Skip to main content

Overview

The Texas Internal Auditing Act (Texas Government Code, Chapter 2102, or the Act) requires certain state agencies and higher education institutions to implement an internal auditing program and appoint an internal auditor.

In addition, the Act requires those entities to submit an internal audit annual report each year to the Governor, the Legislative Budget Board, the Sunset Advisory Commission, the State Auditor’s Office (SAO), and the entities’ governing boards and chief executives. The SAO is charged with prescribing the form and content of that annual report.

In compliance with that mandate, the SAO sets forth these guidelines to assist agencies and higher education institutions in preparing the internal audit annual report. These guidelines represent the SAO’s minimum requirements and do not preclude an entity from including additional information in its annual report.

What's New

Higher Education Institution Benefits Proportionality Audit Work

The SAO has updated its prescribed methodology to reflect the revised requirements in Rider 8, page III-44, General Appropriations Act (85th Legislature, Conference Committee Report), for higher education institutions’ (excluding public community/junior colleges) internal audits of benefits proportionality.

Submitting and Posting the Internal Audit Plan and Internal Audit Annual Report

In accordance with Texas Government Code, Sections 2102.009 and 2102.0091, the annual report for fiscal year 2017 is due November 1, 2017 . In addition, each periodic internal audit report should be submitted “not later than the 30th day after the date the report is submitted to the state agency’s governing board or the administrator of the state agency if the state agency does not have a governing board.” Specific guidance on the following is available.

  • Required items that should appear in the annual report. The reporting requirements can be found in Texas Government Code, Chapter 2102.
  • Contact information for submitting the annual report electronically to the required agencies. Recommended electronic formats include Microsoft Word, Adobe Acrobat (PDF), or HTML.
  • Details regarding the posting requirements in Texas Government Code, Section 2102.015.
  • Details regarding higher education institutions’ benefits proportionality audit requirements.

Questions

If you have any questions, contact Kathryn Hawkins at (512) 936-9658 or Michael Stiernberg at (512) 936-9455 at the SAO, or via e-mail at iacoordinator@sao.texas.gov.

Internal Audit Annual Report

The purpose of the internal audit annual report is to provide information on the assurance services, consulting services, and other activities of the internal audit function. In addition, the annual report assists oversight agencies in their planning and coordination efforts.

Note: All periodic internal audit reports and annual reports that are sent to the SAO are presumed to be public information unless they are specifically marked as confidential. If you have a report with content that you consider confidential, contact your entity’s assigned SAO contact manager to discuss that prior to submitting the report.

Requirements for the Fiscal Year 2017 Internal Audit Annual Report

The following information should be included in the fiscal year 2017 annual report:

  1. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web site
    • Include a brief explanation of procedures your entity will follow to comply with the provisions of Texas Government Code, Section 2102.015.
  2. Internal Audit Plan for Fiscal Year 2017
    • Include a list of fiscal year 2017 planned audits, and indicate report numbers, report dates, report titles, and whether the audits were completed (if an audit was not completed, include the current status of the audit).
    • Include a brief explanation for any deviations from the fiscal year 2017 audit plan that your entity submitted on or before November 1, 2016, as part of its annual report.

    Note: For higher education institutions:
    • Clearly indicate which audit(s) were performed to address the benefits proportionality audit requirement prescribed in Rider 8, page III-44, the General Appropriations Act (85th Legislature, Conference Committee Report).
    • Report the findings for the higher education institution assessment required by Texas Education Code, Section 51.9337(h), in this section or in a separate report to the SAO.
  3. Consulting Services and Nonaudit Services Completed
    • Include a list of consulting services, as defined in the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, and a list of nonaudit services, as defined in Government Auditing Standards, 2011 Revision, Sections 3.33 – 3.58, that were completed during fiscal year 2017.
    • Include report numbers, dates, and titles, as well as the high-level objective(s) of each project.
    • Summarize the key consulting services and nonaudit service observations, results, and recommendations, if applicable.
  4. External Quality Assurance Review (Peer Review)
    • Include a copy of the executive summary or a summary of issues from the most recent external quality assurance review or peer review report.
  5. Internal Audit Plan for Fiscal Year 2018
    • Include the fiscal year 2018 approved audit plan. If you are awaiting approval from your governing board or chief executive for your entity’s fiscal year 2018 audit plan and do not submit that plan with your annual report, specify the date on which you will submit your fiscal year 2018 audit plan.
    • Include the budgeted hours for all projects.
    • Indicate which projects in the audit plan, if any, address the following:
      • Benefits proportionality, expenditure transfers, capital budget controls, or any other limitation or restriction in the General Appropriations Act.
      • Contract management and other requirements.
    • Include a list of additional risks ranked as “high” that you have identified but are not included in the fiscal year 2018 audit plan.
    • Include a brief description of the risk assessment or methodology used to develop the audit plan, including consideration, if any, of risks associated with (1) the applicable information technology risks related to Title 1, Texas Administrative Code, Chapter 202, Information Security Standards, and (2) benefits proportionality.

    Note: If the audit plan is modified during fiscal year 2018, submit a copy of the revised plan to the oversight agencies.
  6. External Audit Services Procured in Fiscal Year 2017
    • Include a list of all external audit services that were procured or were ongoing in fiscal year 2017. Examples of those services may include, but are not limited to, financial and performance audits and attestation engagements such as a review or an agreed-upon procedures engagement.
  7. Reporting Suspected Fraud and Abuse
    • Include a brief description of the entity’s actions taken to comply with the fraud reporting requirements of Section 7.09, page IX-38, the General Appropriations Act (85th Legislature, Conference Committee Report).
    • Include a brief description of the entity’s process to comply with the investigation coordination requirements of Texas Government Code, Section 321.022.

    Note: Examples could include (1) information provided on the entity’s Internet Web site that indicates how to report suspected fraud, waste, and abuse involving state resources directly to the SAO and (2) a brief description of the entity’s procedures for reporting suspected fraud, waste, and abuse involving state funds to the SAO.

Submit Reports

Where to Send the Internal Audit Annual Report and Periodic Internal Audit Reports

Oversight Agencies

The Governor’s Office, the SAO, the Legislative Budget Board, and the Sunset Advisory Commission should receive the annual report and periodic internal audit reports.

  • The internal audit annual report for fiscal year 2017 is due November 1, 2017.
  • Each periodic internal audit report should be submitted “not later than the 30th day after the date the report is submitted to the state agency’s governing board or the administrator of the state agency if the state agency does not have a governing board” (Texas Government Code, Section 2102.0091).
  • Send the reports electronically in Microsoft Word, Adobe Acrobat (PDF), or HTML, attached to an e-mail, to the addresses below.
  • Send confidential reports and files larger than 30 MB to the SAO via the secure FTP server (contact SAO for instructions).
Important: Include the phrase “Internal Audit Annual Report” or “Periodic Internal Audit Report” in the subject field of the e-mail.

Agency and Phone Number Electronic Submission of Reports
Governor’s Budget and Policy Division
Phone: (512) 463-1778
Send to: Drew DeBerry
budgetandpolicyreports@gov.texas.gov
State Auditor’s Office
Phone: (512) 936-9500
Send to: Internal Audit Coordinator
iacoordinator@sao.texas.gov

Confidential and Large Reports - SAO FTP Server (contact SAO for instructions)
Legislative Budget Board
Phone: (512) 463-1200
Send to: Julie Ivie
audit@lbb.state.tx.us
Sunset Advisory Commission
Phone: (512) 463-1300
Send to: Ken Levine
sunset@sunset.texas.gov

Posting Requirements

Summary of Texas Government Code, Section 2102.015

Texas Government Code, Section 2102.015, requires state agencies and higher education institutions, as defined in the statute, to post certain information on their Internet Web sites. Below is a summary of the provisions of that statute and guidance on submission of reports.

Within 30 days of approval, an entity should post the following information on its Internet Web site:

  • The approved fiscal year 2018 audit plan, as required by Texas Government Code, Section 2102.008.
  • The fiscal year 2017 internal audit annual report, as required by Texas Government Code, Section 2102.009.

The above reports are considered to be approved if they are approved by an entity’s governing board or by the chief executive if the entity does not have a governing board.

Texas Government Code, Section 2102.015, also requires entities to update the posting described above to include the following information on the Web site:

  • A “detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns, if any, raised by the audit plan or annual report.”
  • A “summary of the action taken by the agency to address the concerns, if any, that are raised by the audit plan or annual report.”

Including the summaries outlined above in the fiscal year 2017 annual report and posting that annual report on an entity’s Internet Web site fulfills the minimum requirement but does not preclude an entity from posting more frequent updates to its Web site. To address these requirements, an entity could summarize fiscal year 2017 internal audit recommendations and report on its action and progress toward implementing those recommendations. Suggested progress classifications include: fully implemented, substantially implemented, incomplete/ongoing, or not implemented.

Texas Government Code, Section 2102.015, also specifies that a “state agency is not required to post information contained in the agency’s internal audit plan or annual report if the information is excepted from public disclosure under Chapter 552 [of the Texas Government Code].” If you have questions about whether information in your internal audit plan or annual report is excepted from disclosure under Chapter 552, consult with your entity’s legal counsel or public information officer, as appropriate.

Entities that are not subject to the Texas Internal Auditing Act and that do not prepare internal audit plans or internal audit annual reports are not required to post those items on their Internet Web sites.

Entities that contract for internal audit services should post internal audit plans, the annual report, and required updates as prepared by the contracted auditor.

Benefits Proportionality

Higher Education Institution Benefits Proportionality Audit Requirements

Rider 8, page III-44, the General Appropriations Act (85th Legislature, Conference Committee Report) requires each higher education institution, excluding public community/junior colleges, to conduct an internal audit of benefits proportional by fund using a methodology approved by the SAO. Below is a summary of the provisions of that rider.

The rider requires the following:

  • The audit must be conducted using the methodology approved by the SAO.
  • The audit must examine fiscal years 2015 through 2017.
  • Higher education institutions must submit a copy of the audit report to the Legislative Budget Board, the Comptroller of Public Accounts, and the SAO no later than August 31, 2018.
  • If the audit identifies that the institution received excess General Revenue due to noncompliance with the proportionality requirements provided by Section 6.08, page IX-28, the General Appropriations Act (85th Legislature, Conference Committee Report), the institution must submit a reimbursement payment to the Comptroller of Public Accounts within two years from the conclusion of the audit.
  • Higher education institutions must consider audits of benefits proportional when developing their annual internal audit plans for fiscal years 2018 and 2019.

Audit Methodology

In compliance with the rider requirements, the SAO prescribes the following methodology for higher education institution internal audits of benefits proportional by fund. These guidelines represent the minimum requirements and do not preclude an entity from incorporating additional procedures in its audit(s).

The methodology for the higher education institution benefits proportional internal audit should, at a minimum, comply with Texas Government Code, Section 2102.011, and include the following areas:

  1. Auditing compliance with applicable requirements prescribed by Section 6.08, page IX-28, the General Appropriations Act (85th Legislature, Conference Committee Report).
  2. Auditing the accuracy of the report demonstrating proportionality required by Section 6.08(g).
  3. Disclosing in the audit report (a) the aggregate dollar amount of all instances of noncompliance with the proportionality requirements identified during the audit, regardless of materiality, and (b) the status of any resulting reimbursement payments to the Comptroller of Public Accounts.

In addition, the audit report must include a statement certifying that the audit incorporated the methodology prescribed by the SAO.

The scope of the audit(s) should include fiscal years 2015 through 2017.

For questions regarding the benefits proportional internal audit methodology approved by the SAO, contact your assigned SAO contact manager.