GOVERNMENT CODE
SECTION 13885-13888




13885.  The Legislature finds and declares as follows:
   (a) Recent corporate scandals and federal legislation, such as the
Sarbanes-Oxley Act of 2002 (P.L. 107-204), focus attention on the
importance of internal audit activity to public accountability and
governance.
   (b) Ensuring the independence of internal auditors of state
agencies and that their findings are reported to the appropriate
levels of government is critical to safeguarding public funds and the
public trust.



13886.  (a) Any governing body that oversees a state agency that
performs or reviews internal audits shall establish an audit
committee that generally meets the frameworks recommended by the
American Institute of Certified Public Accountants, as set forth in
the publication entitled "AICPA Audit Committee Toolkit: Government
Organizations."
   (b) For purposes of this chapter, "governing body" means a board,
commission, board of trustees, council, or other similar body that
oversees a state agency.



13886.5.  (a) The Controller, the Director of Finance, and the
respective staffs thereof, and all state agencies that have their own
internal auditors or that conduct internal audits or internal audit
activities, shall conduct internal audit activity under the general
and specified standards of internal auditing prescribed by the
Institute of Internal Auditors or the Government Auditing Standards
issued by the Comptroller General of the United States, as
appropriate.
   (b) Nothing in this article is intended to limit the rights or
obligations of internal auditors to conduct internal audits and audit
activities in accordance with other laws and regulations that may
apply to a particular entity.


13887.  (a) In order to achieve independence and objectivity
pursuant to Section 13886, for any state agency that does not report
to a governing body, the internal auditor operations shall meet all
of the following requirements:
   (1) The chief internal auditor shall be accountable to the head or
deputy head of the state agency.
   (2) The chief internal auditor shall report audit findings and
recommendations made under his or her jurisdiction to the head or
deputy head of the state agency and to the general counsel to the
state agency, if applicable.
   (3) The operations shall be organizationally outside the staff or
line management function of the unit under audit.
   (b) In order to achieve independence and objectivity as required
by the standards identified in Section 13886, for any state agency
that is overseen by a governing body, the internal audit operations
shall meet all of the following requirements:
   (1) The chief internal auditor shall be accountable to the audit
committee of the governing body.
   (2) The chief internal auditor shall report audit findings and
recommendations made under his or her jurisdiction to the audit
committee and the general counsel to the governing body.
   (3) The operations shall be organizationally outside the staff or
line management function of the unit under audit.



13887.5.  (a) When the chief internal auditor of a state agency
believes that senior management in the state agency has accepted a
level of residual risk that may be unacceptable to the organization
or that senior management has otherwise not taken appropriate action
in response to a finding or recommendation by its internal auditors,
the chief internal auditor shall discuss the matter with senior
management and the general counsel to the state agency. If that
decision regarding residual risk or the need for appropriate action
in response to an audit finding or recommendation, or both, does not
resolve the issue, the chief internal auditor and general counsel
shall jointly report the matter to the next highest level of
management as pertains to the state agency, including, but not
limited to, the chair of the governing body overseeing the state
agency, the agency secretary, the Governor's office, or the
appropriate constitutional officer.
   (b) If the decision regarding residual risk or the need for
appropriate action in response to an audit finding or recommendation
that could have a significant impact on the state's fiscal
operations, the performance of a significant government program, or
the delivery of a significant government service, or other similar
significant or critical government services, as determined by the
chief internal auditor, is still not resolved after making the
disclosures required pursuant to subdivision (a), the chief internal
auditor shall report the matter to the Joint Legislative Audit
Committee and the State Auditor. At the direction of the Joint
Legislative Audit Committee, the State Auditor shall investigate a
disclosure made pursuant to subdivision (b) and report the results of
the investigation in accordance with Chapter 6.5 (commencing with
Section 8543) of Division 1. The disclosure requirements of this
subdivision shall not apply to any chief internal auditor who reports
and makes disclosures to an audit committee, as described in
subdivision (b) of Section 13887.
   (c) Any chief internal auditor who makes a disclosure pursuant to
this section shall receive all protection available under the
California Whistleblower Protection Act (Article 3 (commencing with
Section 8547) of Chapter 6.5 of Division 1).



13888.  (a) If an internal auditor employed by a state agency has a
good faith belief that the agency management is interfering with the
internal auditor's or auditors' ability to comply with the provisions
of this part, that the internal auditor or auditors are under
pressure to modify or limit findings or recommendations, or that
senior management is not taking appropriate action in response to an
audit finding or recommendation, the internal auditor may report the
information supporting that good faith belief to the State Auditor.
   (b) The State Auditor may investigate any report made pursuant to
subdivision (a) and if the allegations are substantiated, shall
report his or her findings pursuant to Chapter 6.5 (commencing with
Section 8545) of Division 1.
   (c) Any internal auditor making a report pursuant to this section
shall receive all protection available under the California
Whistleblower Protection Act (Article 3 (commencing with Section
8547) of Chapter 6.5 of Division 1).