Internal Auditing Requirements
The Texas Internal Auditing Act (Texas Government Code, Chapter 2102, or the Act) requires certain state agencies and higher education institutions to implement an internal auditing program and appoint an internal auditor.
In addition, the Act requires those entities to submit an internal audit annual report each year to the Governor, the Legislative Budget Board, the State Auditor, and the entities’ governing boards and chief executives. The State Auditor is charged with prescribing the form and content of the annual report and other internal audit requirements.
In compliance with that mandate, the State Auditor’s Office (SAO) sets forth these guidelines to assist agencies and higher education institutions in preparing the internal audit annual report and complying with other internal audit requirements. These guidelines represent the SAO’s minimum requirements and do not preclude an entity from including additional information.
Specific guidance is available on the following:
- Requirements for the internal audit annual report.
- Submission of the annual report and periodic internal audit reports.
- Posting requirements in Texas Government Code, Section 2102.015.
- Higher education institutions’ benefits proportionality audit requirements.
- Contract audit reporting for the largest 25 state agencies and higher education institutions.
If you have any questions, contact Charles Wilson at (512) 936-9313 or the SAO Internal Audit Coordinator at firstname.lastname@example.org.
Internal Audit Annual Report
The purpose of the internal audit annual report is to provide information on the assurance services, consulting services, and other activities of the internal audit function. In addition, the annual report assists oversight agencies in their planning and coordination efforts.
In accordance with Texas Government Code, Section 2102.009, the internal audit annual report for fiscal year 2022 is due November 1, 2022.
Fiscal Year 2022 Report Requirements
The following information should be included in the fiscal year 2022 annual report:
- Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on the website.
- Include a brief explanation of the procedures followed to comply with the provisions of Texas Government Code, Section 2102.015.
- Include a list of fiscal year 2022 planned audits, and indicate report numbers, report dates, report titles, and whether the audits were completed (if an audit was not completed or is ongoing as a carry-over project, include the current status of the audit).
- Include a brief explanation for any deviations from the fiscal year 2022 audit plan, which was submitted as part of the annual report due November 1, 2021.
- Include notice if audit results are only included in the internal audit annual report.
- Clearly indicate which audit(s) were performed to address the benefits proportionality audit requirement prescribed in Rider 8, page III-50, the General Appropriations Act (87th Legislature).
- Report the findings for the higher education institution assessment required by Texas Education Code, Section 51.9337(h), in this section or in a separate report to the SAO.
- Include a list of consulting services, as defined in the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, and a list of nonaudit services, as defined in Government Auditing Standards, 2018 Revision, Technical Update April 2021, Sections 3.64 – 3.106 that were completed during fiscal year 2022.
- Include report numbers, dates, and titles, as well as the high-level objective(s) of each project.
- Summarize the key consulting services and nonaudit service observations, results, and recommendations, if applicable.
- Include a copy of the executive summary or a summary of issues from the most recent external quality assurance review or peer review report.
- Include the fiscal year 2023 approved audit plan. If the plan is pending approval from the governing board or chief executive and is not submitted with the annual report, specify the date that the plan will be submitted.
- Include the budgeted hours for all projects.
- Indicate which projects in the audit plan, if any, address the following:
- Benefits proportionality, expenditure transfers, capital budget controls, or any other limitation or restriction in the General Appropriations Act.
- Contract management and other requirements.
- Include a list of additional risks ranked as “high” that were identified but are not included in the fiscal year 2023 audit plan.
- Include a brief description of the risk assessment or methodology used to develop the audit plan, including consideration, if any, of risks associated with:
- The applicable information technology risks related to Title 1, Texas Administrative Code, Chapter 202 (Information Security Standards).
- Benefits proportionality.
- Methods for ensuring compliance with contract processes and controls and for monitoring agency contracts, according to Texas Government Code, Section 2102.005(b).
- Include a list of all external audit services that were procured or were ongoing in fiscal year 2022. Examples of those services may include, but are not limited to, financial and performance audits and attestation engagements such as a review or an agreed-upon procedures engagement.
- Include a brief description of the entity’s actions taken to comply with the fraud reporting requirement of Section 7.09, page IX-38, the General Appropriation Act (87th Legislature).
- Include a brief description of the entity’s process to comply with the investigation coordination requirements of Texas Government Code, Section 321.022.
Where to Send the Internal Audit Annual Report and Periodic Internal Audit Reports
The Governor’s Office, the SAO, and the Legislative Budget Board should receive the annual report and periodic internal audit reports.
- The internal audit annual report for fiscal year 2021 is due November 1, 2022 (Texas Government Code, Section 2102.009).
- Each periodic internal audit report should be submitted within 30 days after the date the report is submitted to the entity's governing board or the chief executive if the entity does not have a governing board (Texas Government Code, Section 2102.0091).
- Send the reports electronically as Microsoft Word, Adobe Acrobat (PDF), or HTML files, attached to an email, to the addresses below.
- Send confidential reports and files larger than 30 MB to the SAO via the secure file sharing system.
Important: Include the phrase “Internal Audit Annual Report” or “Periodic Internal Audit Report” in the subject field of the email.
|Agency and Phone Number||Electronic Submission of Reports|
Governor’s Office - Budget and Policy Division
Phone: (512) 463-1778
Send to: Sarah Hicks
State Auditor’s Office
Phone: (512) 936-9500
Send to: Internal Audit Coordinator
Confidential and Large Reports: SAO Secure File Sharing System (contact SAO for instructions)
Legislative Budget Board
Phone: (512) 463-1200
Send to: Christopher Mattsson
Summary of Texas Government Code, Section 2102.015
Texas Government Code, Section 2102.015, requires state agencies and higher education institutions, as defined in the statute, to post certain information on their websites. Below is a summary of the provisions of that statute.
Within 30 days of approval, an entity should post the following information on its website:
- The approved fiscal year 2023 audit plan, as required by Texas Government Code, Section 2102.008.
- The fiscal year 2022 internal audit annual report, as required by Texas Government Code, Section 2102.009.
The above reports are considered to be approved if they are approved by an entity’s governing board or by the chief executive if the entity does not have a governing board.
Texas Government Code, Section 2102.015, also requires entities to update the posting described above to include the following information on their websites:
- A “detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns, if any, raised by the audit plan or annual report.”
- A “summary of the action taken by the agency to address the concerns, if any, that are raised by the audit plan or annual report.”
Including the summaries outlined above in the fiscal year 2022 annual report and posting that annual report on the entity’s website fulfills the minimum requirement but does not preclude an entity from posting more frequent updates to its website. To address these requirements, an entity could summarize fiscal year 2022 internal audit recommendations and report on its action and progress toward implementing those recommendations. Suggested progress classifications include: fully implemented, substantially implemented, incomplete/ongoing, or not implemented.
Texas Government Code, Section 2102.015, also specifies that an entity “is not required to post information contained in the agency’s internal audit plan or annual report if the information is excepted from public disclosure under Chapter 552 [of the Texas Government Code].” For questions about whether information in the internal audit plan or annual report is excepted from disclosure under Chapter 552, consult with your entity’s legal counsel or public information officer, as appropriate.
Entities that are not subject to the Texas Internal Auditing Act and that do not prepare internal audit plans or internal audit annual reports are not required to post those items on their websites.
Entities that contract for internal audit services should post internal audit plans, the annual report, and required updates as prepared by the contracted auditor.
Higher Education Institution Benefits Proportionality Audit Requirements
Rider 8, page III-50, the General Appropriations Act (87th Legislature), requires each higher education institution, excluding public community/junior colleges, to conduct an internal audit of benefits proportional by method of finance using a methodology approved by the SAO. Below is a summary of the provisions of that rider.
The rider requires the following:
- The audit must be conducted using the methodology approved by the SAO.
- The audit must examine fiscal years 2019 through 2021
- Higher education institutions must submit a copy of the audit report to the Legislative Budget Board, the Comptroller of Public Accounts, and the SAO no later than August 31, 2022 .
- If the audit identifies that the institution received excess General Revenue due to noncompliance with the proportionality requirements provided by Section 6.08, page IX-28, the General Appropriations Act (87th Legislature), the institution must submit a reimbursement payment to the Comptroller of Public Accounts within two years of the conclusion of the audit.
- Higher education institutions must consider audits of benefits proportional when developing their annual internal audit plans for fiscal years 2022 and 2023.
In compliance with the rider requirements, the SAO prescribes the following methodology for higher education institution internal audits of benefits proportional by method of finance. These guidelines represent the minimum requirements and do not preclude a higher education institution from incorporating additional procedures in its audit(s).
The methodology for the higher education institution benefits proportional internal audit should, at a minimum, comply with Texas Government Code, Section 2102.011, and include the following areas:
- Auditing compliance with applicable requirements prescribed by Section 6.08, page IX-28, the General Appropriations Act (87th Legislature).
- Auditing the accuracy of the report demonstrating proportionality required by Section 6.08(g).
- Disclosing in the audit report (a) the aggregate dollar amount of all instances of noncompliance with the proportionality requirements identified during the audit, regardless of materiality, and (b) the status of any resulting reimbursement payments to the Comptroller of Public Accounts.
In addition, the audit report must include a statement certifying that the audit incorporated the methodology prescribed by the SAO.
The scope of the audit(s) should include fiscal years 2019 through 2021.
For questions regarding the benefits proportional internal audit methodology approved by the SAO, contact the higher education institution's SAO contact manager.
Contract Audit Reporting For Select State Entities
Texas Government Code, Section 2261.258, requires the SAO to assign contract monitoring ratings each fiscal year to the largest 25 state agencies, as determined by the Legislative Budget Board. The rating is based on a variety of factors, including the results of contracting-related audits conducted by the agency’s internal audit division.
To assist the SAO in performing this function, the 25 state agencies should include certain information in the internal audit annual report. Specifically, agencies should identify each audit report related to their contracts and contract processes and controls completed in the last five years (fiscal years 2018 to current), including:
- Report Title.
- Report Number.
- Report Date.
- Any follow-up audit work performed by internal audit on the report (along with report title, number, and date).