C.S.H.B. 2485 78(R) BILL ANALYSIS C.S.H.B. 2485 By: Hochberg State Affairs Committee Report (Substituted) BACKGROUND AND PURPOSE The 77th Legislature passed House Bill 609, which extended the internal audit requirement to all state agencies that receive an appropriation. Conducting these audits when the situation necessitates rather than annually will more judiciously use small state agency funds. The purpose of C.S.H.B. 2485 is to require small agencies to complete an annual written risk assessment, and to require the state auditor to evaluate the risk assessments and recommend audits for those with significant financial, managerial or compliance risk, or significant risk related to the use of information technology. RULEMAKING AUTHORITY It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency or institution. ANALYSIS C.S.H.B. 2485 amends Section 2102.004, Government Code, to redefine the criteria used to determine which state agencies are required to conduct a program of internal auditing. The requirement applies only to a state agency that has an annual operating budget that exceeds $10 million, has a staff of more than 100 full-time equivalent employees as authorized by the General Appropriations Act, or receives and processes more than $10 million in cash in a fiscal year. C.S.H.B. 2485 amends Chapter 2102 of the Government Code to require small state agencies that do not meet the thresholds described above to submit an annual written formal risk assessment consisting of an executive management review of financial, managerial and compliance risks to the state auditor's office, including risks related to the use of information technology. Section 2102.014 requires the state auditor to evaluate the risk assessments and recommend to the governor that those agencies with significant risk exposure obtain an audit. The governor is authorized to order those agencies to obtain an audit, submit reports and corrective action plans, and report the status of the agencies' implementation of audit recommendations to the state auditor. The governor is also authorized to fund the audits from any funds appropriated to the governor for that purpose. EFFECTIVE DATE Upon passage, or, if the Act does not receive the necessary vote, the Act takes effect September 1, 2003. COMPARISON OF ORIGINAL TO SUBSTITUTE C.S.H.B. 2485 modifies the original by requiring small agencies that are not required to conduct a program of internal auditing to include in their annual risk assessment information on risks related to the use of information technology. Additionally, the substitute authorizes, rather than requires, the governor to order audits for an agency. The substitute also adds language that authorizes the governor to order an agency to report to the state auditor the status of the agency's implementation of prior audit recommendations.