Internal Auditor(s) Responsibilities
The OISC performs internal audit duties for all State entities. During audit engagements, the OISC Internal Audit Program will be responsible for the following:
- Performing internal IT audits for Executive Branch agencies;
- Providing consultation and coordination services for State entities involved in an external audit;
- Assisting with delegation/assignment of audit response and follow-up activities, particularly assignments pertaining to the WVOT;
- Monitoring or coordinating follow-up activities related to audits with which the OISC has been involved or has an interest; and
- Establishing a calendar for all audit engagements in which the OISC is involved and/or in which the WVOT is a subject; or complying with externally prescribed schedules when the OISC Internal Audit Program has been involved from the outset.
The main items needed from the client for a successful audit are cooperation and communication with the auditor. The client should aim to schedule audits three (3) to six (6) months in advance. Here are some specific examples of what the client can do to help the audit process:
- Schedule personnel for audit activities such as interviews, observation, re-performance, etc.
- Provide a secure on-site work area;
- Make the pertinent data, records, and technology resources available to the auditor(s);
- Review preliminary findings and provide requested comments in specified timeframes;
- Establish and maintain required controls;
- Share any internal control concerns with the auditor;
- Unless otherwise negotiated, provide all relevant information to auditors electronically;
- Review the audit program presented for your area, and ask questions if you don't understand why certain activities have been included or excluded;
- Be proactive in monitoring and reporting the progress of the corrective actions; and
- Provide a written response in a timely manner to the issues identified in the report, along with who will be responsible for implementing the corrective actions and when they will be completed.
All WVOT IT Auditors are bound by confidentiality standards, and are required to sign the Department of Administration Confidentiality Statement annually.
All WVOT Internal Auditors will also sign-off on WVOT-PO1001, the Information Security policy.
Information collected during an audit will only be used for official purposes and not for personal gain, in a manner contrary to law, or detrimental to the legitimate interests of the audited entity or the audit organization. This includes the proper handling of sensitive or classified information or resources.
The WVOT Internal Audit Program will only release engagement findings and recommendations to additional entities under the following circumstances: by request from the audit client, for peer review, and/or under order of subpoena. Only information specific to the request will be released.
The public’s right to the transparency of government information must maintain a balance with the proper use of that information. In addition, many government programs are subject to laws and regulations dealing with the disclosure of information. To accomplish the balance, WVOT Internal Auditors will exercise discretion in the use of information acquired in the course of duties in achieving this goal. WVOT IT Auditors will not improperly disclose any such information to third parties under any circumstances.
Internal audit reports are exempt from disclosure under the West Virginia’s Freedom of Information Act (West Virginia Code §29B-1-4). Examples of exemptions include internal memoranda or letters received or prepared by any public body; records containing specific or unique vulnerability assessments or specific or unique response plans, data, or databases; computing or telecommunications and network security records, passwords, etc.; security or disaster recovery plans, risk assessments, tests or the results of those tests, etc.