The Oregon Administrative Rules contain OARs filed through March 15, 2014
 

 

DEPARTMENT OF ADMINISTRATIVE SERVICES

 

DIVISION 700

INTERNAL AUDITING

125-700-0010

Purpose

The Oregon Department of Administrative Services is responsible for adopting rules setting standards and policies for internal audit functions within state government according to 2005 Oregon Law, Chapter 373. The rules include, but are not limited to:

(1) Standards for internal audits that are consistent with and incorporate commonly recognized industry standards and practices; and

(2) Policies and procedures that ensure the integrity of the internal audit process.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0015

Definitions

(1) Agency: “State Agency” means any elected or appointed officer, board, commission, department, institution, branch or other unit of the state government.

(2) Audit: An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, systems security and due diligence assurance engagements.

(3) Audit Committee: A committee that provides oversight of auditing and internal control for the agency, and helps ensure the independence of the internal audit function. The purpose of the audit committee is to assist agency management in carrying out its oversight responsibilities.

(4) Chief Audit Executive: Top position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from outside service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results.

(5) Internal Audit Function: A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations.

(6) Internal Auditing: An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

(7) Professional Auditing Standards: Standards for performing and evaluating internal audits that are consistent with and incorporate commonly recognized industry standards and practices.

(8) Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact (the effect) and likelihood (the probability the event will occur).

(9) Risk Assessment: A process of identifying, analyzing and prioritizing risks to activities of an agency.

(10) Risk Management: A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06; DAS 1-2010(Temp), f. & cert. ef. 6-29-10 thru 12-26-10; Administrative correction 1-25-11; DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11

125-700-0120

Statewide Audit Advisory Committee

(1) The Statewide Audit Advisory Committee (Committee) exists to promote the benefits of professional, standards-based internal auditing services in state government. The Statewide Audit Advisory Committee serves in an advisory capacity to the Director of the Oregon Department of Administrative Services.

(2) The Committee shall be comprised of:

(a) Director of the Oregon Department of Administrative Services, who will serve as Chair;

(b) Director of the Secretary of State Division of Audits (Oregon Audits Division);

(c) Legislative Fiscal Officer;

(d) State Court Administrator;

(e) Two Chief Audit Executives from agencies other than the Department of Administrative Services; and

(f) Not more than nine other persons appointed by the Director of the Oregon Department of Administrative Services representing state, local, non-profit and private sector internal auditing expertise.

(3) Appointed members shall serve two-year terms, and may be reappointed at the discretion of the Committee Chair.

(4) The Committee shall meet regularly to discuss statewide audit matters and issues of interest.

(5) The Committee shall document its full mission, objectives, responsibilities and organization in a formal charter, to be reviewed by the Committee annually. Responsibilities must include:

(a) Reviews and recommends revisions to the Statewide Annual Internal Audit Activity Report prepared by the Department of Administrative Services for Legislative Leadership.

(b) Brings forward for discussion issues impacting the state’s internal audit community.

(c) Promotes best practices and training to enhance internal auditing and agency management practices in state government.

(d) Makes recommendations to ensure the independence and objectivity of the internal audit functions within state government.

(e) Reviews reports and other data to make recommendations to improve statewide management in areas that involved recurring or material findings that impact multiple agencies or areas of statewide risk-based concerns.

(f) Provides testimony or presentations to legislative committees, management teams or agency audit committees regarding internal audit, as necessary.

NOTE: Portions of this section previously existed as rule 125-500-0012.

Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11

125-700-0125

Internal Auditing Requirements

(1) In every agency that meets one or more of the criteria below, the agency head shall establish, maintain, and fully support a full-time internal audit function or contract for the equivalent, within existing resources. Exceptions may be requested in writing by agencies to the Director of the Department of Administrative Services and will be reviewed by the Committee.

(a) Total biennial expenditures exceed $100 million;

(b) Number of full-time equivalent employees exceeds 400; or

(c) Dollar value of cash and cash equivalent items received and processed annually exceeds $10 million.

(2) For agencies not meeting the criteria above, an internal audit function is encouraged. Agencies that have an internal audit function must follow this OAR and are subject to DAS oversight.

NOTE: Portions of this section previously existed as rule 125-500-0020.

Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11

125-700-0130

Agency Internal Audit Function Responsibilities

(1) The agency’s Chief Audit Executive should coordinate with the agency head, the audit committee, appropriate state or federal oversight boards or commissions (as applicable), and the Oregon Audits Division and serve as the agency representative on audit matters.

(2) The internal audit function shall report to the agency head, applicable agency management and the audit committee on activities and results of their work. Examples of such work include the following:

(a) Governance of agency’s processes and organizational structures implemented by the governing board, commission, and management in order to inform, direct, manage, and monitor the activities of the agency toward the achievement of its objectives.

(b) Information technology processes, information criteria, and resource activities, including but not limited to planning and organization, acquisition and implementation, delivery and support, and monitoring. Information criteria should include effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability.

(c) Internal controls and compliance with applicable laws, rules, regulations and contract provisions.

(d) Performance audits to determine whether a program makes efficient use of resources and the effectiveness with which operations are carried out and it achieves results.

(3) The internal audit function should incorporate sustainability plan criteria into standards used for conducting agency internal audits, where appropriate.

(4) The agency’s internal audit function must follow up on internal audit report findings and recommendations to determine whether proper corrective action has been completed or that senior management has assumed the risk of not taking the recommended corrective action.

NOTE: Portions of this section previously existed as rule 125-500-0030.

Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11

125-700-0135

Agency Internal Audit Function Governance

(1) Agency internal audit functions shall select appropriate professional auditing standards to follow in performing their audit work.

(2) The agency's internal audit function's purpose, authority, and responsibilities shall be formally defined in the agency's Internal Audit Charter. The agency's charter must be consistent with professional auditing standards and approved by the audit committee or board.

(3) The internal audit staff shall have unrestricted access to all systems, processes, operations, functions, and activities within an agency as needed to perform job responsibilities.

(4) Each agency having an internal audit function shall establish and maintain an audit committee.

(a) If the agency has a governing board or commission, the audit committee must include one or more board or commission members. If there is no board or commission, the committee must include senior management officials not directly responsible for the internal audit function.

(b) Agencies are encouraged to include qualified individuals from outside the agency on the audit committee, to enhance public accountability and transparency, and increase independence of the internal audit activity.

(5) The role and function of the audit committee shall be stated in a formal, written charter that describes the authority, responsibilities, and structure of the audit committee in accordance with professional auditing standards. The charter must be approved and periodically reviewed by the audit committee.

(6) The internal audit function shall report to the agency head, agency management and the audit committee on all internal audit activities.

NOTE: Portions of this section previously existed as rule 125-500-0040.

Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11

125-700-0140

Planning and Reporting Responsibilities

(1) Each agency's Chief Audit Executive shall prepare an audit plan in accordance with standards. The plan must be reviewed and approved by the agency head and audit committee and submitted to the Oregon Department of Administrative Services. The plan must be:

(a) Risk-based to help ensure priorities of the internal audit activity that are consistent with the organization's goals;

(b) Include significant risks and exposures within the organization;

(c) Include an assessment of the agency's performance measurement system by assessing its integrity and accuracy;

(2) The agency's Chief Audit Executive shall prepare an annual report covering the time period of July 1 through June 30 of the preceding year, in a format approved by the Department of Administrative Services that includes:

(a) The annual risk assessment and audit plan;

(b) All internal audit reports; and

(c) A listing of consulting and other value-added audit activities provided to agency management by the internal audit function.

(3) The annual report must be submitted to the agency head, audit committee, and the Internal Audit Section of the Oregon Department of Administrative Services no later than September 30th of each year.

(4) Information not included in an agency’s report must be available for review upon request of the Committee.

NOTE: Portions of this section previously existed as rule 125-500-0050.

Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11

125-700-0145

External Review

(1) State internal audit functions must have an external review to determine whether the function is operating in accordance with professional auditing standards. This review must result in an issued report.

(2) A copy of the external review report will be provided to the Internal Audit Section of the Oregon Department of Administrative Services with the internal audit function’s annual report.

(3) State internal audit functions may have the review performed by an external provider, or may participate in a coordinated effort through the Department of Administrative Services to have a review performed by internal audit staff from other state agencies.

(a) Reviews performed under this coordinated effort must be performed by at least two auditors, and led by an auditor with formal training or experience performing external reviews.

(b) State internal audit functions who choose to participate in the coordinated effort must also volunteer time to perform reviews at other agencies.

Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11

125-700-0150

Internal Audit Independence

(1) The agency's Chief Audit Executive reporting position must be at an administrative level that will maximize objectivity. In most cases, the Chief Audit Executive must report administratively to the agency head or designee, and functionally to the audit committee.

(2) The Chief Audit Executive must have unrestricted access to decision-makers and decision-making bodies and to the information and employees needed to perform internal audit duties and responsibilities.

(3) The internal auditor(s) must be free of undue influence to limit the audit scope and audit assignment schedule.

(4) The Chief Audit Executive must be free to obtain advice and information from sources inside and outside the agency. These sources may include, but should not be limited to professional colleagues, the Oregon Audits Division, the Oregon Department of Administrative Services, and relevant professional organizations.

(5) The internal audit function must be free of any responsibilities that would impair its ability to make independent reviews of all aspects of the agency's operations.

(6) The agency's Chief Audit Executive must periodically assess whether the purpose, authority, and responsibility, as defined in the audit charter, and resources required to accomplish the work continue to be adequate to enable the internal audit staff to accomplish their objectives. The result of this periodic assessment must be communicated to the audit committee and, if applicable, senior management.

(7) A scope limitation, including resource limitations, placed upon an internal audit function that precludes them from meeting objectives and executing plans must be communicated in writing to the audit committee and, if applicable, agency management, along with its potential effect. The agency's Chief Audit Executive must periodically inform the committee regarding scope limitations that were previously communicated and accepted.

NOTE: Portions of this section previously existed as rule 125-500-0045.

Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11

125-700-0155

Audit Records and Retention

(1) The agency's internal audit function must maintain audit work papers and reports in accordance with records retention requirements. The internal audit function should ensure that its records retention schedule will allow it to keep the documents until an external peer review has been performed, and audit findings and recommendations have been appropriately followed up on. Refer to State Archive requirements and OAR 166-300-0025 for record retention schedules. Records must be kept so they can be retrieved, if necessary.

(2) The agency's Chief Audit Executive must follow appropriate data classification procedures to monitor and control confidential and sensitive internal audit documents. Confidential documents are those designated as confidential by agency policy or covered by ORS 192.496 through 192.505.

NOTE: Portions of this section previously existed as rule 125-500-0060.

Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11

The official copy of an Oregon Administrative Rule is contained in the Administrative Order filed at the Archives Division, 800 Summer St. NE, Salem, Oregon 97310. Any discrepancies with the published version are satisfied in favor of the Administrative Order. The Oregon Administrative Rules and the Oregon Bulletin are copyrighted by the Oregon Secretary of State.
