Department of Administrative Services outlines internal-audit standards, three-lines model and recent agency compliance gains
Summary
Eli Ritchie, DAS chief internal auditor and statewide internal audit coordinator, told the House Rules Committee that internal audit functions in Oregon now show higher compliance, described statutory requirements for agency internal audits and explained how internal and external audits collaborate under different standards.
Eli Ritchie, chief audit executive for the Department of Administrative Services and the statewide internal audit coordinator, briefed the House Rules Committee Feb. 26 on the role of internal audit in state agencies, how it differs from external audits, and how the functions can work together.
Ritchie described internal audit as governed by the Institute of Internal Auditors standards (the “Red Book” for internal audit) and contrasted that with the Secretary of State’s use of GAO Yellow Book standards for external audit work. He emphasized three quality elements: independence, objectivity and documented standards for work and peer review.
Ritchie explained that Oregon statute and administrative rules require a dual reporting structure for internal auditors — administrative reporting to agency leadership at a sufficiently senior level and functional reporting to an audit committee that must include external members. He said internal auditors must maintain “operational separation” so they do not audit their own operational work and that auditors are granted “full access” to agency systems and records to perform required work.
Ritchie described differences in flexibility: internal auditors, embedded in agencies, can more nimbly address emerging risks and provide advisory work than an external constitutional auditor who must plan multi-month engagements. He said internal auditors perform annual enterprise risk assessments, develop audit plans, produce governance and risk audits at least every five years, and undergo an external assessment every five years.
Ritchie also discussed history and compliance: Oregon adopted optional guidance in 1991, made aspects mandatory in 1993, strengthened statute in 2005 and rules in 2006. He said his team’s most recent annual report finds agencies at the “highest level of compliance and performance for their internal audit functions in the history that we have for state government.”
Representative Bossard Davis and others questioned how independence is preserved in public-sector employment (hiring, discipline and compensation). Ritchie said statutory dual reporting, audit committees with external members, documented standards and periodic external assessment together create independence safeguards, but he acknowledged practical challenges and said DAS is reviewing whether additional policy guidance is needed.
Ritchie noted that ODOT’s internal audit function is a special statutory case and can sometimes produce audits that resemble external work, and that internal audit findings often inform external audit risk assessments. He described the three-lines-of-defense model (management, quality/compliance functions, and internal/external audit) as a useful framework for assigning oversight roles.
Ritchie closed by offering to provide follow-up about specific agency hiring/termination practices for chief audit executives and said DAS is positioned to provide guidance and statewide coordination rather than operational oversight of agency internal auditors.
