13885-13888
GOVERNMENT CODE
SECTION 13885-13888
13885. The Legislature finds and declares as follows: (a) Recent corporate scandals and federal legislation, such as the Sarbanes-Oxley Act of 2002 (P.L. 107-204), focus attention on the importance of internal audit activity to public accountability and governance. (b) Ensuring the independence of internal auditors of state agencies and that their findings are reported to the appropriate levels of government is critical to safeguarding public funds and the public trust. 13886. (a) Any governing body that oversees a state agency that performs or reviews internal audits shall establish an audit committee that generally meets the frameworks recommended by the American Institute of Certified Public Accountants, as set forth in the publication entitled "AICPA Audit Committee Toolkit: Government Organizations." (b) For purposes of this chapter, "governing body" means a board, commission, board of trustees, council, or other similar body that oversees a state agency. 13886.5. (a) The Controller, the Director of Finance, and the respective staffs thereof, and all state agencies that have their own internal auditors or that conduct internal audits or internal audit activities, shall conduct internal audit activity under the general and specified standards of internal auditing prescribed by the Institute of Internal Auditors or the Government Auditing Standards issued by the Comptroller General of the United States, as appropriate. (b) Nothing in this article is intended to limit the rights or obligations of internal auditors to conduct internal audits and audit activities in accordance with other laws and regulations that may apply to a particular entity. 13887. (a) In order to achieve independence and objectivity pursuant to Section 13886, for any state agency that does not report to a governing body, the internal auditor operations shall meet all of the following requirements: (1) The chief internal auditor shall be accountable to the head or deputy head of the state agency. (2) The chief internal auditor shall report audit findings and recommendations made under his or her jurisdiction to the head or deputy head of the state agency and to the general counsel to the state agency, if applicable. (3) The operations shall be organizationally outside the staff or line management function of the unit under audit. (b) In order to achieve independence and objectivity as required by the standards identified in Section 13886, for any state agency that is overseen by a governing body, the internal audit operations shall meet all of the following requirements: (1) The chief internal auditor shall be accountable to the audit committee of the governing body. (2) The chief internal auditor shall report audit findings and recommendations made under his or her jurisdiction to the audit committee and the general counsel to the governing body. (3) The operations shall be organizationally outside the staff or line management function of the unit under audit. 13887.5. (a) When the chief internal auditor of a state agency believes that senior management in the state agency has accepted a level of residual risk that may be unacceptable to the organization or that senior management has otherwise not taken appropriate action in response to a finding or recommendation by its internal auditors, the chief internal auditor shall discuss the matter with senior management and the general counsel to the state agency. If that decision regarding residual risk or the need for appropriate action in response to an audit finding or recommendation, or both, does not resolve the issue, the chief internal auditor and general counsel shall jointly report the matter to the next highest level of management as pertains to the state agency, including, but not limited to, the chair of the governing body overseeing the state agency, the agency secretary, the Governor's office, or the appropriate constitutional officer. (b) If the decision regarding residual risk or the need for appropriate action in response to an audit finding or recommendation that could have a significant impact on the state's fiscal operations, the performance of a significant government program, or the delivery of a significant government service, or other similar significant or critical government services, as determined by the chief internal auditor, is still not resolved after making the disclosures required pursuant to subdivision (a), the chief internal auditor shall report the matter to the Joint Legislative Audit Committee and the State Auditor. At the direction of the Joint Legislative Audit Committee, the State Auditor shall investigate a disclosure made pursuant to subdivision (b) and report the results of the investigation in accordance with Chapter 6.5 (commencing with Section 8543) of Division 1. The disclosure requirements of this subdivision shall not apply to any chief internal auditor who reports and makes disclosures to an audit committee, as described in subdivision (b) of Section 13887. (c) Any chief internal auditor who makes a disclosure pursuant to this section shall receive all protection available under the California Whistleblower Protection Act (Article 3 (commencing with Section 8547) of Chapter 6.5 of Division 1). 13888. (a) If an internal auditor employed by a state agency has a good faith belief that the agency management is interfering with the internal auditor's or auditors' ability to comply with the provisions of this part, that the internal auditor or auditors are under pressure to modify or limit findings or recommendations, or that senior management is not taking appropriate action in response to an audit finding or recommendation, the internal auditor may report the information supporting that good faith belief to the State Auditor. (b) The State Auditor may investigate any report made pursuant to subdivision (a) and if the allegations are substantiated, shall report his or her findings pursuant to Chapter 6.5 (commencing with Section 8545) of Division 1. (c) Any internal auditor making a report pursuant to this section shall receive all protection available under the California Whistleblower Protection Act (Article 3 (commencing with Section 8547) of Chapter 6.5 of Division 1).