Skip Maine state header navigation

Agencies | Online Services | Help

State of Maine Seal

Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology



Internal Audit Policy 

I. Statement

In order to maintain a robust and active quality assurance and risk analysis process the Chief Information Officer (CIO) internally audit the Office of Information Technology (OIT). 

II. Purpose

Auditing the effectiveness and efficiency of information technology (IT) controls statewide ensures a robust, non-biased risk analysis is in place. The purpose of the internal audit is to review and measure the established risk management procedures and controls. Investigating documentation, management oversight, policy and corrective measures fall within the auditor’s purview.


 This policy provides guidance to OIT employees regarding OIT’s dedicated internal audit function.

III. Guidelines & Procedures

  1. Day to day direction for conducting the audit from an operational prospective will be provided by the Associate CIO in accordance with the approved audit plan. 



  1. Audit programs, procedures and content must be reviewed and accepted by the Director of Internal Audit, Associate State Controller, or State Controller.


  1. OSC will be kept informed of any other activities that impact time devoted to the audit.



  1. If the position is vacated, OSC shall be included in the hiring and selection process.


  1. Biweekly progress on audits shall be communicated to the Director of Internal Audit and the Associate CIO. Progress will be reported in the form of a written status report based upon the approved audit plan.



  1. The OIT internal auditor will use the OSC standard work paper binder, and reporting policies in conducting audits and reviews.


  1. As reviews are completed, the work paper binder and draft reports will be provided to the OSC Director of Internal Audit for a first level review.



  1. A second level of review will be conducted by the Associate State Controller.


  1. Once the second level of review is completed and signed off on, a final draft report will be prepared.  This report will be submitted to the State Controller, CIO and Associate CIO for review.



  1. A final report will be prepared.  This report will be presented to the Commissioner of the Department of Administrative and Financial Services jointly from the State Controller and the CIO, as appropriate.


  1. The CIO will respond to audit findings promptly with an appropriate corrective action plan.



  1. The OIT Internal Auditor is responsible to set a timeline for corrective action follow up and to report results of the follow up to the OSC and the CIO.


  1. Types of Engagement


    1. Internal Audit/Review Engagement 
    2. Examination/Consultation/Service
    3. Finding/issue (not from audits) follow-up
    4. Examinations of potential instances of Fraud(refer to OSC Internal Audit Division)


Internal Audit/Review Engagement

a.       The auditor will create a written planning document and audit program.

b.      The auditor will meet with the management responsible for the area being reviewed (entrance conference), present the audit program and describe the expected responsibilities of all parties during the conduct of the review.

c.       A preliminary draft report will be issued to operating management to be reviewed for errors and to solicit questions or comments to be discussed at the exit conference.

d.      An exit conference will be held to discuss questions and concerns regarding the draft report.  Changes to the report will be discussed and agreed upon at this time.

e.       A final draft will be prepared using the standard reporting format taking into account any revisions necessary as a result of the exit conference or other discussions. Management will be asked to provide written responses to the audit findings within 10 calendar days of the date of the letter.



a.       Examinations will be reported in the same manner as Internal Audit/Review Engagements described in the previous section.



Finding/issue (not from audits) follow-up

a.       Depending on the nature of the issue or follow up, results may be reported in a memo type report to the relevant managers and directors and copied to the CIO.  For some follow up work, a memo to the CIO may be sufficient.

IV. Applicability

Internal audit activities are legislatively defined. Internal control systems are to be developed according to guidelines established by the State Controller and must be clearly documented and readily available for examination. Title 5, Maine Revised Statutes, Chapter 147 §1621, Section 4 provides further detail. Specifically included in the statute is; areas of control systems must include internal control procedures, internal control accountability systems and identification of the operating cycles. Documentation of the state agency's or department's internal control systems must appear in management directives, administrative policy, procedures and manuals.

V. Responsibilities

A. OIT Management

1. Information Internal control systems of state agencies and departments are to be clearly documented and readily available for examination.

2. Qualified and continuous supervision of all transactions and significant events must be provided by state agencies or departments to ensure that internal control objectives are achieved. The duties of a supervisor in carrying out this responsibility include clearly communicating the duties, responsibilities and accountabilities assigned to each staff member, systematically reviewing each member's work to the extent necessary and approving work at critical points to ensure that work flows as intended.

3. Access to resources and records must be limited to authorized individuals as determined by the state agency or department head, except that the powers and duties of the State Auditor may not be limited by this subsection. Restrictions on access to resources depend upon the vulnerability of the resource and the perceived risk of loss, both of which must be periodically assessed. The state agency or department head is responsible for maintaining accountability for the custody and use of resources and shall assign qualified individuals for that purpose.

4. Notwithstanding any other provision of law relating to confidentiality of information, the State Controller is granted access to all information in the files of any department or agency of the State as necessary to carry out the duties of the State Controller under this subsection

B. Internal Audit

Internal Audit is responsible for establishing and maintaining a risk-based approach to planning, scheduling and conducting internal audit work under the direction of the Associate CIO. The administration of the work will conform to the standards for the professional practice of internal auditing of the Institute of Internal Auditors.

An agreed upon six month audit plan defining areas of interest and priorities is developed by the OIT Internal Auditor and is approved by Associate CIO.  The plan is available for review by anyone at any time.


VI. References

1. Title 5, Maine Revised Statutes, Chapter 147 §1621, Section 4

2. State of Maine Office of the State Controller Internal Audit Division Binder/Workpaper Policy

3. State of Maine Office of the State Controller Internal Audit Division Engagement Reporting Guidelines

4. State of Maine Office of the State Controller Internal Audit Division General Policy


VII. Document Information

1.  Document Reference Number: 36


2.  Category: General/Governance


3.  Adoption Date:  05/12/2009


4.  Effective Date:  05/12/2009


5.  Review Date: 05/12/2012


6.  Point of Contact: Benson Dana, Office of Information Technology (207) 624-8800


7. Approved By: Richard B. Thompson, Chief Information Officer


8.  Position Title(s) or Agency Responsible for Enforcement:  Associate CIO, Kathy Record.


9.  Legal Citation:  Title 5, Maine Revised Statutes, Chapter 163 §1973, Section 1, Paragraph B authorizes the CIO to “set policies and standards for the implementation and use of information and telecommunications technologies” and Title 5, Maine Revised Statutes, Chapter 147 §1621, Section 4.


10.  Waiver Process:  Waiver requests must be submitted in writing to the Associate Chief Information Officer.