202 Ky. Admin. Regs. 3:040

Current through Register Vol. 51, No. 6, December 1, 2024
Section 202 KAR 3:040 - Internal Audit

RELATES TO: KRS 154A.020(1), 154A.030, 154A.050(2)(b), 154A.060(2)(a), (c)

NECESSITY, FUNCTION, AND CONFORMITY: KRS 154A.020(1) requires the Kentucky Lottery Corporation to be accountable to the Governor, the General Assembly, and the people of the Commonwealth through a system of audits, reports, and thorough financial disclosure. As a part of that system of accountability, KRS 154A.060(2)(c) requires the corporation to promulgate by administrative regulation a system of continuous internal audits. This administrative regulation establishes the system of continuous internal audits for the Kentucky Lottery Corporation.

Section 1. Definitions.
(1) "Board" means the Board of Directors of the corporation established by KRS 154A.030.
(2) "Internal audit department" means the department head of internal audit, together with other employees of the corporation who are designated by the president of the corporation and approved by the audit committee.
Section 2. Audit Committee.
(1) The audit committee shall consist of:
(a) No less than two (2), nor more than three (3), members of the board; and
(b) The chairman of the board, who shall serve as an ex-officio member.
(2) Members of the audit committee shall be appointed by the chairman of the board and serve until the earliest of:
(a) Their resignation or removal from the board;
(b) The expiration of their terms as members of the board; or
(c) Their resignation or removal from the audit committee by majority vote of the board.
(3) In appointing members to the audit committee, the chairman of the board shall give preference to members of the board who:
(a) Are certified public accountants or certified internal auditors; or
(b) Otherwise possess expert knowledge in auditing, accounting, business, or commerce.
(4) The members of the audit committee shall select a chairman from its members.
(5)
(a) Except as provided by paragraph (b) of this subsection, the chairman of the audit committee shall determine the date, time, and place of a meeting of the audit committee.
(b) More than two (2) regular meetings of the board shall not have occurred between meetings of the audit committee.
(6) At least one (1) member of the Internal Audit Department shall be present at a meeting of the audit committee.
(7) If requested by the audit committee, a member of the corporation management shall be present at all or a part of the meeting of the audit committee.
Section 3. Duties and Authority of the Audit Committee.
(1) The audit committee shall review the operations and financial reporting procedures of the corporation and shall report and make recommendations to the board. It shall:
(a) Review the adequacy of the corporation's system of internal control through review of audit reports and presentations at Audit Committee meetings;
(b) Review at least annually the corporation's system of risk identification, assessment, and management;
(c) Review the organizational structure of the Internal Audit Department of the corporation and the activities and qualifications of its staff;
(d)Review the findings made by the Internal Audit Department;
(e) Request a department head or other corporation personnel to discuss audit findings or issues with the audit committee, as may be necessary;
(f) Assist the president in the hiring, evaluation, promotion, and removal of the Chief Audit Executive;
(g) Review legal matters that could have a significant impact on the corporation's financial statements with the corporation's:
1. Legal counsel;
2. If deemed appropriate, outside counsel; and
3. Other personnel or entities as necessary;
(h) Review the findings of an examination of the corporation or its operations by a regulatory (or any other outside) agency;
(i) Review audits conducted by the Auditor of Public Accounts or an independent auditor selected by the Auditor of Public Accounts; and
(j) Perform other oversight functions at the request of the board.
(2)
(a) A member of the audit committee may meet with:
1. Corporation employees;
2. The Auditor of Public Accounts, and designees; and
3. Independent auditors.
(b) An employee of the corporation may request to meet with the chairman of the audit committee.
(c) The audit committee may hold a closed meeting pursuant to KRS 154A.030(7).
(3) The audit committee shall:
(a) Inform the board of its meetings and actions; and
(b) Discuss its reviews, reports, and recommendations with the board.
(4)
(a) The audit committee may institute a special investigation.
(b) In the conduct of a special investigation, the audit committee may:
1. Hire special outside counsel or experts; or
2. Utilize the services of corporation employees, officers, or directors.
(c) The audit committee shall submit a report of its findings and recommendations to the board for its action.
Section 4. Internal Audit Department.
(1) In order to assist the president, the audit committee and the management of the corporation, the internal audit department shall furnish objective analyses, appraisals, recommendations, and information concerning the operations of the corporation, through use of an annual audit plan, as follows:
(a) Review the operations of the corporation to assure compliance with the systems, and policies and procedures established to ensure conformity with the applicable statutes and administrative regulations of the Commonwealth and other applicable governmental entities;
(b) Review the operations of the corporation to assure compliance with the systems, and policies and procedures established by the corporation;
(c) Review the reliability and integrity of financial and operating information;
(d) Review and evaluate the means of safeguarding the assets of the corporation and, as appropriate, verify the existence and ownership of the assets by the corporation;
(e) Appraise the economy and efficiency of the corporation in the use of resources;
(f) Advise the management of the corporation and the board on the accounting, financial, and operational policies, procedures, and systems;
(g) Coordinate, supplement, and evaluate examinations of the corporation's activities by outside auditors, accountants, and other review teams; and
(h) Perform other oversight functions as requested by the audit committee or by the board.
(2) The internal audit department shall report to the president for administrative purposes but shall report the results of its work directly to the audit committee.
Section 5. The internal audit department shall use a risk-based method of developing an annual audit plan in the following manner:
(1) Prior to the end of each fiscal year, the department head of internal audit shall submit a proposed detailed internal audit plan for the next fiscal year for:
(a) Review by the president; and
(b) Review and approval by the audit committee.
(2) The audit committee shall forward its recommendations to the board.
(3) The department head shall initiate audits pursuant to the approved plan, as may be revised with the approval of the the audit committee.
(4) Internal audit work shall be performed in accordance with standards established by the Institute of Internal Auditors and shall include:
(a) Planning the audit;
(b) Identifying, analyzing, evaluating, and documenting the information;
(c) Communicating results; and
(d) Monitoring progress.
Section 6. Communicating Results. The internal audit department shall report on all its activities to the Audit Committee through written audit reports, periodic activity reports, and regular Audit Committee meetings.
(1) Written audit reports shall be completed at the end of each audit engagement and shall be distributed to the Audit Committee members. All applicable internal parties shall receive a copy.
(2) Written reports shall include any deficiencies noted during the engagement and shall include a description of the associated risk.
Section 7. Procedure on Loss of Assets.
(1) The internal audit department shall be notified if assets of the corporation have been, or are thought to have been, lost through defalcation or other breaches in the security, financial, or operating systems.
(2) Immediately upon receipt of a notification, the department head of internal audit shall:
(a) Request that the department head of security notify the proper authorities of the potential loss; and
(b) Consult with the Corporation's Security Department to coordinate an investigation.
(3) If the investigation reveals a loss, the internal audit department shall:
(a) Identify the weakness in financial or operating procedures that enabled the loss to occur; and
(b) Recommend to the president, the audit committee, and the board improvements to the procedures to correct the weakness.
Section 8. Internal Audit Department Authority and Limitations.
(1) The internal audit department shall have unrestricted access to all activities, records, properties, and personnel applicable to any area of the corporation under review.
(2) The department head of internal audit shall develop a policy to assure the confidentiality of all matters reviewed, unless disclosure is required by law or internal audit procedures established by this administrative regulation.
(3)
(a) The internal audit department and its members shall not have direct authority over, or responsibility for, any of the activities reviewed by it.
(b) The internal audit department and its members shall not develop or install procedures, prepare records, or engage in any other activity that could be reasonably construed to compromise its independence.
(c) If the internal audit department participates in an activity that might be construed as compromising its independence, the activity shall be reviewed by an independent external auditor, if deemed necessary by the board, or recommended by the audit committee and approved by the board.
(4) The internal audit department shall coordinate its efforts with those of the Auditor of Public Accounts and other external auditors who may be employed to achieve comprehensive, cost-effective audit coverage.
Section 9. Continuing Education.
(1) An auditor in the internal audit department shall annually obtain the same continuing education credits required by the Institute of Internal Auditors for certified internal auditors or any other acceptable certifying body including the American Institute of Certified Public Accountants (AICPA), or the Information Systems Audit and Control Association (ISACA).
(2) The head of the Internal Audit Department shall monitor compliance with the continuing education requirements established by this section.

202 KAR 3:040

22 Ky.R. 1395; Am. 1825; eff. 4-5-1996; 45 Ky.R. 2757; eff. 5-31-2019.

STATUTORY AUTHORITY: KRS 154A.050(1)(d), 154A.060(2)(c)