Maine State Government
Dept. of Administrative & Financial Services
Office of Information Technology
Internal Audit Policy
In order to maintain a robust and active quality assurance
and risk analysis process the Chief Information Officer (CIO) internally audit
the Office of Information Technology (OIT).
Auditing the effectiveness and
efficiency of information technology (IT) controls statewide ensures a robust,
non-biased risk analysis is in place. The purpose of the internal audit is to
review and measure the established risk management procedures and controls. Investigating
documentation, management oversight, policy and corrective measures fall within
the auditor’s purview.
This policy provides guidance to
OIT employees regarding OIT’s dedicated internal audit function.
III. Guidelines &
- Day to day direction for
conducting the audit from an operational prospective will be provided by
the Associate CIO in accordance with the approved audit plan.
- Audit programs, procedures and
content must be reviewed and accepted by the Director of Internal Audit,
Associate State Controller, or State Controller.
- OSC will be kept informed of
any other activities that impact time devoted to the audit.
- If the position is vacated, OSC
shall be included in the hiring and selection process.
- Biweekly progress on audits
shall be communicated to the Director of Internal Audit and the Associate
CIO. Progress will be reported in the form of a written status report
based upon the approved audit plan.
- The OIT internal auditor will
use the OSC standard work paper binder, and reporting policies in
conducting audits and reviews.
- As reviews are completed, the
work paper binder and draft reports will be provided to the OSC Director
of Internal Audit for a first level review.
- A second level of review will
be conducted by the Associate State Controller.
- Once the second level of review
is completed and signed off on, a final draft report will be prepared.
This report will be submitted to the State Controller, CIO and Associate
CIO for review.
- A final report will be
prepared. This report will be presented to the Commissioner of the
Department of Administrative and Financial Services jointly from the State
Controller and the CIO, as appropriate.
- The CIO will respond to audit
findings promptly with an appropriate corrective action plan.
- The OIT Internal Auditor is
responsible to set a timeline for corrective action follow up and to
report results of the follow up to the OSC and the CIO.
- Types of Engagement
- Internal Audit/Review
- Finding/issue (not from
- Examinations of potential
instances of Fraud(refer to OSC Internal Audit Division)
The auditor will create a written
planning document and audit program.
The auditor will meet with the
management responsible for the area being reviewed (entrance conference),
present the audit program and describe the expected responsibilities of all
parties during the conduct of the review.
A preliminary draft report will be
issued to operating management to be reviewed for errors and to solicit
questions or comments to be discussed at the exit conference.
An exit conference will be held to
discuss questions and concerns regarding the draft report. Changes to the
report will be discussed and agreed upon at this time.
A final draft will be prepared using
the standard reporting format taking into account any revisions necessary as a
result of the exit conference or other discussions. Management will be asked to
provide written responses to the audit findings within 10 calendar days of the
date of the letter.
will be reported in the same manner as Internal Audit/Review Engagements
described in the previous section.
(not from audits) follow-up
Depending on the nature of the issue or follow up, results may be
reported in a memo type report to the relevant
managers and directors and copied to the CIO. For some follow up work, a memo
to the CIO may be sufficient.
Internal audit activities are
legislatively defined. Internal control systems are to be developed according
to guidelines established by the State Controller and must be clearly
documented and readily available for examination. Title 5, Maine Revised
Statutes, Chapter 147 §1621, Section 4 provides further detail. Specifically
included in the statute is; areas of control systems must include internal
control procedures, internal control accountability systems and identification
of the operating cycles. Documentation of the state agency's or department's
internal control systems must appear in management directives, administrative
policy, procedures and manuals.
1. Information Internal
control systems of state agencies and departments are to be clearly documented
and readily available for examination.
2. Qualified and continuous
supervision of all transactions and significant events must be provided by
state agencies or departments to ensure that internal control objectives are
achieved. The duties of a supervisor in carrying out this responsibility
include clearly communicating the duties, responsibilities and accountabilities
assigned to each staff member, systematically reviewing each member's work to
the extent necessary and approving work at critical points to ensure that work
flows as intended.
3. Access to resources and records must be limited
to authorized individuals as determined by the state agency or department head,
except that the powers and duties of the State Auditor may not be limited by
this subsection. Restrictions on access to resources depend upon the
vulnerability of the resource and the perceived risk of loss, both of which
must be periodically assessed. The state agency or department head is
responsible for maintaining accountability for the custody and use of resources
and shall assign qualified individuals for that purpose.
4. Notwithstanding any other provision of law
relating to confidentiality of information, the State Controller is granted
access to all information in the files of any department or agency of the State
as necessary to carry out the duties of the State Controller under this
B. Internal Audit
Internal Audit is responsible for establishing and maintaining a risk-based
approach to planning, scheduling and conducting internal audit work under the
direction of the Associate CIO. The administration of the work will conform to
the standards for the professional practice of internal auditing of the Institute of Internal Auditors.
An agreed upon six month audit plan defining areas of interest and
priorities is developed by the OIT Internal Auditor and is approved by Associate
CIO. The plan is available for review by anyone at any time.
2. State of Maine Office of the
State Controller Internal Audit Division Binder/Workpaper Policy
3. State of Maine Office of the
State Controller Internal Audit Division Engagement Reporting Guidelines
4. State of Maine Office of the
State Controller Internal Audit Division General Policy
1. Document Reference Number: 36
2. Category: General/Governance
3. Adoption Date: 05/12/2009
4. Effective Date: 05/12/2009
5. Review Date: 05/12/2012
6. Point of Contact: Benson Dana, Office of Information
Technology (207) 624-8800
7. Approved By: Richard B.
Thompson, Chief Information Officer
8. Position Title(s) or Agency Responsible for Enforcement:
Associate CIO, Kathy Record.
9. Legal Citation: Title 5, Maine Revised Statutes,
Chapter 163 §1973, Section 1, Paragraph B authorizes the CIO to “set policies
and standards for the implementation and use of information and
telecommunications technologies” and Title 5, Maine Revised Statutes, Chapter
147 §1621, Section 4.
Process: Waiver requests must be submitted in writing to the Associate Chief