Department of Administrative Services
Chapter 125
Division 700
INTERNAL AUDITING
125-700-0010
Purpose
The Oregon Department of Administrative Services is responsible for adopting rules setting standards and policies for internal audit functions within state government under authority provided in ORS 184.360(3). The rules include, but are not limited to:
(1) Standards for internal audits that are consistent with and incorporate commonly recognized industry standards and practices; and
(2) Policies and procedures that ensure the integrity of the internal audit process.
Statutory/Other Authority: ORS 184.360
Statutes/Other Implemented: ORS 184.360(3)
History:
DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
DAS 1-2006, f. & cert. ef. 1-30-06
125-700-0015
Definitions
(1) Agency: “State Agency” means any elected or appointed officer, board, commission, department, institution, branch, or other unit of the state government.
(2) Assurance Audit Services: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
(3) Consultation Audit Services: Advisory and related client services activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
(4) Audit Committee: A committee that provides oversight of internal auditing for the agency. The purpose of the audit committee is to enhance the quality and independence of the internal audit function, thereby helping to ensure the integrity of the internal audit process.
(5) Chief Audit Executive: Top position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from outside service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results.
(6) Internal Audit Function: A program within an agency that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations and facilitate oversight, accountability, and transparency.
(7) Internal Audit Services: Specific activities provided by auditors within the internal audit function. Examples include risk assessments, assurance audit services, and internal audit plans.
(8) Internal Auditing: An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
(9) Professional Auditing Standards: Principles established to ensure the competence and independence of the audit function and the quality of audit work. The Code of Ethics and International Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors, and Generally Accepted Government Auditing Standards, promulgated by the Government Accountability Office, are the two major sets of standards that govern both the conduct of audit work and the audit function.
(10) Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact (the effect) and likelihood (the probability the event will occur).
(11) Risk Assessment: A process of identifying, analyzing, and prioritizing risks to the achievement of an agency’s mission, goals, or objectives.
(12) Risk Management: A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
(13) Cash Equivalents: Cash equivalents are the total value of cash on hand that includes items that are similar to cash; low-risk securities include U.S. government T-bills, bank CD’s, bankers’ acceptance, corporate commercial paper, and other money market instruments. For the purpose of this rule the amount reflected in Oregon Accounting Manual GL3100 will be used.
(14) Audit Plan (Risk Based): A Plan to determine the priorities of the internal audit function, consistent with the agency’s goals.
(15) Quality Assurance and Improvement Plan (QAIP): An evaluation of whether the internal audit activity is in conformance with professional standards.
(16) External Assessment: An assessment by a qualified, independent assessor or assessment team from outside the organization in the form of a full external assessment or an internal assessment with external validation.
(17) Independence: Freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
(18) Objectivity: An impartial, unbiased attitude and avoidance of conflicts of interest.
(19) Cash Revenue: Any and all cash income realized as a result of operating activities calculated in accordance with generally accepted accounting principles.
Statutory/Other Authority: ORS 184.360
Statutes/Other Implemented: ORS 184.360(3)
History:
DAS 3-2022, amend filed 04/27/2022, effective 05/01/2022
DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11
Reverted to DAS 1-2006, f. & cert. ef. 1-30-06
DAS 1-2010(Temp), f. & cert. ef 6-29-10 thru 12-26-10
DAS 1-2006, f. & cert. ef. 1-30-06
125-700-0125
Internal Auditing Requirements
(1) For agencies that meet two or more of the criteria below for the last two consecutive biennia, the agency head shall establish, maintain, and fully support an internal audit function within existing resources. Agencies may outsource some internal audit activities if the agency determines that it is more cost efficient and meets OAR 125-700-0126.
(a) Total biennial expenditures exceed $200 million.
(b) Number of full-time equivalent employees exceeds 400 as reflected in the Legislative Adopted Budget.
(c) Dollar value of cash revenue and cash equivalent items received and processed annually exceeds $20 million as reflected in GL 3100.
(d) Agencies that are being funded over 50% from accounts in “other funds” and/or “federal funds” reflected in the Legislative Adopted Budget.
(2) For agencies that meet the requirement of this OAR, the internal audit function shall be staffed with a minimum of 1 FTE. This position shall be budgeted and maintained at the Chief Audit Executive level. Subsequent FTE may be budgeted at lower positions and report to the Chief Audit Executive.
(3) Exceptions to having an internal audit function may be requested in writing by agency heads to the Chief Operating Officer of the Department of Administrative Services. Each exception request will be reviewed and decisions made on a case-by-case basis.
(4) For agencies not meeting the criteria above, an internal audit function is encouraged. Agencies that have an internal audit function must follow this OAR.
Statutory/Other Authority: ORS 184.360
Statutes/Other Implemented: ORS 184.360(3)
History:
DAS 3-2022, amend filed 04/27/2022, effective 05/01/2022
DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11
125-700-0126
Contracted Internal Audit Services
(1) All agencies are able to contract for internal audit services according to laws, rules, and statewide policies guiding procurement processes.
(2) Agencies meeting the requirement to establish, maintain, and fully support an internal audit function set in OAR 125-700-0125 may contract for internal audit services to meet, in whole or in part, requirements for audit work set in this chapter and ORS 184.360, including:
(a) Completion of a risk assessment of the entire agency which conforms to audit standards established by nationally recognized entities such as the United States Government Accountability Office or the Institute of Internal Auditors.
(b) Selection and performance of at least one audit identified in the agency risk assessment per year.
(c) Performance of an audit related to governance and risk management at least once every five years.
(3) Agencies meeting the requirement to establish, maintain and fully support an internal audit function set in OAR 125-700-0125 and using contracted internal audit services to meet, in whole or in part, requirements set in this chapter and ORS 184.360 may not contract for management of the internal audit function. These agencies retain responsibility for maintaining an effective internal audit activity in accordance with standards and policies for management of internal audit set in this chapter related to Governance (0135), Planning and Reporting (0140), and External Review (0145).
(4) Providers of contracted internal audit services will:
(a) Make the contracting agency aware of its responsibility to maintain an effective internal audit activity in accordance with professional auditing standards, the rules of this chapter, and ORS 184.360.
(b) Attest whether or not the agency has and/or conforms to an existing QAIP, or disclose to senior management and the board any instances where the internal audit activity does not conform with the Standards or the Code of Ethics and how the lack of conformance impacts the overall scope or operation of the internal audit activity.
(c) Provide to the agency documentation necessary to demonstrate compliance with the established QAIP, professional audit standards, rules of this chapter, and ORS 184.360.
Statutory/Other Authority: ORS 184.360
Statutes/Other Implemented: ORS 184.360(3)
History:
DAS 3-2022, adopt filed 04/27/2022, effective 05/01/2022
125-700-0135
Agency Internal Audit Function Governance
(1) Agency internal audit functions shall be governed by appropriate professional auditing standards such as The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) or the Generally Accepted Government Auditing Standards (GAGAS) of the United States Government Accountability Office (GAO).
(2) To help ensure the integrity of the internal audit process, agency management shall take reasonable steps necessary to support the internal audit function in complying with the selected professional auditing standards. This may include obtaining audit related certifications, continuing professional education training and membership to professional auditing associations.
(3) The agency's internal audit charter shall formally define the internal audit function's purpose, authority, responsibility, and the professional auditing standards the function will follow. The internal audit charter must be approved and periodically reviewed by the audit committee and agency senior management.
(4) Internal audit staff shall have unrestricted access to all systems, processes, operations, functions, data, personnel, and activities within an agency as needed to perform job responsibilities.
(5) Each agency having an internal audit function shall establish and maintain an audit committee. The primary purpose of the audit committee is to enhance the quality and independence of the internal audit function, thereby helping ensure the integrity of the internal audit process. This is achieved at minimum by:
(a) Having a formal, written charter that establishes the audit committee’s mandate, authority, and functional reporting relationship including the roles and responsibilities of the audit committee and its members. The charter must be approved and periodically reviewed by the audit committee and agency head.
(b) Include at least one qualified external member that is independent of agency management on the audit committee to enhance public accountability and transparency and increase independence of the internal audit activity.
(c) If the agency has a governing board or commission, the audit committee must include at least one board or commission member. This member can be used to meet the requirement listed in “(b)” above.
(d) The audit committee shall approve the risk-based internal audit plan. The audit committee shall also review internal audit reports on the progress of internal and external audit report findings and recommendations to determine whether proper corrective action has been completed or that senior management has assumed the risk of not taking the recommended corrective action.
Statutory/Other Authority: ORS 184.360
Statutes/Other Implemented: ORS 184.360(3)
History:
DAS 3-2022, amend filed 04/27/2022, effective 05/01/2022
DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11
125-700-0140
Planning and Reporting Responsibilities
(1) Each agency’s Chief Audit Executive shall prepare an agency-wide risk assessment in accordance with audit standards.
(2) Each agency’s Chief Audit Executive shall prepare an audit plan of engagements based on the most recent risk assessment. The plan should reflect the priorities of the internal audit function and be consistent with the agency’s goals. The plan shall be reviewed and approved by the audit committee, along with any significant modifications to the plan. At least one risk-based audit shall be selected from the audit plan and performed annually.
(3) Each agency’s Chief Audit Executive shall identify an audit topic related to governance and risk management at least once every five years. Examples of audit topics include ethics, diversity/equity/inclusion, strategic management, performance management, the alignment of information technology with the agency’s strategies and objectives, systems in place to assure compliance with laws and regulations, and processes in place to prevent and detect fraud.
(4) Each agency's Chief Audit Executive shall provide information on the activities performed by the internal audit function covering the time period of July 1 through June 30 of the preceding year to the Oregon Department of Administrative Services.
(a) The required information shall be submitted to the Oregon Department of Administrative Services no later than September 30th of each year and be included in the Statewide Annual Report on Internal Audit Activities.
(b) The information may include, but not be limited to:
(A) Staff Information such as education, certification, training, etc.
(B) Quality Assurance Reviews
(C) Audit Committee makeup
(D) Audit and/or Consulting Engagements performed
(E) Chief Audit Executive Reporting Structure
(F) Risk Assessments and Audit Plans
(G) Internal Audit Function Performance Measures
(c) Information not included in an agency’s report must be available for review upon request of the Oregon Department of Administrative Services.
(d) Agencies shall provide DAS with supporting documentation related to submitted information upon request.
(5) The agency’s Chief Audit Executive must periodically assess whether the purpose, authority, and responsibility, as defined in the audit charter, and resources required to accomplish the work continue to be adequate to enable the internal audit staff to accomplish their objectives. The result of this periodic assessment must be communicated to the audit committee and, if applicable, senior management.
(6) Completed risk assessments and internal audits need to be filed with the Audits Division of the Office of the Secretary of State.
Statutory/Other Authority: ORS 184.360
Statutes/Other Implemented: ORS 184.360(3)
History:
DAS 3-2022, amend filed 04/27/2022, effective 05/01/2022
DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11
125-700-0145
External Review
(1) Agency internal audit functions must have an external assessment to determine whether the function is operating in accordance with professional auditing standards. The frequency of external assessments is pre-defined by professional auditing standards.
(2) A copy of the external assessment report will be provided to the audit committee and to the Internal Audit Section of the Oregon Department of Administrative Services.
(3) Agency internal audit functions may have the assessment performed by either of the following means:
(a) an interagency program administered by the Department of Administrative Services Statewide Coordinator Internal Audit Function;
(b) an independent contracted provider; or
(c) a self-assessment with independent external validation.
Statutory/Other Authority: ORS 184.360
Statutes/Other Implemented: ORS 184.360(3)
History:
DAS 3-2022, amend filed 04/27/2022, effective 05/01/2022
DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11
125-700-0150
Internal Audit Independence
(1) In order to maximize both independence and objectivity of the audit function and allow the internal audit function to fulfill its responsibilities, the agency Chief Audit Executive must report functionally to the agency audit committee, and administratively to the agency Director, Deputy Director, or equivalent.
(2) The Chief Audit Executive must have unrestricted access to decision-makers and decision-making bodies and to the information and employees needed to perform internal audit duties and responsibilities. The Chief Audit Executive may not defer ultimate judgement on audit matters to others and must be free to obtain advice and information from sources inside and outside the agency. To be effective in their role, the Chief Audit Executive should be a non-voting member of the agency’s senior management team and attend Executive/Leadership team meetings.
(3) The internal audit function must be free from interference in determining the scope of internal auditing, performing work and communicating results. The Chief Audit Executive must disclose such interference to the audit committee and discuss the implications.
(4) The internal audit function must be free of any operational and management responsibilities that would impair its ability to make independent reviews of all aspects of the agency's operations.
(5) Where the Chief Audit Executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity.
(6) A scope limitation, including resource limitations, placed upon an internal audit function that precludes it from meeting objectives must be communicated in writing to the audit committee and, if applicable, agency management, along with its potential effect.
Statutory/Other Authority: ORS 184.360
Statutes/Other Implemented: ORS 184.360(3)
History:
DAS 3-2022, amend filed 04/27/2022, effective 05/01/2022
DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11
125-700-0155
Audit Records and Retention
(1) The agency's internal audit function must maintain audit work papers and reports in accordance with records retention requirements. The internal audit function should ensure that its records retention schedule will allow it to keep the documents until an external peer review has been performed, and audit findings and recommendations have been appropriately followed up on. Refer to State Archive requirements and OAR 166-300-0025 for record retention schedules. Records must be kept so they can be retrieved, if necessary.
(2) The agency's Chief Audit Executive must follow appropriate data classification procedures to monitor and control confidential and sensitive internal audit documents. Confidential documents are those designated as confidential by agency policy or covered by ORS 192.496 through 192.505.
Statutory/Other Authority: ORS 184.360
Statutes/Other Implemented: ORS 184.360(3)
History:
DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14
DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11