PRINTER'S NO. 1364
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL No. 1254
Session of 2023
INTRODUCED BY GROVE, GREINER, STAATS, JOZWIAK, ZIMMERMAN,
KEEFER, PICKETT, MOUL, ROWE AND GILLEN, MAY 24, 2023
REFERRED TO COMMITTEE ON STATE GOVERNMENT, MAY 24, 2023
AN ACT
Amending the act of April 9, 1929 (P.L.177, No.175), entitled
"An act providing for and reorganizing the conduct of the
executive and administrative work of the Commonwealth by the
Executive Department thereof and the administrative
departments, boards, commissions, and officers thereof,
including the boards of trustees of State Normal Schools, or
Teachers Colleges; abolishing, creating, reorganizing or
authorizing the reorganization of certain administrative
departments, boards, and commissions; defining the powers and
duties of the Governor and other executive and administrative
officers, and of the several administrative departments,
boards, commissions, and officers; fixing the salaries of the
Governor, Lieutenant Governor, and certain other executive
and administrative officers; providing for the appointment of
certain administrative officers, and of all deputies and
other assistants and employes in certain departments, boards,
and commissions; providing for judicial administration; and
prescribing the manner in which the number and compensation
of the deputies and all other assistants and employes of
certain departments, boards and commissions shall be
determined," providing for internal auditing; and imposing
duties on the Auditor General.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. The act of April 9, 1929 (P.L.177, No.175), known
as The Administrative Code of 1929, is amended by adding an
article to read:
ARTICLE XXVIII-J
INTERNAL AUDITING
Section 2801-J. Scope of article.
This article relates to internal auditing to assist
Commonwealth agencies.
Section 2802-J. Purpose.
The purpose of this article is to establish guidelines for a
program of internal auditing to assist each Commonwealth agency
by furnishing independent analyses, appraisals and
recommendations about the adequacy and effectiveness of the
Commonwealth agency's system of internal control policies and
procedures and the quality of performance in carrying out
assigned responsibilities.
Section 2803-J. Definitions.
The following words and phrases when used in this article
shall have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Administrator." The executive head or governing board or
authority of a Commonwealth agency.
"Assurance services." As follows:
(1) Activities that are designed to help accomplish
objectives by bringing a systematic and disciplined approach
to evaluate and improve risk management, control or
governance processes.
(2) The term includes an audit.
"Audit." Any of the following:
(1) A financial audit.
(2) A compliance audit.
(3) An operational audit.
(4) An effectiveness audit.
(5) An investigation.
20230HB1254PN1364 - 2 -
"Commonwealth agency." Any of the following:
(1) A department, agency, office, bureau, commission,
board, division or other entity or officer of the executive
branch of the Commonwealth. The term includes any of the
following:
(i) The Office of the Governor.
(ii) The Office of the Lieutenant Governor.
(iii) The Office of Attorney General.
(iv) The Department of the Auditor General.
(v) The Treasury Department.
(vi) An independent agency, as defined in section
102 of the act of February 14, 2008 (P.L.6, No.3), known
as the Right-to-Know Law.
(vii) An organization established by the
Constitution of Pennsylvania, a statute or an executive
order that performs or is intended to perform an
essential governmental function.
(2) A judicial agency, as defined in section 102 of the
Right-to-Know Law.
(3) A legislative agency, as defined in section 102 of
the Right-to-Know Law.
"Compliance audit." An audit to determine if:
(1) The audited entity has obligated, expended, received
and used State money in accordance with the purpose for which
that money has been appropriated or otherwise authorized by
law.
(2) The audited entity has obligated, expended, received
and used State money in accordance with any limitations,
restrictions, conditions or mandatory directions imposed by
law on those obligations, expenditures, receipts or uses.
(3) The records, books and accounts of the audited
entity fairly and accurately reflect its financial and fiscal
operations relating to the obligation, receipt, expenditure
and use of State money or money represented as being
collected for a State purpose.
(4) The collections of State revenues and receipts by
the audited entity are in accordance with applicable laws and
regulations.
(5) Money or negotiable securities or similar assets
handled by the audited entity on behalf of the State or
received from the State and held in trust by the audited
entity have been properly and legally administered.
"Consulting services." As follows:
(1) Advisory and related client service activities, the
nature and scope of which are agreed upon with the client and
are designed to add value and improve operations.
(2) The term includes counsel, advice, facilitation and
training.
"Effectiveness audit." An audit to determine, according to
established or designated program objectives, responsibilities
or duties, statutes and regulations, program performance
criteria or program evaluation standards, if:
(1) The objectives and intended benefits are being
achieved efficiently and effectively.
(2) The program duplicates, overlaps or conflicts with
another State program.
"Financial audit." An audit to determine if:
(1) The records, books and accounts of the audited
entity accurately reflect its financial and fiscal
operations.
(2) The audited entity is maintaining effective
accounting control over revenues, obligations, expenditures,
assets and liabilities.
(3) The accounting and recordkeeping of collections of
State revenues and receipts by the audited entity are fair,
accurate and in accordance with law.
(4) The accounting and recordkeeping of money or
negotiable securities or similar assets handled by the
audited entity and held in trust by the audited entity are
proper, accurate and in accordance with law.
(5) Financial, program and statistical reports of the
audited entity are fairly presented.
"Internal auditing." An independent and objective analysis
of business practices and activities through assurance services
or consulting services, or both.
"Internal auditor." An individual appointed to conduct a
program of internal auditing under this article.
"Investigation." An inquiry into:
(1) specified acts or allegations of impropriety,
malfeasance or nonfeasance in the obligation, expenditure,
receipt or use of State money; or
(2) specified financial transactions or practices that
may involve impropriety, malfeasance or nonfeasance in the
obligation, expenditure, receipt or use of State money.
"Operational audit." An audit to determine:
(1) If the audited entity is managing or utilizing
resources, including State funds, personnel, property,
equipment and space, in an economical and efficient manner.
(2) Causes of inefficiencies or uneconomical practices,
including inadequacies in management information systems,
internal and administrative procedures, organizational
structure, use of resources, allocation of personnel,
purchasing, policies and equipment.
(3) If financial, program and statistical reports of the
audited entity contain useful data and are fairly presented.
Section 2804-J. Internal auditing.
(a) Requirement.--A Commonwealth agency shall conduct a
program of internal auditing that includes:
(1) An annual audit plan that is prepared using risk
assessment techniques and that identifies the individual
audits to be conducted during the year.
(2) Periodic audits of the agency's major systems and
controls, including:
(i) Accounting systems and controls.
(ii) Administrative systems and controls.
(iii) Electronic data processing systems and
controls.
(b) Consideration.--In conducting the program of internal
auditing under subsection (a), the Commonwealth agency shall
consider methods for ensuring compliance with contract processes
and controls and for monitoring contracts.
(c) Internal auditor.--
(1) The administrator of a Commonwealth agency shall
appoint an internal auditor to conduct the program of
internal auditing under this article.
(2) An internal auditor must:
(i) Be a certified public accountant, certified
internal auditor, certified management accountant,
certified global management accountant or certified fraud
examiner.
(ii) Have at least three years of auditing
experience.
(iii) Be currently licensed or certified and be in
good standing with the respective licensing board during
the period in which the individual is engaged in auditing
as an internal auditor.
(d) Additional staff.--A Commonwealth agency shall employ
additional professional and support staff that the administrator
of the Commonwealth agency determines necessary to implement an
effective program of internal auditing.
(e) Resources.--The administrator of a Commonwealth agency
shall periodically review the resources dedicated to the program
of internal auditing and determine if adequate resources exist
to ensure that risks identified in the annual risk assessment
are adequately covered within a reasonable time frame.
Section 2805-J. Duties of internal auditor.
(a) Specific duties.--An internal auditor of a Commonwealth
agency shall:
(1) Report directly to the administrator of the
Commonwealth agency.
(2) Develop an annual audit plan for the Commonwealth
agency.
(3) Conduct audits as specified in the audit plan and
document deviations.
(4) Prepare audit reports.
(5) As follows:
(i) Conduct quality assurance reviews in accordance
with:
(A) The standards for the professional practice
of internal auditing in effect upon the effective
date of this section.
(B) The Code of Ethics contained in the
Professional Practices Framework as promulgated by
the Institute of Internal Auditors in effect upon the
effective date of this section.
(C) Generally accepted government auditing
standards.
(ii) Periodically take part in a comprehensive
external peer review.
(6) Conduct operational audits and other audits as
directed by the administrator of the Commonwealth agency.
(b) Administration.--A program of internal auditing
conducted by a Commonwealth agency must provide for the internal
auditor of the Commonwealth agency to:
(1) Have access to the administrator of the Commonwealth
agency.
(2) Be free of all operational and management
responsibilities that would impair the internal auditor's
ability to review independently all aspects of the operations
of the Commonwealth agency.
Section 2806-J. Audit plans and audit reports.
(a) Audit plan.--The annual audit plan developed by an
internal auditor of a Commonwealth agency must be approved by
the administrator of the Commonwealth agency.
(b) Audit report.--An audit report for a Commonwealth agency
must be reviewed by the administrator of the Commonwealth
agency.
Section 2807-J. Annual reports.
(a) Requirement.--No later than each November 1, an internal
auditor of a Commonwealth agency shall prepare an annual report
on the program of internal auditing of the Commonwealth agency.
(b) Form.--The Auditor General shall prescribe the proposed
form of the annual reports.
(c) Submittal.--Each report under this section shall be
submitted to:
(1) The Governor.
(2) The Auditor General.
(3) The administrator of the Commonwealth agency.
(4) The members of the General Assembly.
Section 2808-J. Periodic audits, action plans and responses.
(a) Requirement.--A Commonwealth agency shall submit a copy
of the following to the entities specified in section
2807-J(c)(1), (2) and (4):
(1) A periodic audit performed by the internal auditor
of the Commonwealth agency, no later than 30 days after the
date that the internal auditor submits the periodic audit to
the administrator of the Commonwealth agency.
(2) An action plan or other response issued by the
administrator of the Commonwealth agency in response to a
report from the internal auditor of the Commonwealth agency,
no later than 30 days after the action plan or other response
is prepared.
(b) Compelling information.--If the Commonwealth agency
fails to submit the information specified in this section, an
entity specified under section 2807-J(c)(1), (2) and (4) may
take appropriate action to compel the submittal of the
information.
Section 2809-J. Consultations.
An internal auditor of a Commonwealth agency may consult the
administrator of the Commonwealth agency, the Office of the
Governor, the Auditor General or any other Commonwealth agency
about matters affecting duties or responsibilities under this
article.
Section 2810-J. Professional development.
(a) Assistance.--The Auditor General may make available and
coordinate a program of training and technical assistance to:
(1) Ensure that internal auditors have access to current
information about internal audit techniques, policies and
procedures.
(2) Provide general technical and audit assistance to
internal auditors upon request.
(b) Reimbursement.--The Auditor General shall be entitled to
reimbursement for the costs associated with providing the
services under this section under the terms of interagency
cooperation contracts negotiated between the Auditor General and
each Commonwealth agency.
Section 2811-J. Risk assessment.
(a) Applicability.--In lieu of the procedures specified in
sections 2804-J, 2805-J, 2806-J, 2807-J, 2808-J, 2809-J and
2810-J, a Commonwealth agency may opt instead to comply with
this section if the Commonwealth agency:
(1) has an annual operating budget that is less than
$10,000,000;
(2) has fewer than 100 full-time equivalent employees;
or
(3) receives and processes less than $10,000,000 in cash
in a fiscal year.
(b) Requirement.--Each year, a Commonwealth agency shall
conduct a formal risk assessment consisting of an executive
management review of functions, activities and processes of the
Commonwealth agency.
(c) Conditions.--A risk assessment under this section must:
(1) Evaluate the probability of occurrence and the
likely effect of financial, managerial and compliance risks
and of risks related to the use of information technology.
(2) Rank risks according to the probability of
occurrence and likely effect of the risks evaluated.
(d) Submittal.--The Commonwealth agency shall submit a
report on the risk assessment to the Auditor General in the form
and at the time prescribed by the Auditor General.
(e) Evaluation.--Based on risk assessment, the Auditor
General shall:
(1) Evaluate each report submitted under this section.
(2) Identify Commonwealth agencies under this section
with significant financial, managerial or compliance risk or
significant risk related to the use of information
technology.
(3) Recommend to the administrator of a Commonwealth
agency identified under paragraph (2) that the Commonwealth
agency obtain an audit to address the significant risks
identified by the Auditor General.
(f) Duties of administrator.--The administrator of a
Commonwealth agency identified under subsection (e)(2) may order
the Commonwealth agency to:
(1) Obtain an audit under governmental auditing
standards.
(2) Submit reports and action plans as prescribed by
section 2808-J.
(3) Report to the Auditor General on the status of the
Commonwealth agency's implementation of audit recommendations
in the form and addressing issues as prescribed by the
Auditor General.
Section 2812-J. Publication.
(a) Requirement.--Consistent with the act of February 14,
2008 (P.L.6, No.3), known as the Right-to-Know Law, a
Commonwealth agency shall post on the publicly accessible
Internet website of the Commonwealth agency:
(1) The Commonwealth agency's audit plan under section
2806-J.
(2) The Commonwealth agency's annual reports under
section 2807-J.
(b) Updates.--A Commonwealth agency shall update the posting
required under this section to include:
(1) A detailed summary of the weaknesses, deficiencies,
wrongdoings or other concerns, if any, raised by the audit
plan or annual report of the Commonwealth agency.
(2) A summary of the action taken by the Commonwealth
agency to address the concerns, if any, that are raised by
the audit plan or annual report of the Commonwealth agency.
Section 2. This act shall take effect in 60 days.