
Internal Auditing


Published: 2015

The Oregon Administrative Rules contain OARs filed through November 15, 2015

 


 

DEPARTMENT OF ADMINISTRATIVE SERVICES

DIVISION 700
INTERNAL AUDITING

125-700-0010
Purpose
The Oregon Department of Administrative
Services is responsible for adopting rules setting standards and policies for internal
audit functions within state government under authority provided in ORS 184.360(3).
The rules include, but are not limited to:
(1) Standards for internal
audits that are consistent with and incorporate commonly recognized industry standards
and practices; and
(2) Policies and procedures
that ensure the integrity of the internal audit process.
Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2006, f. &
cert. ef. 1-30-06; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
125-700-0015
Definitions
(1) Agency: “State Agency”
means any elected or appointed officer, board, commission, department, institution,
branch or other unit of the state government.
(2) Audit: An objective examination
of evidence for the purpose of providing an independent assessment on risk management,
control, or governance processes for the organization. Examples include financial,
performance, compliance, systems security and due diligence assurance engagements.
(3) Audit Committee: A committee
that provides oversight of internal auditing for the agency. The purpose of the
audit committee is to enhance the quality and independence of the internal audit
function, thereby helping to ensure the integrity of the internal audit process.
(4) Chief Audit Executive:
Top position within the organization responsible for internal audit activities.
Normally, this would be the internal audit director. In the case where internal
audit activities are obtained from outside service providers, the chief audit executive
is the person responsible for overseeing the service contract and the overall quality
assurance of these activities, reporting to senior management and the board regarding
internal audit activities, and follow-up of engagement results.
(5) Internal Audit Function:
A program within an agency that provides independent, objective assurance and consulting
services designed to add value and improve an organization’s operations and
facilitate oversight, accountability, and transparency.
(6) Internal Auditing: An
independent, objective assurance and consulting activity designed to add value and
improve an organization's operations. It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness
of risk management, control, and governance processes.
(7) Professional Auditing
Standards: Principles established to ensure the competence and independence of the
audit function and the quality of audit work. The Code of Ethics and International
Standards for the Professional Practice of Internal Auditing promulgated by the
Institute of Internal Auditors, and Generally Accepted Government Auditing Standards,
promulgated by the Government Accountability Office, are the two major sets of standards
that govern both the conduct of audit work and the audit function.
(8) Risk: The possibility
of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact (the effect) and likelihood (the probability
the event will occur).
(9) Risk Assessment: A process
of identifying, analyzing and prioritizing risks to the achievement of an agency’s
mission, goals, or objectives.
(10) Risk Management: A process
to identify, assess, manage, and control potential events or situations to provide
reasonable assurance regarding the achievement of the organization's objectives.
Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2006, f. &
cert. ef. 1-30-06; DAS 1-2010(Temp), f. & cert. ef 6-29-10 thru 12-26-10; Administrative
correction 1-25-11; DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14,
cert. ef. 5-1-14
125-700-0125
Internal Auditing Requirements
(1) In every agency that meets one or
more of the criteria below, the agency head shall establish, maintain, and fully
support an internal audit function or contract for the equivalent, within existing
resources.
(a) Total biennial expenditures
exceed $100 million;
(b) Number of full-time equivalent
employees exceeds 400; or
(c) Dollar value of cash
and cash equivalent items received and processed annually exceeds $10 million.
(2) Exceptions to having
an internal audit function or contract equivalent may be requested in writing by
agency heads to the Chief Operating Officer of the Department of Administrative
Services. Each exception request will be reviewed and decisions made on a case-by-case
basis.
(3) For agencies not meeting
the criteria above, an internal audit function is encouraged. Agencies that have
an internal audit function must follow this OAR.
Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
125-700-0135
Agency Internal Audit Function Governance
(1) Agency internal audit functions
shall select appropriate professional auditing standards to follow in performing
their audit work.
(2) To help ensure the integrity
of the internal audit process agency management shall take reasonable steps necessary
to assist the internal audit function to comply with the selected professional auditing
standards.
(3) The agency's internal
audit charter shall specify the internal audit function's purpose, authority, responsibilities,
and the professional auditing standards the function will follow. The agency’s
charter must be approved by the audit committee.
(4) The internal audit staff
shall have unrestricted access to all systems, processes, operations, functions,
and activities within an agency as needed to perform job responsibilities.
(5) Each agency having an
internal audit function shall establish and maintain an audit committee.
(a) The role and function
of the audit committee shall be stated in a formal, written charter that describes
the authority, responsibilities, and structure of the audit committee. The charter
must be approved and periodically reviewed by the audit committee and governing
board (or agency head in the absence of a governing board).
(b) The primary purpose of
the audit committee is to enhance the quality and independence of the audit function,
thereby helping ensure the integrity of the internal audit process.
(c) If the agency has a governing
board or commission, the audit committee must include one or more board or commission
members. If there is no board or commission, agencies are encouraged to include
qualified individuals from outside the agency on the audit committee, to enhance
public accountability and transparency, and increase independence of the internal
audit activity.
(6) The agency’s audit
committee will assure follow-up on internal audit reporting findings and recommendations
to determine whether proper corrective action has been completed or that senior
management has assumed the risk of not taking the recommended corrective action.
(7) The internal audit function
shall report results to the agency head, executive designee, agency management and
the audit committee on internal audit activities.
Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
125-700-0140
Planning and Reporting Responsibilities
(1) Each agency's Chief Audit Executive
shall prepare an audit plan of engagements based on the most recent risk assessment.
The plan should be risk-based and consistent with organizational goals. The plan
must be reviewed and approved by the audit committee. At least one risk-based audit
shall be selected and performed from the risk assessment each calendar year.
(2) Each agency’s Chief
Audit Executive shall identify an audit topic related to governance and risk management
at least once every five years. Examples of audit topics include ethics, strategic
management, performance management, the alignment of information technology with
the agency’s strategies and objectives, systems in place to assure compliance
with laws and regulations, and processes in place to prevent and detect fraud.
(3) Each agency's Chief Audit
Executive shall prepare an annual report covering the time period of July 1 through
June 30 of the preceding year, in a format that has been requested by the Oregon
Department of Administrative Services.
(a) The annual report must
be submitted to the agency head, audit committee, and the Internal Audit Section
of the Oregon Department of Administrative Services no later than September 30th
of each year.
(b) Information not included
in an agency’s report must be available for review upon request of the Oregon
Department of Administrative Services.
(4) Completed risk assessments
and internal audits need to be filed with the Division of Audits of the Office of
the Secretary of State.
Stat. Auth.: ORS 297.250, ORS 184.360
Stats. Implemented: ORS 297.250(1),
184.360(4), 184.360(5), 184.360(6)
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
125-700-0145
External Review
(1) Agency internal audit functions
must have an external review to determine whether the function is operating in accordance
with professional auditing standards. This review must result in an issued report.
(2) A copy of the external
review report will be provided to the audit committee and to the Internal Audit
Section of the Oregon Department of Administrative Services with the internal audit
function’s annual report.
(3) Agency internal audit
functions may have the review performed by an external provider, or may participate
in a coordinated effort through the Department of Administrative Services to have
a review performed by internal audit staff from other state agencies.
(a) Reviews performed under
this coordinated effort must be performed by at least two auditors, and led by an
auditor with formal training or experience performing external reviews.
(b) Agency internal audit
functions who choose to participate in the coordinated effort must also volunteer
time to perform reviews at other agencies.
Stats. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
125-700-0150
Internal Audit Independence
(1) The agency's Chief Audit Executive
reporting position must be at an administrative level that will maximize both independence
and objectivity. In most cases, the Chief Audit Executive must report administratively
to the agency head or executive designee, and must report functionally to the audit
committee.
(2) The Chief Audit Executive
must have unrestricted access to decision-makers and decision-making bodies and
to the information and employees needed to perform internal audit duties and responsibilities.
The Chief Audit Executive must be free to obtain advice and information from sources
inside and outside the agency.
(3) The internal auditor(s)
must be free of undue influence to limit the audit scope and audit assignment schedule.
(4) The internal audit function
must be free of any responsibilities that would impair its ability to make independent
reviews of all aspects of the agency's operations.
(5) A scope limitation, including
resource limitations, placed upon an internal audit function that precludes it from
meeting objectives must be communicated in writing to the audit committee and, if
applicable, agency management, along with its potential effect.
Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
125-700-0155
Audit Records and Retention
(1) The agency's internal audit function
must maintain audit work papers and reports in accordance with records retention
requirements. The internal audit function should ensure that its records retention
schedule will allow it to keep the documents until an external peer review has been
performed, and audit findings and recommendations have been appropriately followed-up
on. Refer to State Archive requirements and OAR 166-300-0025 for record retention
schedules. Records must be kept so they can be retrieved, if necessary.
(2) The agency's Chief Audit
Executive must follow appropriate data classification procedures to monitor and
control confidential and sensitive internal audit documents. Confidential documents
are those designated as confidential by agency policy or covered by ORS 192.496
through 192.505.
Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14

The official copy of an Oregon Administrative Rule is
contained in the Administrative Order filed at the Archives Division,
800 Summer St. NE, Salem, Oregon 97310. Any discrepancies with the
published version are satisfied in favor of the Administrative Order.
The Oregon Administrative Rules and the Oregon Bulletin are
copyrighted by the Oregon Secretary of State.