Skip to main content

Overview

The Texas Internal Auditing Act (Texas Government Code, Chapter 2102) requires certain state agencies and higher education institutions to implement an internal auditing program that includes preparing an annual audit plan, conducting periodic audits, and submitting an annual report to the Governor, the Legislative Budget Board, the State Auditor, and the entities' governing boards and chief executives. The State Auditor is charged with prescribing the form and content of the annual report.

Questions

If you have any questions, contact Kelsey Arnold at (512) 936-9870, Charles Wilson at (512) 936-9313, or the SAO Internal Audit Coordinator at iacoordinator@sao.texas.gov.

Annual Report Requirements

The purpose of the annual report is to provide information on the assurance services, consulting services, and other activities of the internal audit function. In addition, the annual report assists oversight agencies in their planning and coordination efforts.

The following information should be included in the annual report.

Note: These guidelines represent the SAO's minimum requirements and do not preclude an entity from including additional information.

Include a brief explanation of the procedures followed to post the internal audit annual report and audit plan on the agency's website in compliance with the provisions of Texas Government Code, Section 2102.015.

  • Include a list of audits planned for the prior fiscal year, and for each audit completed provide report numbers, dates, and titles.
  • If an audit was not completed or is ongoing as a carry-over project, include the current status of the audit.
  • Include a brief explanation for any deviations from the audit plan.

Note: For higher education institutions

Report the findings for the higher education institution assessment required by Texas Education Code, Section 51.9337(h), in this section or in a separate report to the SAO.

Include a list of all external audit services that were either procured or ongoing during the fiscal year.

  • Examples of those services may include, but are not limited to, financial and performance audits and attestation engagements, such as a review or an agreed-upon procedures engagement.

Include a copy of the executive summary or a summary of issues from the most recent external quality assurance review or peer review report.

  • Include the approved audit plan.
    • If the plan is pending approval from the governing board or chief executive and is not submitted with the annual report, specify the date that the plan will be submitted.
    • If the audit plan is modified during the fiscal year, submit a copy of the revised plan to the oversight agencies.
  • Include the budgeted hours for all projects.
  • Include a list of additional risks ranked as "high" that were identified but are not included in the audit plan.
  • Include a brief description of the risk assessment or methodology used to develop the audit plan, including consideration, if any, of:
    • The applicable information technology risks related to Title 1, Texas Administrative Code, Chapter 202 (Information Security Standards).
    • Benefits proportionality.
    • Methods for ensuring compliance with contract processes and controls and for monitoring agency contracts, as required by Texas Government Code, Section 2102.005(b).

Note: For higher education institutions

Rider 8, page III-5, the General Appropriations Act (88th Legislature), requires each higher education institution to consider audits of benefits proportionality when developing their annual internal audit plans for fiscal years 2024 and 2025.

  • Include a brief description of the entity's actions taken to comply with the fraud reporting requirement of Section 7.09, page IX-40, the General Appropriations Act (88th Legislature).
  • Include a brief description of the entity's process to comply with the investigation coordination requirements of Texas Government Code, Section 321.022.

Note: Examples could include (1) information provided on the entity's website that indicates how to report suspected fraud, waste, or abuse involving state resources directly to the SAO and (2) a brief description of the entity's procedures for reporting suspected fraud, waste, or abuse involving state funds to the SAO.

Report Submission and Posting Requirements

The Governor's Office, the SAO, and the Legislative Budget Board should receive both the annual report and periodic internal audit reports. Contact information and submission instructions are included below.

The annual report is due November 1 (Texas Government Code, Section 2102.009).

Each periodic internal audit report should be submitted within 30 days after the date the report is submitted to the entity's governing board or to the chief executive if the entity does not have a governing board (Texas Government Code, Section 2102.0091).

Note: Reports sent to the SAO are presumed to be public information unless they are specifically marked as confidential by your entity. Contact the applicable SAO contact manager to discuss any reports your entity considers confidential prior to submitting those reports.

Agency and Phone Number Electronic Submission of Reports
Governor's Office - Budget and Policy Division
Phone: (512) 463-1778
Send to: Brady Franks
budgetandpolicyreports@gov.texas.gov
State Auditor's Office
Phone: (512) 936-9500
Send to: Internal Audit Coordinator
iacoordinator@sao.texas.gov

Confidential and Large Reports: SAO Secure File Sharing System (contact SAO for instructions)
Legislative Budget Board
Phone: (512) 463-1200
Send to: Christopher Mattsson
audit@lbb.texas.gov

Texas Government Code, Section 2102.015, requires state agencies and higher education institutions to post annual reports and approved internal audit plans on their websites.

The reports are considered to be approved if they are approved by the entity's governing board or by the chief executive if the entity does not have a governing board. The entity should post the reports within 30 days of approval.

Texas Government Code, Section 2102.015, also requires entities to update the posting described above to include the following information on their websites:

  • A "detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns, if any, raised by the audit plan or annual report."
  • A "summary of the action taken by the agency to address the concerns, if any, that are raised by the audit plan or annual report."

Including the summaries outlined above in the annual report and posting that annual report on the entity's website fulfills the minimum requirement but does not preclude an entity from posting more frequent updates to its website.

Texas Government Code, Section 2102.015, also specifies that an entity "is not required to post information contained in the agency's internal audit plan or annual report if the information is excepted from public disclosure under Chapter 552 [of the Texas Government Code]." For questions about whether information in the internal audit plan or annual report is excepted from disclosure under Chapter 552, consult with your entity's legal counsel or public information officer, as appropriate.

Entities that are not subject to the Texas Internal Auditing Act and that do not prepare internal audit plans or internal audit annual reports are not required to post those items on their websites.

Entities that contract for internal audit services should post internal audit plans, the annual report, and required updates as prepared by the contracted auditor.