Internal Auditing Requirements

Include a brief explanation of the procedures followed to post the internal audit annual report and audit plan on the agency's website in compliance comply with the provisions of Texas Government Code, Section 2102.015.

• Include a list of audits planned for the prior fiscal year, and for each audit completed provide report numbers, dates, and titles.
• If an audit was not completed or is ongoing as a carry-over project, include the current status of the audit.
• Include a brief explanation for any deviations from the audit plan.

Note: For higher education institutions

Report the findings for the higher education institution assessment required by Texas Education Code, Section 51.9337(h), in this section or in a separate report to the SAO.

• Include a list of consulting services, as defined in the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing, and a list of nonaudit services, as defined in Government Auditing Standards, that were completed during the fiscal year.
• Include report numbers, dates, and titles, as well as the high-level objective(s) of each project.
• Summarize the key consulting services and nonaudit service observations, results, and recommendations, if applicable.

Include a list of all external audit services that were either procured or ongoing during the fiscal year.

• Examples of those services may include, but are not limited to, financial and performance audits and attestation engagements, such as a review or an agreed-upon procedures engagement.

Include a copy of the executive summary or a summary of issues from the most recent external quality assurance review or peer review report.

• Include the approved audit plan.
• If the plan is pending approval from the governing board or chief executive and is not submitted with the annual report, specify the date that the plan will be submitted.
• If the audit plan is modified during the fiscal year, submit a copy of the revised plan to the oversight agencies.
• Include the budgeted hours for all projects.
• Include a list of additional risks ranked as "high" that were identified but are not included in the audit plan.
• Include a brief description of the risk assessment or methodology used to develop the audit plan, including consideration, if any, of:
• The applicable information technology risks related to Title 1, Texas Administrative Code, Chapter 202 (Information Security Standards).
• Benefits proportionality.
• Methods for ensuring compliance with contract processes and controls and for monitoring agency contracts, as required by Texas Government Code, Section 2102.005(b).

Note: For higher education institutions

Rider 8, page III-5, the General Appropriations Act (88th Legislature), requires each higher education institution to consider audits of benefits proportionality when developing their annual internal audit plans for fiscal years 2024 and 2025.

• Include a brief description of the entity's actions taken to comply with the fraud reporting requirement of Section 7.09, page IX-40, the General Appropriations Act (88th Legislature).
• Include a brief description of the entity's process to comply with the investigation coordination requirements of Texas Government Code, Section 321.022.

Note: Examples could include (1) information provided on the entity's website that indicates how to report suspected fraud, waste, or abuse involving state resources directly to the SAO and (2) a brief description of the entity's procedures for reporting suspected fraud, waste, or abuse involving state funds to the SAO.

The Governor's Office, the SAO, and the Legislative Budget Board should receive both the annual report and periodic internal audit reports. Contact information and submission instructions are included below.

The annual report is due November 1 (Texas Government Code, Section 2102.009).

Each periodic internal audit report should be submitted within 30 days after the date the report is submitted to the entity's governing board or to the chief executive if the entity does not have a governing board (Texas Government Code, Section 2102.0091).

Texas Government Code, Section 2102.015, requires state agencies and higher education institutions to post annual reports and approved internal audit plans on their websites.

The reports are considered to be approved if they are approved by the entity's governing board or by the chief executive if the entity does not have a governing board. The entity should post the reports within 30 days of approval.

Texas Government Code, Section 2102.015, also requires entities to update the posting described above to include the following information on their websites:

• A "detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns, if any, raised by the audit plan or annual report."
• A "summary of the action taken by the agency to address the concerns, if any, that are raised by the audit plan or annual report."

Including the summaries outlined above in the annual report and posting that annual report on the entity's website fulfills the minimum requirement but does not preclude an entity from posting more frequent updates to its website.

Texas Government Code, Section 2102.015, also specifies that an entity "is not required to post information contained in the agency's internal audit plan or annual report if the information is excepted from public disclosure under Chapter 552 [of the Texas Government Code]." For questions about whether information in the internal audit plan or annual report is excepted from disclosure under Chapter 552, consult with your entity's legal counsel or public information officer, as appropriate.

Entities that are not subject to the Texas Internal Auditing Act and that do not prepare internal audit plans or internal audit annual reports are not required to post those items on their websites.

Entities that contract for internal audit services should post internal audit plans, the annual report, and required updates as prepared by the contracted auditor.