OAR 125-700-0140
Planning and Reporting Responsibilities
(1)
Each agency’s Chief Audit Executive shall prepare an audit plan of engagements based on the most recent risk assessment. The plan should be risk-based and consistent with organizational goals. The plan must be reviewed and approved by the audit committee. At least one risk-based audit shall be selected and performed from the risk assessment each calendar year.(2)
Each agency’s Chief Audit Executive shall identify an audit topic related to governance and risk management at least once every five years. Examples of audit topics include ethics, strategic management, performance management, the alignment of information technology with the agency’s strategies and objectives, systems in place to assure compliance with laws and regulations, and processes in place to prevent and detect fraud.(3)
Each agency’s Chief Audit Executive shall prepare an annual report covering the time period of July 1 through June 30 of the preceding year, in a format that has been requested by the Oregon Department of Administrative Services.(a)
The annual report must be submitted to the agency head, audit committee, and the Internal Audit Section of the Oregon Department of Administrative Services no later than September 30th of each year.(b)
Information not included in an agency’s report must be available for review upon request of the Oregon Department of Administrative Services.(4)
Completed risk assessments and internal audits need to be filed with the Division of Audits of the Office of the Secretary of State.
Source:
Rule 125-700-0140 — Planning and Reporting Responsibilities, https://secure.sos.state.or.us/oard/view.action?ruleNumber=125-700-0140
.