Internal Audit Report (California)

INTERNAL AUDIT REPORT — CALIFORNIA ENTITY

California Practice Notes

  1. Director Duty of Care (Cal. Corp. Code § 309). California corporate directors must perform duties in good faith, in a manner they believe to be in the best interests of the corporation and its shareholders, and with such care as an ordinarily prudent person in a like position would use under similar circumstances. Reliance on information, reports, and financial statements prepared by officers, employees, board committees, or independent accountants is permitted if the director acts in good faith and after reasonable inquiry when indicated.

  2. California Nonprofit Integrity Act (SB 1262, 2004). Codified at Cal. Gov. Code §§ 12585–12588, the Nonprofit Integrity Act requires:
    - Nonprofit corporations with gross revenues of $2 million or more (excluding government grants) to prepare annual financial statements audited by an independent CPA (§ 12586(e)(1));
    - An Audit Committee appointed by the board (§ 12586(e)(2));
    - CEO/CFO executive compensation to be reviewed and approved by the board or authorized committee for reasonableness (§ 12586(g)).

  3. Quasi-Foreign Corporations (§§ 2115, 2115.5). Corporations not formed under California law but meeting the § 2115 tests (majority of property, payroll, sales in California and majority of voting shares held by California residents) are subject to many provisions of California General Corporation Law.

  4. Whistleblower Protection (Cal. Lab. Code §§ 1102.5, 1102.6). The audit process must protect reporters of suspected unlawful conduct. As amended in 2021, § 1102.6 shifts the burden to the employer in retaliation cases: once the employee shows protected activity was a contributing factor, the employer must prove by clear and convincing evidence it would have taken the same action anyway.

  5. CCPA / CPRA Data Audits (Cal. Civ. Code § 1798.100 et seq.). Businesses covered by the California Consumer Privacy Act, as amended by the California Privacy Rights Act, must conduct cybersecurity audits and risk assessments for high-risk processing. Regulations from the California Privacy Protection Agency apply.

  6. Attorney-Client Privilege / Work Product. To preserve privilege, internal audit reports prepared at the direction of legal counsel should be marked "PRIVILEGED AND CONFIDENTIAL — ATTORNEY-CLIENT COMMUNICATION / ATTORNEY WORK PRODUCT." California recognizes a broader privilege than federal courts in certain respects; see Costco Wholesale Corp. v. Superior Court, 47 Cal. 4th 725 (2009). Absolute privilege under Cal. Evid. Code § 954 attaches to communications; Cal. Code Civ. Proc. § 2018.030 protects absolute and qualified work product.

  7. Shareholder Inspection Rights (Cal. Corp. Code § 1601). A shareholder may inspect and copy the accounting books and records upon written demand. Audit working papers and internal reports may be discoverable in shareholder litigation unless privilege is preserved.


PRIVILEGED AND CONFIDENTIAL
ATTORNEY-CLIENT COMMUNICATION / ATTORNEY WORK PRODUCT
PREPARED AT THE DIRECTION OF [GENERAL COUNSEL / OUTSIDE COUNSEL]

INTERNAL AUDIT REPORT

Entity: [LEGAL ENTITY NAME], a [California corporation / California LLC / [OTHER STATE] corporation qualified to do business in California under Cal. Corp. Code § 2105]

California Secretary of State Entity No.: [____________________]
Principal Office: [STREET, CITY, CALIFORNIA, ZIP]
Employer ID (EIN): [____________________]

Report Period: [__/__/____] through [__/__/____]

Report Date: [__/__/____]

Audit Sponsor: [BOARD AUDIT COMMITTEE / CEO / GC]

Prepared By:

  • [LEAD INTERNAL AUDITOR NAME AND CERTIFICATIONS — CPA, CIA, CFE]
  • [SUPPORTING TEAM]

Reviewed By: [GENERAL COUNSEL / OUTSIDE CALIFORNIA COUNSEL, CA BAR NO. ____]


1. Executive Summary

1.1 Purpose. This Internal Audit Report documents an examination of [DESCRIBE SCOPE] conducted in accordance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing, the Entity's audit charter, and applicable California law.

1.2 Key Findings.

  • ☐ Finding 1: [CATEGORY — e.g., Segregation of Duties]
  • ☐ Finding 2: [CATEGORY]
  • ☐ Finding 3: [CATEGORY]

1.3 Overall Control Rating: ☐ Effective ☐ Needs Improvement ☐ Unsatisfactory

1.4 Reportable Matters. [Identify any matters requiring disclosure to the Audit Committee, to external auditors, to the California Attorney General's Registry of Charitable Trusts (for nonprofits), or to regulators.]

2. Scope and Methodology

2.1 In-Scope Areas.
☐ Financial reporting and general ledger controls
☐ Revenue recognition
☐ Cash disbursements and accounts payable
☐ Payroll and wage compliance (Cal. Lab. Code §§ 200–2810)
☐ Executive compensation (Cal. Gov. Code § 12586(g) for nonprofits)
☐ Procurement and vendor management
☐ IT general controls and cybersecurity
☐ Consumer data privacy (Cal. Civ. Code § 1798.100 et seq.)
☐ Related-party transactions (Cal. Corp. Code § 310)
☐ Conflict-of-interest policy compliance
☐ Record retention and destruction
☐ Sales and use tax (Cal. Rev. & Tax. Code §§ 6001 et seq.)
☐ Whistleblower hotline effectiveness (Cal. Lab. Code § 1102.5)
☐ Other: [________________________________]

2.2 Out-of-Scope. [Describe any excluded areas and rationale.]

2.3 Methodology. Procedures included document review, walkthroughs, transactional testing (sample size [____]), interviews with [____] personnel, IT systems examination, and analytical procedures. Working papers are retained under attorney-client privilege per Section 12 below.

3. Control Environment

3.1 Governance Structure. [Describe board composition, Audit Committee per Cal. Gov. Code § 12586(e)(2) if a nonprofit, Audit Committee charter.]

3.2 Tone at the Top. [Assessment of management's communication of ethical values.]

3.3 Delegation of Authority. [Review of delegation matrix and execution of authority within § 309 duty-of-care framework.]

3.4 Policies Reviewed: ☐ Code of Conduct ☐ Conflicts of Interest ☐ Anti-Bribery ☐ Whistleblower ☐ Data Privacy ☐ Document Retention

4. Findings

Finding 4.1 — [Title]

  • Condition: [What was observed]
  • Criteria: [Policy, law, or standard violated — cite the specific California statute, e.g., "Cal. Lab. Code § 226(a) requires itemized wage statements with [nine required elements]"]
  • Cause: [Why the deficiency exists]
  • Effect: [Impact and potential California liability exposure, including PAGA exposure under Cal. Lab. Code § 2698 if wage-related]
  • Risk Rating: ☐ High ☐ Medium ☐ Low
  • Recommendation: [Corrective action]
  • Management Response: [________________________________]
  • Owner / Target Date: [NAME] / [__/__/____]

Finding 4.2 — [Title]

[Repeat format above]

Finding 4.3 — [Title]

[Repeat format above]

5. California Wage & Hour Compliance Review (If Applicable)

5.1 Itemized Wage Statements (Cal. Lab. Code § 226). Sampled [____] wage statements. ☐ Compliant ☐ Non-compliant. Identified deficiencies expose Entity to statutory penalties of $50 for the first violation and $100 for each subsequent violation per employee per pay period, up to $4,000, plus costs and attorney fees, plus PAGA civil penalties.

5.2 Meal and Rest Periods (Cal. Lab. Code §§ 226.7, 512; Wage Orders). ☐ Compliant ☐ Non-compliant. Missed meal/rest periods require one hour of premium pay per day (Donohue v. AMN Services, LLC, 11 Cal. 5th 58 (2021); Naranjo v. Spectrum Security Services, 13 Cal. 5th 93 (2022) — premium pay itself counts as wages).

5.3 Final Pay (Cal. Lab. Code §§ 201–203). ☐ Compliant. Waiting-time penalties of up to 30 days' wages for willful failure.

5.4 Independent Contractor Classification (Cal. Lab. Code § 2775 — ABC test under Dynamex and AB 5). ☐ Compliant ☐ Non-compliant.

5.5 Expense Reimbursement (Cal. Lab. Code § 2802). ☐ Compliant.

6. California Data Privacy Review (If Applicable)

6.1 CCPA / CPRA Applicability. Entity meets threshold of $26,625,000 gross revenue / 100,000+ consumers / 50%+ revenue from sale of personal information: ☐ Yes ☐ No

6.2 Consumer Rights Request Handling. ☐ Right to Know ☐ Right to Delete ☐ Right to Correct ☐ Right to Limit Use of Sensitive PI ☐ Right to Opt-Out of Sale/Share. Response rate: [____] %.

6.3 Service Provider / Contractor Agreements. Contain required CCPA § 1798.140 clauses: ☐ Yes ☐ No

6.4 Cybersecurity Audit (CPRA-Mandated for High-Risk Processing). ☐ Complete ☐ Pending

6.5 Data Breach Response. Compliance with Cal. Civ. Code § 1798.82 breach notification: ☐ Policy in place ☐ Tested

7. Whistleblower / Hotline Review

7.1 Hotline availability meets Cal. Lab. Code § 1102.5 standards (anonymous, multilingual): ☐ Yes ☐ No

7.2 Reports received during period: [____]

7.3 Investigation protocol tested for independence and retaliation protection under Cal. Lab. Code § 1102.6 (employer burden: clear and convincing evidence): ☐ Satisfactory

7.4 Whistleblower poster posted per Cal. Lab. Code § 1102.8: ☐ Yes

8. Related-Party Transactions (Cal. Corp. Code § 310 / Cal. Corp. Code § 5233 for nonprofits)

8.1 Related-party transactions identified: [____]

8.2 All approvals compliant with § 310 (disclosure to disinterested directors or shareholders, fairness): ☐ Yes ☐ No

8.3 Nonprofit "self-dealing transactions" under Cal. Corp. Code § 5233 approved by disinterested directors with finding of fairness and absence of more advantageous alternative: ☐ Yes ☐ N/A

9. Executive Compensation Review (Nonprofit — Cal. Gov. Code § 12586(g))

☐ CEO / CFO compensation reviewed and approved by the Board or authorized committee.
☐ Comparability data obtained and documented (intermediate sanctions analog).
☐ Contemporaneous written documentation retained.

10. Recommendations and Action Plan

# | Finding | Risk | Recommendation | Owner | Target Date
1 | [____] | [H/M/L] | [____] | [____] | [__/__/____]
2 | [____] | [H/M/L] | [____] | [____] | [__/__/____]
3 | [____] | [H/M/L] | [____] | [____] | [__/__/____]

11. Management Representation

The undersigned officer of the Entity hereby represents that (a) all material information requested in connection with this audit has been provided; (b) no fraud or suspected fraud by management or employees involving material internal controls has been concealed; and (c) there are no known violations of California law that have not been disclosed to internal audit and counsel.

Signature: [________________________________]
Name: [____________________]
Title: [____________________]
Date: [__/__/____]

12. Privilege and Confidentiality

This Report is a privileged communication prepared at the direction of counsel in reasonable anticipation of litigation and for the purpose of providing legal advice. It is protected by:

  • The attorney-client privilege (Cal. Evid. Code §§ 952, 954; Costco Wholesale Corp. v. Superior Court, 47 Cal. 4th 725 (2009));
  • The absolute work-product doctrine (Cal. Code Civ. Proc. § 2018.030(a));
  • The qualified work-product doctrine (Cal. Code Civ. Proc. § 2018.030(b));
  • Trade-secret privilege (Cal. Evid. Code § 1060) as to proprietary methodology and data;
  • The self-critical analysis protection recognized in certain contexts under California law.

Distribution is limited to the Audit Committee, General Counsel, outside California counsel, and such officers as explicitly listed on the distribution page. Reproduction or further distribution requires written approval of the General Counsel. Shareholders asserting inspection rights under Cal. Corp. Code § 1601 should be directed to counsel before any production.

13. Distribution List

Recipient | Title | Delivery
[____________] | Audit Committee Chair | [__/__/____]
[____________] | General Counsel | [__/__/____]
[____________] | CEO | [__/__/____]
[____________] | CFO | [__/__/____]

14. Signatures

Prepared by:

[________________________________]
[LEAD AUDITOR NAME, CPA/CIA]
Date: [__/__/____]

Reviewed by:

[________________________________]
[GENERAL COUNSEL / OUTSIDE COUNSEL NAME]
California State Bar No. [____________________]
Date: [__/__/____]


Sources and References

  • Cal. Corp. Code §§ 309, 310, 1502, 1601, 2105, 2115, 2115.5, 5233, 5235
  • Cal. Gov. Code §§ 12585–12588 (Nonprofit Integrity Act)
  • Cal. Lab. Code §§ 200–2810, 226, 226.7, 512, 1102.5, 1102.6, 1102.8, 2775, 2802, 2698 (PAGA)
  • Cal. Civ. Code §§ 1798.82, 1798.100 et seq. (CCPA/CPRA)
  • Cal. Rev. & Tax. Code §§ 6001 et seq.
  • Cal. Bus. & Prof. Code § 17200
  • Cal. Evid. Code §§ 952, 954, 1060
  • Cal. Code Civ. Proc. § 2018.030
  • Costco Wholesale Corp. v. Superior Court, 47 Cal. 4th 725 (2009)
  • Dynamex Operations West, Inc. v. Superior Court, 4 Cal. 5th 903 (2018)
  • Donohue v. AMN Services, LLC, 11 Cal. 5th 58 (2021)
  • Naranjo v. Spectrum Security Services, 13 Cal. 5th 93 (2022)
  • California Attorney General's Guide for Charities; Registry of Charitable Trusts
  • IIA International Standards for the Professional Practice of Internal Auditing

About This Template

Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026