(a) Based on risk assessment and subject to the legislative audit committee’s approval of including the work described by this subsection in the audit plan under Section 321.013(c), the state auditor shall:
(1) evaluate each report submitted under Section 2102.013;
(2) identify agencies with significant financial, managerial, or compliance risk or significant risk related to the use of information technology; and
(3) recommend to the governor that the identified agencies obtain an audit to address the significant risks identified by the state auditor.
(b) The governor may order an agency identified under this section to:
(1) obtain an audit under governmental auditing standards;
(2) submit reports and corrective action plans as prescribed by Section 2102.0091; and
(3) report to the state auditor the status of the agency’s implementation of audit recommendations in the form and addressing issues as prescribed by the state auditor.
(c) The governor may provide funds to agencies as necessary to pay the costs of audits ordered under this section from any funds appropriated to the governor for this purpose.