State Administrative Manual

 

Chapter 20000 - Auditing of State Agencies

20000     INTRODUCTION
(Revised 12/00)

California State Government employs a variety of audit resources to assist management in assuring that:

  - State assets are protected
  - Laws and regulations are followed
  - Financial and management information is reliable
  - Organizations and programs are operating effectively and efficiently

These audit resources include central audit organizations with statewide responsibilities, as well as internal auditors located within many state agencies.

The following acronyms and abbreviations are used throughout this section of the State Administrative Manual.

  - SAM: State Administrative Manual
  - DOF: Department of Finance
  - OSAE: Office of State Audits and Evaluations
  - BSA: Bureau of State Audits
  - SCO: State Controller's Office
  - GC: Government Code
  - OMB: Federal Office of Management and Budget
  - FISMA: Financial Integrity and State Manager's Accountability Act
  - AB: Assembly Bill

The following SAM sections describe the functions and responsibilities of the various audit resources within State government. These sections do not cover revenue/tax auditors.

20010     CENTRAL AUDIT ORGANIZATIONS 
(Renumbered from 20005, Revised 12/00)

The State's central audit organizations include the Department of Finance, the Bureau of State Audits, and the State Controller's Office.

Department of Finance

The Director of the Department of Finance has general responsibility for supervising matters concerning the State's financial and business policies.  Additionally, the Director is responsible for coordinating the internal audit function for the executive branch of state government, as well as acting as the Governor's representative in coordinating the executive branch response to the BSA's annual single audit of the State.

Numerous statutes require the DOF to perform audits of various state funds and/or programs. As a result, the DOF's Office of State Audits and Evaluations assists in fulfilling these responsibilities.  The Department's broad oversight responsibilities result in a wide variety of audits being conducted, including financial audits, financial related audits, performance audits, information technology audits, and compliance audits.  Additionally, the Department monitors and coordinates the implementation of the Financial Integrity and State Manager's Accountability Act as described in SAM Sections 20050 and 20060.  As part of the Department's internal control oversight function, the DOF evaluates the work of the State's internal audit organizations by completing Quality Assurance Reviews, and issues Audit Memos instructing internal audit organizations on audit policies, procedures, and requirements. Finally, the Department performs reviews of suspected instances of fraud and special program reviews as requested by the Governor's Office, the Director of the DOF, or other state agencies. Many of these activities are conducted through interagency agreements.

Bureau of State Audits

Senate Bill 37, Chapter 12, Statutes of 1993 (GC 8543), created the Bureau of State Audits as part of the Executive Branch.  To assure its independence, the BSA is free from the control of the Executive and Legislative branches; a state commission oversees its administrative operations.  The BSA, under the direction of the State Auditor, performs an annual examination (single audit) of the State's general-purpose financial statements as prepared by the SCO.  The federal government, as a condition of receiving federal funds, requires this audit.  The single audit also includes a review of major federal programs for compliance with federal laws and regulations, and recommendations to improve the State's financial systems and internal control.

The BSA also conducts financial and performance audits as directed by statute, and other government audits requested by the Joint Legislative Audit Committee.  The BSA has the explicit authority to audit any entity that receives state funds.  Consequently, it sometimes audits at the local government level.  In addition, the BSA administers the "Reporting of Improper Governmental Activities Act," which includes a hotline for anonymous reporting.

State Controller's Office

The primary function of the State Controller's Office is to provide sound fiscal control over both receipts and disbursements of public funds and to report periodically on the financial operations and condition of both state and local government.  Consequently, the SCO performs financial audits and financial related audits of federal and state funds, and audits state entities' payroll procedures in connection with the SCO's central disbursing function.  Additionally, the SCO performs audits under contract for state and federal entities and is responsible for coordinating single audit activities in local government and K-12 school districts.

The SCO also provides pre-audits and post-audits of claims for payment as part of the state's central disbursement function.  The SCO functions in a coordinating role for Auditor/Controllers at the local government level.


20020     AUDIT COORDINATION 
(Revised 08/06)

General

AB 861, Chapter 1167, Statutes of 1981 (GC 12430), provides that all audit activities of the State Controller's Office, the Bureau of State Audits, and the Department of Finance shall be coordinated so that duplication of auditing effort may be minimized.  This coordination is achieved through the AB 861 committee composed of the State Controller, the State Auditor, and the Director of the Department of Finance.  The committee meets on an as-needed basis to coordinate audit coverage and minimize audit duplication.

To prevent duplication of the annual financial audit conducted by the BSA, GC 8546.4(e) prescribes that except for those state agencies that are required by state law to obtain an annual audit, no state entity shall encumber funds appropriated by the Legislature for the purpose of funding annual financial audits that may be covered by the single audit performed by the BSA.

In addition, GC 8546(e) states that no state entity shall enter into a contract for a financial or compliance audit without prior written approval of the Director of the DOF and the State Controller.

Internal Audit Coordination

GC 12430 assigns the Director of the DOF the primary responsibility of coordinating state internal audit entities.  This coordination activity will not affect audit activities that are an integral part of an entity's functions; such as regulatory and tax auditors, or other auditors who work directly with selected industries or taxpayers.

To help coordinate internal auditing, the DOF, as required by GC 13405(d), has developed an internal control audit guide, as well as supplemental audit guides applicable to institutional stores and trust operations.  Copies of these guides may be obtained from the OSAE, or electronically at the OSAE web page at www.dof.ca.gov/fisa/osae/osaehome.htm.

The DOF also issues Audit Memos on an as-needed basis.  These memos may establish uniform policy, interpretations, procedures or technical requirements, or provide advice or information.  Copies are available from the OSAE, or electronically at the OSAE web page at www.dof.ca.gov/fisa/osae/osaehome.htm.

In addition, the DOF may coordinate the implementation of internal audit standards by conducting Quality Assurance Reviews of internal audit units.

Single Audit Coordination

Pursuant to the Federal Single Audit Act of 1984 and the Single Audit Act Amendment of 1996, the Federal Office of Management and Budget has issued Circular A-133.  This circular sets standards for the audits of states, local governments, and non-profit organizations expending federal awards.

At the state level, California meets the federal requirements through the BSA's annual single audit of the general purpose financial statements included in the SCO's Annual Report to the Governor.

As part of its annual audit of the State, the BSA requests the Director of the DOF to make certain representations regarding the State's financial operations.  To allow the DOF to submit a single representation letter to the BSA, each entity head is required to submit annually to the DOF a representation letter on the entity's operations. A sample representation letter can be obtained from the OSAE.  The "as of" date for the representation letter will be communicated annually to the agencies by the OSAE.  These letters are compiled into a single representation letter that the DOF submits to the BSA for the State's annual single audit.

In conjunction with the single audit, the SCO submits an audit inquiry letter to the Attorney General requesting information on pending or threatened litigation.  This information is then forwarded to the BSA.

Federal Audit Coordination

To ensure that federal audit requests are coordinated in accordance with GC Section 12430, state agencies shall immediately notify the Director of the Department of Finance, the State Auditor, and the State Controller, when they are required to obtain federally required audits as stated in GC 8546.4(d).  The three audit agencies shall coordinate the procurement by state agencies of the federally required audits, including any negotiations with cognizant federal agencies.


20030     INTERNAL AUDIT ORGANIZATIONS 
(New 12/00)

Many state agencies have internal audit organizations.  These organizations assist management in finding and correcting problems in financial operations, perform special operational reviews and fraud investigations, and review internal control.  Internal control reviews help management fulfill their responsibilities under the Financial Integrity and State Manager's Accountability Act.  See SAM Sections 20050 and 20060.

 


20040     AUDIT STANDARDS 
(Revised 03/08)

Various organizations promulgate audit standards for auditors to follow.  Standards are designed to enhance the quality and consistency of audits and audit reports.

Internal Audit Standards

The Institute of Internal Auditors promulgates standards and guidelines for internal auditors in a publication titled the International Standards for the Professional Practice of Internal Auditing (ISPPIA).  These standards are designed for all types of internal audits.

The ISPPIA cover independence, professional proficiency, scope of work, performance of audit work, and management of the internal audit organization.  However, management must ensure that an internal audit organization is independent of the activities and programs it audits.

Government Auditing Standards

The United States General Accounting Office has developed Government Auditing Standards (GAS) for all types of external audits.  Government Auditing Standards, a publication by the Comptroller General of the United States and often referred to as the "Yellow Book," explains the standards.

Various federal laws and regulations, such as the Single Audit Act of 1984, the Single Audit Act Amendment of 1996, and the OMB Circular A-133, require that government and non-governmental auditors of State and local governments and various other federal funds recipients follow GAS in order for the results to be accepted by the federal government.

Generally Accepted Auditing Standards

The American Institute of Certified Public Accountants (AICPA) requires adherence to Generally Accepted Auditing Standards (GAAS) for external audits of financial statements and recognizes Statements on Auditing Standards as interpretations of those standards.  Statements on Standards for Attestation Engagements supplement these standards.  Together these standards provide a general framework and guidelines for performing various audits from an external audit perspective.

Quality Assurance Audits

GC 13886.5 requires agencies with internal auditing activities to follow the general and specific standards of internal auditing prescribed by the Institute of Internal Auditors or the Comptroller General of the United States, as appropriate.

In accordance with GC 12430, the DOF may perform quality assurance reviews of the internal audit units to determine their compliance with appropriate audit standards.  The reviews result in audit reports, each containing an opinion that the internal audit unit fully complies, adequately complies, or does not comply with the required standards.


20050     INTERNAL CONTROL 
(Revised 03/08)

State entity heads, by reason of their appointments, are accountable for activities carried out in their agencies.  This responsibility includes the establishment and maintenance of internal accounting and administrative controls. Each system an entity maintains to regulate and guide operations should be documented through flowcharts, narratives, desk procedures, and organizational charts.  The ultimate responsibility for good internal control rests with management.

Financial Integrity and State Manager's Accountability Act

Because governments are susceptible to fraud, waste, and abuse, increased attention has been directed toward strengthening internal control to help restore confidence in government and improve its operations. In particular, the Financial Integrity and State Manager's Accountability Act was enacted to inhibit waste of resources and create savings. GC 13400 through 13407 describes the Legislative findings, entity responsibilities, and entity reports on the adequacy of internal control.

GC 13403 defines internal accounting and administrative controls and sets forth the elements of a satisfactory system of internal control.  As stated in GC 13403, internal accounting and administrative controls are the methods through which state entity heads can give reasonable assurance that measures to safeguard assets, check the accuracy and reliability of accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies are being followed.

Internal accounting controls comprise the methods and procedures directly associated with safeguarding assets and assuring the reliability of accounting data.  Internal administrative controls comprise the methods and procedures that address operational efficiency and adherence to management policies.

Furthermore, GC 13403 states that the elements of a satisfactory system of internal accounting and administrative controls shall include, but are not limited to:

  1. A plan of organization that provides segregation of duties appropriate for proper safeguarding of state assets.
     
  2. A plan that limits access to state assets to authorized personnel who require these assets in the performance of their assigned duties.
     
  3. A system of authorization and record keeping procedures adequate to provide effective accounting control over assets, liabilities, revenues and expenditures.
     
  4. An established system of practices to be followed in performance of duties and functions in each of the state agencies.
     
  5. Personnel of a quality commensurate with their responsibilities.
     
  6. An effective system of internal review.

These elements, as important as each is in its own right, are expected to be mutually reinforcing and, thus, to provide the system with "internal checks and balances."  All the elements are so basic to adequate internal control, that serious deficiencies in any one could preclude effective operation of the system and should trigger a sign of a problem.
 
Symptoms of Control Deficiencies
 
Experience has indicated that the existence of one or more of the following danger signals will usually be indicative of a poorly maintained or vulnerable control system.  These symptoms may apply to the organization as a whole or to individual units or activities.  Entity heads and managers should identify and make the necessary corrections when warned by any of the danger signals listed below.
 
  1. Policy and procedural or operational manuals are either not currently maintained or are nonexistent.
     
  2. Lines of organizational authority and responsibility are not clearly articulated or are nonexistent.
     
  3. Financial and operational reporting is not timely and is not used as an effective management tool.
     
  4. Line supervisors ignore or do not adequately monitor control compliance.
     
  5. No procedures are established to assure that controls in all areas of operation are evaluated on a reasonable and timely basis.
     
  6. Internal control weaknesses detected are not acted upon in a timely fashion.
     
  7. Controls and/or control evaluations bear little relationship to organizational exposure to risk of loss or resources.

Institute of Internal Auditors

The International Standards for the Professional Practice of Internal Auditing (ISPPIA), issued by the Institute of Internal Auditors, defines internal control as a process designed to provide an organization reasonable assurance regarding the achievement of the following primary objectives:

  1. The reliability and integrity of information.
  2. Compliance with policies, plans, procedures, laws and regulations.
  3. The safeguarding of assets.
  4. The economical and efficient use of resources.
  5. The accomplishment of established objectives and goals for operations or programs.


 
COSO Framework
 
The auditing profession has widely accepted the Committee of Sponsoring Organizations of the Treadway Commission's report titled The Internal Control - Integrated Framework (COSO Report) as a general definition of internal control.  The COSO Report defines internal control as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:

  1. Effectiveness and efficiency of operations
  2. Reliability of financial reporting
  3. Compliance with applicable laws and regulations

Internal control consists of five interrelated components:

  1. Control Environment.  The organization's tone; the foundation for all other components of internal control.
     
  2. Risk Assessment.  Management establishes activity-level objectives and mechanisms for identifying and analyzing risks related to their achievement.
     
  3. Control Activities.  Policies and procedures that ensure management's directives are carried out and help ensure that necessary actions are taken to minimize risks to achievement of the entity's objectives.
     
  4. Information and Communication.  Information must be identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities.
     
  5. Monitoring.  Assessing the quality of the system's performance over time.  This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.

20060     INTERNAL CONTROL REPORTING 
(Revised 03/08)

Pursuant to the FISMA (GC 13405), the head of each state entity shall, on a biennial basis but no later than December 31 of each odd-numbered year, conduct an internal review and prepare a report on the adequacy of their entity's systems of internal accounting and administrative control in accordance with the guide prepared by the DOF.  The report, including the entity's response to the review recommendations, shall identify any material inadequacy or material weakness in an entity's systems of internal accounting and administrative control that prevents the head of the entity from stating that the entity's systems comply with the FISMA.  The submission should consist of a transmittal letter, the review report on internal accounting and administrative control, and management's response to the review report.

For entities that report to an Agency Secretary, the transmittal letter should be addressed and sent to the Agency Secretary.  The entity should forward copies of the transmittal letter and review report to the Legislature, the State Auditor, the Governor, the Director of the Department of Finance, and the State Library.

For entities that do not report to an Agency Secretary, the transmittal letter should be addressed and sent to the Director of the Department of Finance.  The entity should forward copies of the transmittal letter and review report to the Legislature, the State Auditor, the Governor, and the State Library.

Within 30 days after the report is submitted, the entity will provide to the Director of the Department of Finance a plan and schedule for correcting the identified inadequacies and weaknesses in the review report.  The plan will be updated and submitted every six months until all corrections are completed.

The state entity head must investigate any allegation that an employee provided false or misleading information in connection with the evaluation of an entity's system of internal control or in connection with the preparation of the biennial report.  The state entity head must submit a report on all the allegations made and the actions taken to resolve them to the Director of the Department of Finance within 90 days from receiving the allegation.

All internal control reviews are to be completed in accordance with the guide prepared by the DOF.  Internal audit units will conduct these reviews in accordance with appropriate standards as required by GC 13886.5.  The review will examine internal accounting control and fiscal compliance practices in use at the time of the review.  The transmittal letter and guide can be obtained from the OSAE, or electronically at the OSAE web page at http://www.dof.ca.gov/osae/.

In conjunction with the audits performed by internal audit units, OSAE is available to assist entity heads in evaluating their internal control reporting responsibilities.

 


20070     FEDERAL PASS-THROUGH FUNDS 
(Renumbered from 20045, 20050, Revised 12/00)

The Federal Single Audit Act of 1984 as amended by the Single Audit Act Amendment of 1996 and amendments in conjunction with the OMB Circular A-133, defines a pass-through entity as a non-federal entity that provides a federal award to a sub recipient to carry out a federal program.  OMB Circular A-133 Sub-Section .310(b) requires a schedule of expenditures of federal awards be prepared each year and lists the requirements for completing the schedule of expenditures, including the requirement to identify the total amount provided to sub recipients.

To facilitate the identification and tracking of federal funds transferred between state agencies or state agencies and local governments, each contract, interagency agreement, or any other document controlling the disbursement of federal financial assistance must cite the applicable catalog number from the Catalog of Federal Domestic Assistance.  If state matching funds are involved, specify the percentage of state and federal funds.  Where federal funds are disbursed through a claim schedule, the catalog number should be recorded.

The OMB Circular A-133, Subpart D describes the responsibilities of federal agencies and pass-through entities.  Specifically, Section .400(d) prescribes the responsibilities of a pass-through entity for the federal awards it makes.

To ensure that the State of California carries out its responsibilities in accordance with this federal act, the following procedures shall apply:

  1. As part of the annual Single Audit, the DOF requires state agencies to provide certain financial information related to federal awards received.  Specifically, agencies must provide schedules of cash and non-cash federal assistance.  The information provided is consolidated by the DOF and is forwarded to the BSA for inclusion in the Single Audit Report.
     
  2. The SCO will coordinate single audit compliance with local governments.
     
    1. Each state entity will monitor the federal funds it disburses to local governments to ensure compliance with federal laws and regulations.  State entities will receive local government audit reports performed in accordance with the Single Audit Act of 1984, P.L. 98-502, and the Single Audit Act Amendments of 1996, P.L. 104-156 from the SCO when the audit report includes a schedule of findings and questioned costs with respect to federal funds that were passed through state entities.  In addition, the SCO will distribute the single audit reports to state entities when the prior fiscal year's single audit report included audit findings related to federal funds.  The state entity will review these reports and evaluate the corrective action plans submitted in response to findings of noncompliance.
       
    2. All contracts or agreements issued by state entities concerning disbursement of federal funds to local governments will include the requirement for an audit in accordance with P.L. 104-156 and amendments.
       
    3. The SCO will inform units of local government to submit copies of audit reports and corrective action plans, when warranted, prepared in accordance with P.L. 104-156 and amendments directly to the SCO.
       
    4. The SCO will distribute copies of each audit report and corrective action plan to state entities affected by audit findings.
       
    5. State entities will follow up on audit findings pertaining to federal programs, which they administer, and the SCO will follow up on general findings such as those relating to internal control.
       
    6. The SCO will review and monitor the audit reports issued by external independent auditors.  The SCO will determine whether or not the audit reports conform to Government Auditing Standards.

20080     NOTIFICATION OF ACTUAL OR SUSPECTED FRAUD AND IRREGULARITIES 
(Revised 08/06)

An entity will notify the OSAE and the BSA of all cases of actual or suspected fraud, defalcation, theft, or other irregularities it has become aware of either internally or by referral.  This requirement applies to all incidents involving state assets, whether alleged against state employees or others.

Notification will be made to the OSAE and the BSA in writing not later than the first business day following the actual or suspected fraud, theft, or irregularity.  The notification will include, as a minimum, the sequence of events, the internal controls that failed, the means of discovery, the corrective actions taken, the actual or estimated dollar amount, and any punitive actions taken or being considered.  In those instances where complete information is not available by the first business day following discovery, a preliminary notification will be made. A complete notification will be made within thirty days.  If not completed within thirty days, a progress report will be submitted every thirty days until the entity has resolution or has referred the incident to the proper authority.

Additionally, agencies will notify the OSAE of material irregularities in their annual Letter of Representation in accordance with SAM Section 20020 (Single Audit Coordination).  For reporting lost, stolen or destroyed property, see SAM Section 8643.


20090     REPORTING MATRIX 
(Revised 03/08)

| Document | Required | Due Date | Submit to |
|---|---|---|---|
| Single Audit Representation Letter | All State entities | Upon notification, each year | DOF |
| FISMA Transmittal Letter and Review Report | All State entities | Biennial but no later than December 31 of each odd-numbered year | DOF |
| Corrective Action Plan | All State entities | Within 30 days after submitting the FISMA Report | DOF |
| Subsequent Corrective Action Plan | All State entities | Every six months until all corrections are completed | DOF |

Updated : 6/11/2007