BILL NUMBER: SB 1452 CHAPTERED 09/25/06 CHAPTER 452 FILED WITH SECRETARY OF STATE SEPTEMBER 25, 2006 APPROVED BY GOVERNOR SEPTEMBER 25, 2006 PASSED THE SENATE AUGUST 24, 2006 PASSED THE ASSEMBLY AUGUST 17, 2006 AMENDED IN ASSEMBLY JUNE 21, 2006 AMENDED IN SENATE MAY 26, 2006 AMENDED IN SENATE MAY 9, 2006 AMENDED IN SENATE APRIL 18, 2006 AMENDED IN SENATE MARCH 27, 2006 INTRODUCED BY Senator Speier FEBRUARY 23, 2006 An act to amend Sections 1236 and 1237 of, to add Section 8546.2 to, to add Article 4 (commencing with Section 8548.7) to Chapter 6.5 of Division 1 of Title 2 of, and to add Part 3.5 (commencing with Section 13885) to Division 3 of Title 2 of, the Government Code, and to amend Sections 11752.5 and 11873 of the Insurance Code, relating to state audits. LEGISLATIVE COUNSEL'S DIGEST SB 1452, Speier State audits. (1) Existing law requires that the Controller, the Director of Finance, and the respective staffs of all state agencies that have their own internal auditors or that conduct internal audits or internal audit activities, and all city, county, city and county, and district employees that conduct internal audits or internal audit activities of those respective agencies, utilize the general and specified standards of internal auditing specified in a publication of the Institute of Internal Audits. This bill would, with respect to cities, counties, cities and counties, and district employees, delete the references to internal auditors, internal audits, and internal audit activities, and instead refer to auditors, audits, and audit activities. It would require state and local entities to instead conduct their work under the general and specified standards prescribed by the Institute of Internal Auditors or the Government Auditing Standards issued by the Comptroller General of the United States, as appropriate, and except as specified. (2) Existing law sets forth the duties and authority of the State Auditor generally in conducting audit activities on behalf of the state. This bill would require the State Auditor to request that any state or local agency, or any publicly created entity, that is the subject of an audit conducted under these provisions to provide updates on its progress in implementing the recommendations made by the State Auditor, at intervals prescribed by the State Auditor. It would require state agencies to provide these updates to the State Auditor. This bill would enact the Omnibus Audit Accountability Act of 2006, to require the State Auditor to, by January 15th of each year, report to specified entities with respect to each state agency audit recommendation it has made that is more than one year old and that has not been implemented by the affected agency. It would require any state agency that is notified by the State Auditor that it has not implemented a recommendation made pursuant to this chapter more than one year prior, to provide specified information in that regard. (3) Existing law requires all state and local agencies with an aggregate spending of $50,000,000 or more annually to consider establishing an ongoing internal audit function. The bill instead would require state and local agencies with that aggregate annual spending amount to consider establishing an ongoing audit function, and would require any governing body that oversees a state agency that performs or reviews internal audits to establish an audit committee, subject to specified criteria. It would set forth the requirements for reporting audit findings and recommendations by chief internal auditors, and specifically provide that an individual reporting certain information under these provisions is protected under provisions of law protecting state employees from retaliation for reporting waste, fraud, or abuse. (4) Existing law exempts the State Compensation Insurance Fund from certain provisions of law applying to state agencies, with specified exceptions. This bill would specify that the fund is subject to the provisions of law governing audits by the State Auditor. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. Section 1236 of the Government Code is amended to read: 1236. (a) All city, county, city and county, and district employees that conduct audits or that conduct audit activities of those respective agencies shall conduct their work under the general and specified standards prescribed by the Institute of Internal Auditors or the Government Auditing Standards issued by the Comptroller General of the United States, as appropriate. The standards generally provide as follows: (1) That auditors should be independent of the activities they audit. (2) That audits should be performed with proficiency and due professional care. (3) That the scope of the audit should encompass the examination and evaluation of the adequacy and effectiveness of the organization' s system of internal control and the quality of performance in carrying out assigned responsibilities. (4) That audit work should include planning the audit, examining and evaluating information, communicating results, and following up. (5) That the chief auditor should properly manage the auditing department. (b) Nothing in this section is intended to limit the rights or obligations of auditors to conduct audits and audit activities in accordance with other laws and regulations that may apply to a particular entity, as appropriate. SEC. 1.5. Section 1237 of the Government Code is amended to read: 1237. All state and local agencies with an aggregate spending of fifty million dollars ($50,000,000) or more annually shall consider establishing an ongoing audit function. SEC. 2. Section 8546.2 is added to the Government Code, to read: 8546.2. (a) The State Auditor shall request that any state agency, as defined in Section 11000, whether created by the California Constitution or otherwise, any local governmental agency, including any city, county, city and county, school, or special district, or any publicly created entity, that is the subject of an audit conducted pursuant to this chapter provide updates on its progress in implementing the recommendations made by the State Auditor, at intervals prescribed by the State Auditor. (b) Any state agency described in subdivision (a) shall provide the State Auditor, in the form prescribed by the State Auditor, with updates on implementation of recommendations as described in subdivision (a). SEC. 3. Article 4 (commencing with Section 8548.7) is added to Chapter 6.5 of Division 1 of Title 2 of the Government Code, to read: Article 4. Omnibus Audit Accountability Act of 2006 8548.7. This article shall be known and may be cited as the Omnibus Audit Accountability Act of 2006. 8548.9. (a) The State Auditor shall, by January 15th of each year, report to the Joint Legislative Budget Committee, the Joint Legislative Audit Committee, and the Department of Finance with respect to each state agency audit recommendation it has made that is more than one year old and that has not been implemented by the affected agency. (b) The report shall clearly identify the state agency audited, the audit that contained the recommendation, a brief description of the recommendation, the date it was issued, and the most recent explanation provided by the agency to the State Auditor on the status of the recommendation. (c) Any state agency that is notified by the State Auditor that it has not implemented a recommendation made pursuant to this chapter more than one year prior, shall do either of the following: (1) Provide a written report to the State Auditor, the respective policy committees and budget subcommittees of the Assembly and Senate with oversight of the agency, and the Department of Finance, explaining why the audit recommendation has not been implemented. (2) Notify all entities described in subdivision (a) that it will begin implementing the audit recommendation within 90 days of the notification by the State Auditor, and include the estimated date of implementation. SEC. 4. Part 3.5 (commencing with Section 13885) is added to Division 3 of Title 2 of the Government Code, to read: PART 3.5. INTERNAL AUDITS 13885. The Legislature finds and declares as follows: (a) Recent corporate scandals and federal legislation, such as the Sarbanes-Oxley Act of 2002 (P.L. 107-204), focus attention on the importance of internal audit activity to public accountability and governance. (b) Ensuring the independence of internal auditors of state agencies and that their findings are reported to the appropriate levels of government is critical to safeguarding public funds and the public trust. 13886. (a) Any governing body that oversees a state agency that performs or reviews internal audits shall establish an audit committee that generally meets the frameworks recommended by the American Institute of Certified Public Accountants, as set forth in the publication entitled "AICPA Audit Committee Toolkit: Government Organizations." (b) For purposes of this chapter, "governing body" means a board, commission, board of trustees, council, or other similar body that oversees a state agency. 13886.5. (a) The Controller, the Director of Finance, and the respective staffs thereof, and all state agencies that have their own internal auditors or that conduct internal audits or internal audit activities, shall conduct internal audit activity under the general and specified standards of internal auditing prescribed by the Institute of Internal Auditors or the Government Auditing Standards issued by the Comptroller General of the United States, as appropriate. (b) Nothing in this article is intended to limit the rights or obligations of internal auditors to conduct internal audits and audit activities in accordance with other laws and regulations that may apply to a particular entity. 13887. (a) In order to achieve independence and objectivity pursuant to Section 13886, for any state agency that does not report to a governing body, the internal auditor operations shall meet all of the following requirements: (1) The chief internal auditor shall be accountable to the head or deputy head of the state agency. (2) The chief internal auditor shall report audit findings and recommendations made under his or her jurisdiction to the head or deputy head of the state agency and to the general counsel to the state agency, if applicable. (3) The operations shall be organizationally outside the staff or line management function of the unit under audit. (b) In order to achieve independence and objectivity as required by the standards identified in Section 13886, for any state agency that is overseen by a governing body, the internal audit operations shall meet all of the following requirements: (1) The chief internal auditor shall be accountable to the audit committee of the governing body. (2) The chief internal auditor shall report audit findings and recommendations made under his or her jurisdiction to the audit committee and the general counsel to the governing body. (3) The operations shall be organizationally outside the staff or line management function of the unit under audit. 13887.5. (a) When the chief internal auditor of a state agency believes that senior management in the state agency has accepted a level of residual risk that may be unacceptable to the organization or that senior management has otherwise not taken appropriate action in response to a finding or recommendation by its internal auditors, the chief internal auditor shall discuss the matter with senior management and the general counsel to the state agency. If that decision regarding residual risk or the need for appropriate action in response to an audit finding or recommendation, or both, does not resolve the issue, the chief internal auditor and general counsel shall jointly report the matter to the next highest level of management as pertains to the state agency, including, but not limited to, the chair of the governing body overseeing the state agency, the agency secretary, the Governor's office, or the appropriate constitutional officer. (b) If the decision regarding residual risk or the need for appropriate action in response to an audit finding or recommendation that could have a significant impact on the state's fiscal operations, the performance of a significant government program, or the delivery of a significant government service, or other similar significant or critical government services, as determined by the chief internal auditor, is still not resolved after making the disclosures required pursuant to subdivision (a), the chief internal auditor shall report the matter to the Joint Legislative Audit Committee and the State Auditor. At the direction of the Joint Legislative Audit Committee, the State Auditor shall investigate a disclosure made pursuant to subdivision (b) and report the results of the investigation in accordance with Chapter 6.5 (commencing with Section 8543) of Division 1. The disclosure requirements of this subdivision shall not apply to any chief internal auditor who reports and makes disclosures to an audit committee, as described in subdivision (b) of Section 13887. (c) Any chief internal auditor who makes a disclosure pursuant to this section shall receive all protection available under the California Whistleblower Protection Act (Article 3 (commencing with Section 8547) of Chapter 6.5 of Division 1). 13888. (a) If an internal auditor employed by a state agency has a good faith belief that the agency management is interfering with the internal auditor's or auditors' ability to comply with the provisions of this part, that the internal auditor or auditors are under pressure to modify or limit findings or recommendations, or that senior management is not taking appropriate action in response to an audit finding or recommendation, the internal auditor may report the information supporting that good faith belief to the State Auditor. (b) The State Auditor may investigate any report made pursuant to subdivision (a) and if the allegations are substantiated, shall report his or her findings pursuant to Chapter 6.5 (commencing with Section 8545) of Division 1. (c) Any internal auditor making a report pursuant to this section shall receive all protection available under the California Whistleblower Protection Act (Article 3 (commencing with Section 8547) of Chapter 6.5 of Division 1). SEC. 5. Section 11752.5 of the Insurance Code is amended to read: 11752.5. (a) Subject to subdivision (b), a licensed rating organization shall make available any policy information contained in its records to the following: (1) The Department of Industrial Relations. (2) Any other governmental agency if the Insurance Commissioner, after consultation with the licensed rating organization, approves the release of the policy information requested to the agency. (b) The Department of Industrial Relations and any other governmental agency shall specify to the licensed rating organization, in writing, the information requested, that the information requested is to be used to facilitate the agency's performance of its constitutional or statutory duties, and that the information received will not be released to others, except in the discharge of a specific statutory or constitutional duty, or published without the prior written consent of the licensed rating organization. In addition, if the Insurance Commissioner's approval is required for the release of the policy information requested, a written copy of the approval shall be submitted to the licensed rating organization. (c) As used in this section, "policy information" means information which is contained in a workers' compensation policy, including, but not limited to, the identity and address of the employer, the identity of the insurer, the policy number, and the policy period. (d) Information obtained by a governmental agency pursuant to this section shall be confidential and not subject to public disclosure under any other law of this state. (e) No licensed rating organization or member thereof, or member of a committee of a licensed rating organization when acting in its capacity as a member of the committee, or officer or employee of a licensed rating organization, when acting within the scope of his or her employment, shall be liable to any person for injury, personal or otherwise, or damages caused or alleged to have been caused, either directly or indirectly, by the disclosure of information to a governmental agency pursuant to this section, or for the accuracy or completeness of the information so disclosed. (f) This section shall not be construed as implying the existence of liability in circumstances not defined in this section, nor as implying a legislative recognition that, except for enactment of this section, a liability has existed or would exist in the circumstances stated in this section. (g) This section shall not be construed as limiting any authority of a licensed rating organization to disclose information contained in its records to others. SEC. 6. Section 11873 of the Insurance Code is amended to read: 11873. (a) Except as provided by subdivision (b), the fund shall not be subject to the provisions of the Government Code made applicable to state agencies generally or collectively, unless the section specifically names the fund as an agency to which the provision applies. (b) The fund shall be subject to the provisions of Chapter 10.3 (commencing with Section 3512) of Division 4 of Title 1 of, and Chapter 6.5 (commencing with Section 8543) of Division 1 of Title 2 of, the Government Code, and Division 5 (commencing with Section 18000) of Title 2 of the Government Code, with the exception of all of the following provisions of that division: (1) Article 1 (commencing with Section 19820) and Article 2 (commencing with Section 19823) of Chapter 2 of Part 2.6 of Division 5. (2) Sections 19849.2, 19849.3, 19849.4, and 19849.5. (3) Chapter 4.5 (commencing with Section 19993.1) of Part 2.6 of Division 5. (c) Notwithstanding any provision of the Government Code or any other provision of law, the positions funded by the State Compensation Insurance Fund are exempt from any hiring freezes and staff cutbacks otherwise required by law. This subdivision is declaratory of existing law.