Texas Internal Audit Report (SOX / TDPSA / TCHRA / Franchise Tax)
TEXAS INTERNAL AUDIT REPORT
CONFIDENTIAL – ATTORNEY-CLIENT PRIVILEGED / ATTORNEY WORK PRODUCT (IF PREPARED AT DIRECTION OF COUNSEL)
COMPANY: [________________________________]
REPORT NO.: [____________]
AUDIT PERIOD: [__/__/____] to [__/__/____]
REPORT DATE: [__/__/____]
AUDIT TYPE: ☐ Financial ☐ Operational ☐ IT / Cybersecurity ☐ Compliance ☐ Franchise Tax ☐ TDPSA Privacy ☐ Employment ☐ AML/KYC
1. EXECUTIVE SUMMARY
1.1 Audit Objective. To evaluate the design and operating effectiveness of [Company]'s internal controls over [specify: financial reporting / data privacy / employment practices / Texas franchise tax compliance / [other]] during the audit period in conformity with: (a) the IIA International Professional Practices Framework; (b) COSO 2013 Internal Control – Integrated Framework; (c) applicable Texas statutes; and (d) federal law to the extent applicable.
1.2 Scope. [Describe systems, processes, locations, entities, and transactions examined. Identify Texas operations, Texas employees, Texas-situs assets, and Texas nexus activities.]
1.3 Overall Opinion: ☐ Satisfactory ☐ Needs Improvement ☐ Unsatisfactory ☐ Critical
1.4 Key Findings:
- [________________________________]
- [________________________________]
- [________________________________]
2. TEXAS-SPECIFIC COMPLIANCE MATRIX
2.1 Texas Data Privacy and Security Act (TDPSA) – Tex. Bus. & Com. Code Ch. 541
The TDPSA (effective July 1, 2024) applies to any person that (a) conducts business in Texas or produces products/services consumed by Texas residents; (b) processes or engages in the sale of personal data; and (c) is not a "small business" under the U.S. SBA standard (with limited exceptions).
| Control Area | Requirement | Status | Finding Ref |
|---|---|---|---|
| Privacy Notice (§ 541.102) | Reasonably accessible, clear notice describing categories of data processed and shared | ☐ Compliant ☐ Gap ☐ N/A | [______] |
| Consumer Rights Response (§ 541.051) | Access, correction, deletion, portability, opt-out within 45 days | ☐ Compliant ☐ Gap ☐ N/A | [______] |
| Sensitive Data Consent (§ 541.101(b)) | Explicit opt-in for sensitive data (biometric, precise geolocation, health, racial/ethnic origin, immigration status, citizenship, genetic, children) | ☐ Compliant ☐ Gap ☐ N/A | [______] |
| Sale/Targeted Advertising Disclosure (§ 541.102(c)) | Specific "We may sell your sensitive personal data" / "We may sell your biometric personal data" notices where applicable | ☐ Compliant ☐ Gap ☐ N/A | [______] |
| Data Protection Assessments (§ 541.105) | Data protection assessments for targeted advertising, sale, profiling, and sensitive data | ☐ Compliant ☐ Gap ☐ N/A | [______] |
| Data Processing Agreements (§ 541.104) | Contracts with processors incorporating required TDPSA terms | ☐ Compliant ☐ Gap ☐ N/A | [______] |
| Cure Period Awareness | 30-day cure period from OAG notice before enforcement (§ 541.155) | ☐ Compliant ☐ Gap ☐ N/A | [______] |
2.2 Data Breach Notification – Tex. Bus. & Com. Code § 521.053
| Requirement | Status | Finding Ref |
|---|---|---|
| Notice to affected Texans without unreasonable delay, not later than 60 days after determination of breach | ☐ | [______] |
| Notice to Texas Attorney General (if 250+ Texans affected), including detailed description, number affected, measures taken, and law-enforcement involvement | ☐ | [______] |
| Credit-reporting agency notice (if 10,000+ affected) | ☐ | [______] |
| Reasonable security procedures maintained (§ 521.052) | ☐ | [______] |
2.3 Employment – Texas Commission on Human Rights Act (Tex. Lab. Code Ch. 21)
Texas applies TCHRA to employers with 15 or more employees (§ 21.002(8)) and enforces claims through the Texas Workforce Commission – Civil Rights Division. The charge-filing deadline is 180 days from the alleged unlawful employment practice (§ 21.202). The federal Pregnant Workers Fairness Act (PWFA) and the Texas at-will doctrine also apply.
| Control | Status |
|---|---|
| EEO/anti-harassment policy distributed to all employees | ☐ |
| Mandatory sexual harassment training (Tex. Lab. Code § 21.1065 requires prompt action within 15 days of complaint under 2021 amendments) | ☐ |
| I-9 completeness and E-Verify enrollment (mandatory for Texas state contractors/grantees under Executive Order RP-80; Tex. Gov't Code § 673.002 for certain state agencies) | ☐ |
| Texas Payday Law (Tex. Lab. Code Ch. 61) – wage payment intervals and final pay within 6 days of involuntary termination | ☐ |
| Workers' compensation subscription or non-subscriber notice to TDI-DWC (Tex. Lab. Code § 406.004) | ☐ |
| Texas Biometric Information Act (Tex. Bus. & Com. Code § 503.001) – consent for capturing employee biometric identifiers | ☐ |
2.4 Texas Franchise (Margin) Tax – Tex. Tax Code Ch. 171
| Control | Status |
|---|---|
| Annual Report and Public Information Report timely filed by May 15 (§ 171.203) | ☐ |
| Correct computation of Total Revenue, COGS or Compensation deduction (§ 171.101) | ☐ |
| No-tax-due threshold monitored ($2.47M for reports originally due in 2024, indexed) | ☐ |
| EZ computation election (if eligible, § 171.1016) | ☐ |
| Nexus analysis for combined reporting (§ 171.1014) | ☐ |
| Certificate of Account Status maintained in good standing | ☐ |
2.5 Texas Securities Act – Tex. Gov't Code Ch. 4001 et seq. (formerly Tex. Rev. Civ. Stat. art. 581)
Effective January 1, 2022, the Texas Securities Act was recodified into Government Code Chapter 4001. Key compliance points:
| Control | Status |
|---|---|
| Dealer/agent registration with Texas State Securities Board (§ 4004.051) | ☐ |
| Securities registration or valid exemption documented (§ 4003.001) | ☐ |
| Notice filings for federally covered securities (§ 4004.251) | ☐ |
| Advertising compliance with 7 TAC § 139 | ☐ |
2.6 Sarbanes-Oxley (if public company or subsidiary)
| SOX Section | Control | Status |
|---|---|---|
| § 302 | CEO/CFO certification of quarterly/annual reports | ☐ |
| § 404(a) | Management ICFR assessment | ☐ |
| § 404(b) | Auditor attestation (non-accelerated filers exempt) | ☐ |
| § 906 | Criminal certification | ☐ |
| § 301 | Whistleblower hotline and audit committee independence | ☐ |
3. DETAILED FINDINGS
Finding [F-01]: [Title]
Condition: [What the auditor observed.]
Criteria: [The Texas statute / policy / standard violated or deviated from – cite section.]
Cause: [Root cause analysis.]
Effect: [Impact: financial, regulatory, legal, reputational; quantify exposure.]
Risk Rating: ☐ Critical ☐ High ☐ Medium ☐ Low
Recommendation: [Corrective action.]
Management Response: [________________________________]
Responsible Owner: [________________________________]
Target Completion: [__/__/____]
[Repeat Findings F-02 through F-__.]
4. TEXAS WHISTLEBLOWER CONSIDERATIONS
4.1 Texas Whistleblower Act. Tex. Gov't Code Ch. 554 applies to state and local governmental employers and prohibits retaliation against a public employee who in good faith reports a violation of law to an appropriate law enforcement authority. Statute of limitations: 90 days (§ 554.005).
4.2 Private-Sector Retaliation. Texas recognizes a narrow common-law Sabine Pilot cause of action for wrongful termination solely for refusing to perform an illegal act (Sabine Pilot Serv. v. Hauck, 687 S.W.2d 733 (Tex. 1985)).
4.3 SOX § 806. Federal whistleblower protection for publicly traded companies, administered by OSHA; 180-day statute of limitations for complaint.
5. MANAGEMENT ACTION PLAN
| # | Finding | Action Owner | Target Date | Status |
|---|---|---|---|---|
| 1 | [____] | [____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Closed |
| 2 | [____] | [____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Closed |
| 3 | [____] | [____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Closed |
6. DISTRIBUTION AND CONFIDENTIALITY
This Report is distributed to:
- [Audit Committee Chair]
- [Chief Executive Officer]
- [Chief Financial Officer]
- [General Counsel]
- [External auditor – if required]
Confidentiality. This Report is confidential and, if prepared at the direction of counsel in anticipation of litigation or for the purpose of seeking legal advice, is protected by the attorney-client privilege and the attorney work-product doctrine (Tex. R. Civ. P. 192.5). Unauthorized disclosure is prohibited.
7. CERTIFICATION
The undersigned, in their capacity as [Chief Audit Executive / Internal Audit Director], certifies that this Report has been prepared in accordance with the IIA Standards and reflects the audit team's independent and objective assessment.
_______________________________________
[NAME], [CREDENTIAL: CPA / CIA / CISA]
Chief Audit Executive
Date: [__/__/____]
Sources and References
- Tex. Bus. & Com. Code Ch. 541 – TDPSA – https://statutes.capitol.texas.gov/Docs/BC/htm/BC.541.htm
- Tex. Bus. & Com. Code § 521.053 – Breach Notification
- Tex. Lab. Code Ch. 21 – TCHRA
- Tex. Tax Code Ch. 171 – Franchise Tax
- Tex. Gov't Code Ch. 4001 – Texas Securities Act
- Tex. Bus. & Com. Code § 503.001 – Biometric Information
- Sabine Pilot Serv. v. Hauck, 687 S.W.2d 733 (Tex. 1985)
- IIA International Professional Practices Framework – https://www.theiia.org/
About This Template
Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026