Internal Auditing Requirements
The Texas Internal Auditing Act (Texas Government Code, Chapter 2102, or the Act) requires certain state agencies and higher education institutions to implement an internal auditing program and appoint an internal auditor.
In addition, the Act requires those entities to submit an internal audit annual report each year to the Governor, the Legislative Budget Board, the State Auditor, and the entities’ governing boards and chief executives. The State Auditor is charged with prescribing the form and content of the annual report and other internal audit requirements.
In compliance with that mandate, the State Auditor’s Office (SAO) sets forth these guidelines to assist agencies and higher education institutions in preparing the internal audit annual report and complying with other internal audit requirements. These guidelines represent the SAO’s minimum requirements and do not preclude an entity from including additional information.
Specific guidance is available on the following:
- Requirements for the internal audit annual report.
- Submission of the annual report and periodic internal audit reports.
- Posting requirements in Texas Government Code, Section 2102.015.
- Contract audit reporting for the largest 25 state agencies and higher education institutions.
If you have any questions, contact Kelsey Arnold at (512) 936-9870, Charles Wilson at (512) 936-9313 or the SAO Internal Audit Coordinator at email@example.com.
Internal Audit Annual Report
The purpose of the internal audit annual report is to provide information on the assurance services, consulting services, and other activities of the internal audit function. In addition, the annual report assists oversight agencies in their planning and coordination efforts.
In accordance with Texas Government Code, Section 2102.009, the internal audit annual report for fiscal year 2023 is due November 1, 2023.
Fiscal Year 2023 Report Requirements
The following information should be included in the fiscal year 2023 annual report:
- Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan and Internal Audit Annual Report on the website.
  - Include a brief explanation of the procedures followed to comply with the provisions of Texas Government Code, Section 2102.015.
- Internal Audit Plan for Fiscal Year 2023
  - Include a list of fiscal year 2023 planned audits, and indicate report numbers, report dates, report titles, and whether the audits were completed (if an audit was not completed or is ongoing as a carry-over project, include the current status of the audit).
  - Include a brief explanation for any deviations from the fiscal year 2023 audit plan, which was submitted as part of the annual report due November 1, 2022.
  - Include notice if audit results are only included in the internal audit annual report.
  - Clearly indicate which audit(s) were performed to address the benefits proportionality audit requirement prescribed in Rider 8, page III-50, the General Appropriations Act (87th Legislature).
  - Report the findings for the higher education institution assessment required by Texas Education Code, Section 51.9337(h), in this section or in a separate report to the SAO.
- Consulting Services and Nonaudit Services Completed
  - Include a list of consulting services, as defined in the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, and a list of nonaudit services, as defined in Government Auditing Standards, that were completed during fiscal year 2023.
  - Include report numbers, dates, and titles, as well as the high-level objective(s) of each project.
  - Summarize the key consulting services and nonaudit service observations, results, and recommendations, if applicable.
- External Quality Assurance Review (Peer Review)
  - Include a copy of the executive summary or a summary of issues from the most recent external quality assurance review or peer review report.
- Internal Audit Plan for Fiscal Year 2024
  - Include the fiscal year 2024 approved audit plan. If the plan is pending approval from the governing board or chief executive and is not submitted with the annual report, specify the date that the plan will be submitted. If the audit plan is modified during fiscal year 2024, submit a copy of the revised plan to the oversight agencies.
  - Include the budgeted hours for all projects.
  - Indicate which projects in the audit plan, if any, address the following:
    - Benefits proportionality, expenditure transfers, capital budget controls, or any other limitation or restriction in the General Appropriations Act.
    - Contract management and other requirements.
  - Include a list of additional risks ranked as “high” that were identified but are not included in the fiscal year 2024 audit plan.
  - Include a brief description of the risk assessment or methodology used to develop the audit plan, including consideration, if any, of risks associated with:
    - The applicable information technology risks related to Title 1, Texas Administrative Code, Chapter 202 (Information Security Standards).
    - Benefits proportionality.
    - Methods for ensuring compliance with contract processes and controls and for monitoring agency contracts, according to Texas Government Code, Section 2102.005(b).
  - Rider 8, page III-52, the General Appropriations Act (88th Legislature), requires each higher education institution to consider audits of benefits proportionality when developing their annual internal audit plans for fiscal years 2024 and 2025.
- External Audit Services Procured in Fiscal Year 2023
  - Include a list of all external audit services that were procured or were ongoing in fiscal year 2023. Examples of those services may include, but are not limited to, financial and performance audits and attestation engagements such as a review or an agreed-upon procedures engagement.
- Reporting Suspected Fraud and Abuse
  - Include a brief description of the entity’s actions taken to comply with the fraud reporting requirement of Section 7.09, page IX-38, the General Appropriations Act (87th Legislature).
  - Include a brief description of the entity’s process to comply with the investigation coordination requirements of Texas Government Code, Section 321.022.
Where to Send the Internal Audit Annual Report and Periodic Internal Audit Reports
The Governor’s Office, the SAO, and the Legislative Budget Board should receive the annual report and periodic internal audit reports.
- The internal audit annual report for fiscal year 2023 is due November 1, 2023 (Texas Government Code, Section 2102.009).
- Each periodic internal audit report should be submitted within 30 days after the date the report is submitted to the entity's governing board or the chief executive if the entity does not have a governing board (Texas Government Code, Section 2102.0091).
- Send the reports electronically as Microsoft Word, Adobe Acrobat (PDF), or HTML files, attached to an email, to the addresses below.
- Send confidential reports and files larger than 30 MB to the SAO via the secure file sharing system.
Important: Include the phrase “Internal Audit Annual Report” or “Periodic Internal Audit Report” in the subject field of the email.
| Agency and Phone Number | Electronic Submission of Reports |
|---|---|
| Governor’s Office - Budget and Policy Division; Phone: (512) 463-1778 | Send to: Sarah Hicks |
| State Auditor’s Office; Phone: (512) 936-9500 | Send to: Internal Audit Coordinator; Confidential and Large Reports: SAO Secure File Sharing System (contact SAO for instructions) |
| Legislative Budget Board; Phone: (512) 463-1200 | Send to: Christopher Mattsson |
Summary of Texas Government Code, Section 2102.015
Texas Government Code, Section 2102.015, requires state agencies and higher education institutions, as defined in the statute, to post certain information on their websites. Below is a summary of the provisions of that statute.
Within 30 days of approval, an entity should post the following information on its website:
- The approved fiscal year 2024 audit plan, as required by Texas Government Code, Section 2102.008.
- The fiscal year 2023 internal audit annual report, as required by Texas Government Code, Section 2102.009.
The above reports are considered to be approved if they are approved by an entity’s governing board or by the chief executive if the entity does not have a governing board.
Texas Government Code, Section 2102.015, also requires entities to update the posting described above to include the following information on their websites:
- A “detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns, if any, raised by the audit plan or annual report.”
- A “summary of the action taken by the agency to address the concerns, if any, that are raised by the audit plan or annual report.”
Including the summaries outlined above in the fiscal year 2023 annual report and posting that annual report on the entity’s website fulfills the minimum requirement but does not preclude an entity from posting more frequent updates to its website. To address these requirements, an entity could summarize fiscal year 2023 internal audit recommendations and report on its action and progress toward implementing those recommendations. Suggested progress classifications include: fully implemented, substantially implemented, incomplete/ongoing, or not implemented.
Texas Government Code, Section 2102.015, also specifies that an entity “is not required to post information contained in the agency’s internal audit plan or annual report if the information is excepted from public disclosure under Chapter 552 [of the Texas Government Code].” For questions about whether information in the internal audit plan or annual report is excepted from disclosure under Chapter 552, consult with your entity’s legal counsel or public information officer, as appropriate.
Entities that are not subject to the Texas Internal Auditing Act and that do not prepare internal audit plans or internal audit annual reports are not required to post those items on their websites.
Entities that contract for internal audit services should post internal audit plans, the annual report, and required updates as prepared by the contracted auditor.
Contract Audit Reporting For Select State Entities
Texas Government Code, Section 2261.258, requires the SAO to assign contract monitoring ratings each fiscal year to the largest 25 state agencies, as determined by the Legislative Budget Board. The rating is based on a variety of factors, including the results of contracting-related audits conducted by the agency’s internal audit division.
To assist the SAO in performing this function, the 25 state agencies should include certain information in the internal audit annual report. Specifically, agencies should identify each audit report related to their contracts and contract processes and controls completed in the last five years (fiscal years 2019 to current), including:
- Report Title.
- Report Number.
- Report Date.
- Any follow-up audit work performed by internal audit on the report (along with report title, number, and date).