§ 2932. Internal audit responsibilities. 1. The governing board of each covered authority or its designee shall determine, and periodically review the determination of, whether an internal audit function within the covered authority is required. Establishment of such function shall be based upon an evaluation of exposure to risk, costs and benefits of implementation, and any other factors that are determined to be relevant. In the event it is determined that an internal audit function is required, the governing board of each covered authority shall establish an internal audit function which operates in accordance with generally accepted professional standards for internal auditing. Any such internal audit function shall be directed by an internal audit director who shall report directly to the governing board of the authority. Internal audit director appointments shall be based on appropriate internal auditing credentials of the proposed appointee, consistent with generally accepted standards for internal auditing, including internal auditing education and experience. The internal audit function shall evaluate the authority's internal controls and operations, identify internal control weaknesses that have not been corrected and make recommendations to correct these weaknesses.

2. In the event the governing board does not establish an internal audit function pursuant to subdivision one of this section it shall nevertheless establish and maintain the program of internal control review required by section twenty-nine hundred thirty-one of this title.