SECTION I.1 AUDIT ENGAGEMENT PLANNING

Transcription

1 Audit Manual Sectin I.1 SECTION I.1 AUDIT ENGAGEMENT PLANNING Ref. Plicy and Practice Requirements IIA Standards references I.1 1 Plicy: The Head f Internal Audit shall ensure that persns assigned t each assurance r cnsulting engagement cllectively pssess the necessary knwledge, skills, and ther cmpetencies t cnduct the engagement apprpriately Prficiency and Due Prfessinal Care Engagements must be perfrmed with prficiency and due prfessinal care. I.1 2 I.1 3 Plicy: Internal Auditrs shall apply due prfessinal care thrugh adequate planning cnducted prir t assurance and cnsulting assignments Discussin: The fllwing plicies and practice requirements are designed t guide the Internal Auditrs as t the apprpriate planning prcesses t ensure they apply due prfessinal care. ASSURANCE ENGAGEMENTS Plicy: The planning recrds fr each assurance audit engagement shall cmprise: (a) preliminary survey, which recrds the results f pre audit infrmatin gathering t assist with the planning f the audit; (b) terms f reference, agreed with Center management, which sets ut the audit bjectives, scpe, perid f cverage, Practice Advisry : Prficiency and Due Prfessinal Care Standard 1220 Due Prfessinal Care Internal auditrs must apply the care and skill expected f a reasnably prudent and cmpetent internal auditr. Due prfessinal care des nt imply infallibility. Standard 2200 Engagement Planning Internal auditrs must develp and dcument a plan fr each engagement, including the scpe, bjectives, timing and resurce allcatins. Standard 2210 Audit Versin: August 15, 2009 Page I.1: 1

2 Audit Manual Sectin I.1 internal audit resurce allcatin, timing (including thse fr audit visits fr site wrk), and the audit reprting prcess; (c) audit prgrams, which recrd the tests and ther prcedures t be carried ut t meet the audit bjectives and scpe. Objectives Objectives must be established fr each engagement. I.1 3:1 Fr mst types f assurance engagements, Internal Auditrs shuld cmplete a preliminary survey t btain and analyze infrmatin t assist with the planning f the engagement, well ahead f the planned start f the engagement. Discussin: The preliminary survey may be made, r at least started, during the preparatin f the medium term and annual internal audit wrk plans, but shuld be updated r cmpleted near the time the audit is expected t start, and prir t the develpment f the prpsed audit terms f reference A preliminary survey fr an assurance engagement shuld nrmally gather infrmatin n: Cntrl envirnment the vlume f activity, bjectives, rganizatin, lcatins and prcesses t be reviewed, fr the perid t be cvered by the planned audit; plicies, plans, prcedures, laws, regulatins, and cntracts, which culd have a significant impact n peratins and reprts. Other cntrl envirnment aspects such as managerial tne and perating style, Standard 2210.A1 Audit Objectives Internal auditrs must cnduct a preliminary assessment f the risks relevant t the activity under review. Engagement bjectives must reflect the results f this assessment Standard 2201 Planning Cnsideratins In planning the engagement, internal auditrs must cnsider: The bjectives f the activity being reviewed and the means by which the activity cntrls its perfrmance; The significant risks t the activity, its bjectives, resurces, and peratins and the means by which the ptential impact f risk is kept t an acceptable level; The adequacy and effectiveness f the activityʹs risk management and cntrl prcesses cmpared t a Versin: August 15, 2009 Page I.1: 2

3 Audit Manual Sectin I.1 and assignments f respnsibility Risk assessment the risks which are being managed by the unit, lcatin r prcess and the results f any recent risk and cntrl self assessments the risk appetite f management, i.e. the accepted trade ff between cntrl and risk expsure. Cntrl activities the verall system f internal cntrls gverning the unit, lcatin r prcess (thugh nt at a detailed level, this will be examined during the audit) Mnitring the results f past internal and external audits, EPMRs, CCERs r internal reviews carried ut. Internal auditrs shuld recncile this infrmatin with that btained frm risk and cntrl selfassessments; the results (current, recent trends) f perfrmance indicatrs where available fr the unit, lcatin r prcess, r particular prblems r events which indicate vulnerabilities in the plicies, prcesses r systems t be audited. Internal auditrs shuld recncile this infrmatin with that btained frm risk and cntrl self assessments; Infrmatin and cmmunicatins the infrmatin systems being used t supprt the unit, lcatin r prcess and whether it wuld be apprpriate t include the use f cmputer assisted audit tls and ther data analysis techniques relevant cntrl framewrk r mdel; and The pprtunities fr making significant imprvements t the activityʹs risk management and cntrl prcesses. Practice Advisry : Engagement Planning Practice Advisry 2210.A1 1: Risk Assessment in Engagement Planning Standard 1220.A1 Due Prfessinal Care The internal auditr must exercise due prfessinal care by cnsidering the: Extent f wrk needed t achieve the engagementʹs bjectives. Relative cmplexity, materiality, r significance f matters t which assurance prcedures are applied. Adequacy and effectiveness f gvernance, risk management and cntrl prcesses. Prbability f significant errrs, fraud, r nncmpliance. Versin: August 15, 2009 Page I.1: 3

4 Audit Manual Sectin I.1 reprts and cmmunicatin n the unit, lcatin r prcess t be audited Others aspects which Center r unit/lcatin/prcess managers wish t see included in the audit; infrmatin n planned r pssible changes in the unit, lcatin r prcess which may influence the bjectives and scpe f the audit, r whether t prceed with the audit at all n cst benefit grunds. the Center and CGIAR plicies, and external benchmarks which will be used in the audit. Fr system implementatin audits, these may be general IT industry as well as specific (vendr r ther) system standards and benchmarks t be used in the audit assessment The preliminary survey may include walk thrughs f prcedures t gain a full understanding f the prcess and cntrls t be audited Where the assurance engagement is t audit the peratins f a reginal, cuntry r ther utreach ffice r experimental statin, the preliminary survey shuld identify the lcatin f riginal vuchers supprting the expenditures f these ffices/statins. Sme Centers require all riginal vuchers t be kept at HQ, thers allw dcument retentin. Nrmally, vucher audits shuld be cnducted n riginals nt n phtcpies kept in the ffices. Where the vuchers are sent t HQ, the audit visits may have t be planned in tw stages, ne at HQ fr vucher testing, and the ther at the ffice t cmplete ther parts f the audit. As part f the preliminary survey, the Cst f assurance in relatin t ptential benefits Standard 1220.A2 Due Prfessinal Care In exercising due prfessinal care the internal auditr must cnsider the use f technlgy based audit and ther data analysis techniques. Standard 1220.A3 Due Prfessinal Care The internal auditr must be alert t the significant risks that might affect bjectives, peratins, r resurces. Hwever, assurance prcedures alne, even when perfrmed with due prfessinal care, d nt guarantee that all significant risks will be identified. Versin: August 15, 2009 Page I.1: 4

5 Audit Manual Sectin I.1 Internal Auditr shuld hld meetings r (if the auditr is remte) cmmunicate electrnically with management respnsible fr the activity being examined. A summary f matters discussed and any cnclusins reached shuld be prepared, distributed t individuals, as apprpriate, and retained in the engagement wrking papers. These may be in the frm f electrnic mail messages. Tpics f discussin may include: Planned engagement bjectives and scpe f wrk. The timing f engagement wrk. Internal auditrs assigned t the engagement. The prcess f cmmunicating thrughut the engagement, including the methds, time frames, and individuals wh will be respnsible. Business cnditins and peratins f the activity being reviewed, including recent changes in management r majr systems. Cncerns r any requests f management. Matters f particular interest r cncern t the internal auditr. Descriptin f the internal auditing activity s reprting prcedures and fllw up prcess. Evaluating the types f risks helps Internal Auditrs decide the scpe f the audit. The internal auditr shuld cnsider management s assessment f risks relevant t the activity under review. The internal auditr will want t take int accunt: Management s wn assessment f cntrls related t risks. The reliability f management s Versin: August 15, 2009 Page I.1: 5

6 Audit Manual Sectin I.1 assessment f risk. Management s mnitring and reprting f risk issues. Management reprts f events that have exceeded the agreed limits fr risk tleratin. Whether there are risks identified by management elsewhere in the rganizatin in related activities r supprting systems that may be relevant t the activity under review. Knwing the Center management s risk appetite with regard t the unit, lcatin r prcess t be audited helps the Internal Auditr evaluate the adequacy f the cntrls in place. It may nt always be csteffective t cntrl risks t a level where residual risk is very lw, and recmmendatins which are incnsistent with this principle will likely nt add value. In determining the perid f cverage f the planned audit, the Internal Auditr shuld cnsider adpting: A perid since the last independent audit r review f the unit, lcatin r prcess; A perid which will efficiently prvide sufficient cverage t prvide a clear result in terms f the audit bjectives, fr the purpse f management making decisins n the unit, lcatin r prcess ging frward. Smetimes assurance audit engagements may be requested at shrt ntice by Center management. In these cases there may be less time t cnduct a preliminary survey but sufficient infrmatin shuld be gathered t enable a sundly based terms f reference fr the engagement t be prepared. Versin: August 15, 2009 Page I.1: 6

7 Audit Manual Sectin I.1 Where the assurance audit engagement is a standard, repetitive item in the Center s annual internal audit wrk plans (e.g. cmpliance audits f payrll, inventry cntrl and bank recnciliatins; annual internal attest audits f prject financial statements; rutine analysis f financial system transactins using audit sftware) and is carried ut either nce per year r in stages thrughut the year, the preliminary survey shuld be cnducted during the preparatin f the annual internal audit wrk plan, and can be limited t updating a standard set f planning infrmatin fr these types f audit engagements. The preliminary survey may indicate the need t cancel r pstpne the prpsed audit engagement. In such cases the Head f Internal Audit shall discuss and agree a decisin n this with Center management. The CGIAR Internal Auditing Unit is preparing standard preliminary survey questinnaires fr assurance audits f units, lcatins r prcesses which are cmmnly audited. These are intended t help Internal Auditrs efficiently carry ut the surveys, but shuld be custmized as necessary fr the particular planned engagement. The current versins f the available questinnaires are made available t all Internal Auditrs via the CGIAR IA website :2 Preliminary surveys shuld include assessment f the significance t the unit, lcatin r tpic f errrs, fraud and nn cmpliance with Center plicies, and where these are a significant factr, the engagement bjectives shuld be develped s that cntrls ver these risks are adequately cvered. Standard 2210.A2 Engagement Objectives Internal auditrs must cnsider the prbability f significant errrs, fraud, nncmpliance, and ther expsures when develping the engagement bjectives. Versin: August 15, 2009 Page I.1: 7

8 Audit Manual Sectin I.1 Discussin: Nt all audit tpics will include financial management r accunting, and s financial reprting errrs r financial fraud will nt be relevant risks fr all audits. Hwever they shuld always be relevant fr audits f financial management r accunting tpics, and audits f lcatins with these as elements. Fr many audits, cmpliance with Center r CGIAR plicies and reliability f peratinal reprting will be relevant cnsideratins. In sme cases cmpliance with hst cuntry laws, regulatins and standards will be relevant and this shuld be identified in the preliminary survey :3 When relying n audit evidence btained in a prir audit, the Internal Auditr shall perfrm audit prcedures t establish that it was crrectly interpreted, cntinues t be relevant and can be accepted fr the current audit. I.1 3:4 The Internal Auditr shall prepare a summary f results frm the preliminary survey. Practice Advisry 2210.A1 1: Risk Assessment in Engagement Planning Discussin: The summary shuld identify: Significant engagement issues and reasns fr pursuing them in mre depth. Pertinent infrmatin acquired frm all surces. Engagement bjectives, engagement prcedures, and special appraches such as cmputer assisted audit techniques. Ptential critical cntrl pints, cntrl Versin: August 15, 2009 Page I.1: 8

9 Audit Manual Sectin I.1 deficiencies, and/r excess cntrls. Whether the audit cverage will prvide reasnable r nly limited assurance Preliminary estimates f time and resurce requirements. Revised dates fr reprting phases and cmpleting the engagement. When applicable, reasns fr nt cntinuing the engagement, e.g. the cst f assurance wuld be disprprtinate t the ptential benefits, in view f the size f the activity t be audited r imminent changes which may limit r fully ffset the value t be btained frm the audit. I.1 3:5 Fllwing apprpriate internal quality review (within the Internal Audit team fr the Center), draft terms f reference fr assurance engagements, taking int accunt the results f the preliminary survey, shall be sent t the Center and direct audit client management as far ahead as pssible, s that they can cmment and make suggestins n the prpsed engagement. Discussin: The draft terms f reference shuld be issued fr cmment t audit client management by the Auditr in Charge All thse in management wh need t knw abut the engagement shuld be sent a cpy f the draft terms f reference. The CGIAR Internal Auditing Unit is preparing standard assurance audit terms f reference fr units, lcatins r prcesses which are cmmnly audited. These are intended t help Internal Auditrs efficiently prepare these dcuments, but Versin: August 15, 2009 Page I.1: 9

10 Audit Manual Sectin I.1 shuld be custmized as necessary fr the particular planned engagement. The current versins f the available standard audit terms f reference are made available t all Internal Auditrs via the CGIAR IA website. Where the assurance audit engagement is a standard, repetitive item in the Center s annual internal audit wrk plans (e.g. cmpliance audits f payrll, inventry cntrl and bank recnciliatins; annual internal attest audits f prject financial statements; rutine analysis f financial system transactins using audit sftware) and is carried ut either nce per year r in stages thrughut the year, a blanket terms f reference may be develped. If already reviewed in previus years by current audit client management and there is n requirement t change them due t system, prcess r rganizatinal changes, the terms f reference d nt need t be reissued each year as draft and final versins, but may be referred t in the annual audit wrk plan and in planning cmmunicatins with the audit client. I.1 3:6 Final terms f reference fr assurance engagements, taking int accunt cmments and suggestins received n the draft, shall be issued by the Head f Internal Audit t the Directr General (r ther designated managers where a different prtcl is agreed with the Center) ahead f the start f the audit. Discussin: The final terms f reference serve as the recrd f the agreed bjectives (including whether reasnable r limited assurance is t be prvided), scpe, resurce allcatin, Versin: August 15, 2009 Page I.1: 10

11 Audit Manual Sectin I.1 timing, details f audit visits, and reprting prcess. They als serve as the basis fr develping the audit prgrams. I.1 3:7 I.1 3:8 Internal Auditrs shall make apprpriate linkage, during the audit planning, between the assurance engagement bjectives and the risks relevant t the unit, lcatin r prcess t be audited Discussin: Engagement bjectives are brad statements develped by internal auditrs and define what the engagement is intended t accmplish. Engagement bjectives and prcedures shuld address the risks assciated with the activity under review. The risk assessments carried ut by the unit r the Center as part its enterprise risk management system shuld be cnsulted during the preliminary survey. The audit scpe, as presented in the assurance engagement terms f reference, shall be structured accrding t the COSO Integrated Cntrl Framewrk, which has been adpted by the CGIAR (see FG3). Practice Advisry 2210.A1 1: Risk Assessment in Engagement Planning Practice Advisry : Engagement Objectives Standard 2220 Engagement Scpe The established scpe must be sufficient t satisfy the bjectives f the engagement. Discussin: Nrmally, all assurance engagements shuld cver all the 5 elements f the COSO framewrk i.e. cntrl envirnment, risk analysis, cntrl activities, mnitring and infrmatin and cmmunicatins. Hwever in sme cases ne r mre elements may nt be relevant. Versin: August 15, 2009 Page I.1: 11

12 Audit Manual Sectin I.1 I.1 3:9 I.1 3:10 The audit scpe, as presented in the assurance engagement terms f reference, shall indicate the relevant systems, recrds, rganizatinal units and lcatins t be cvered in the audit, and whether the audit will invlve examinatins f such aspects in third parties wh are prviding related services t the Center. Internal auditrs shall determine apprpriate and sufficient resurces t achieve engagement bjectives. Staffing shall be based n an evaluatin f the nature and cmplexity f each engagement, time cnstraints, and available resurces. If an apprpriate match r availability f staffing t the assignment is nt pssible frm within the Internal Audit team, the Head f Internal Audit shall discuss this with Center management and agree n an alternative curse f actin (hire f an external expert, reduce scpe, defer the assignment). Standard 2220.A1 Engagement Scpe The scpe f the engagement must include cnsideratin f relevant systems, recrds, persnnel, and physical prperties, including thse under the cntrl f third parties. Standard 2230 Engagement Resurce Allcatin Internal auditrs must determine apprpriate and sufficient resurces t achieve engagement bjectives, based n an evaluatin f the nature and cmplexity f each engagement, time cnstraints, and available resurces. Discussin: In determining the resurces necessary t perfrm the engagement, evaluatin f the fllwing is imprtant: The number and experience level f the internal auditing staff required shuld be based n an evaluatin f the nature and cmplexity f the engagement assignment, time cnstraints, and available resurces. Knwledge, skills, and ther cmpetencies f the internal audit staff shuld be cnsidered in selecting internal auditrs fr the engagement. Practice Advisry : Engagement Resurce Allcatin Versin: August 15, 2009 Page I.1: 12

13 Audit Manual Sectin I.1 Training needs f internal auditrs shuld be cnsidered, since each engagement assignment serves as a basis fr meeting develpmental needs f the internal auditing activity. Cnsideratin f the use f external resurces in instances where additinal knwledge, skills, and ther cmpetencies are needed. I.1 3:11 I.1 3:12 The terms f reference shall indicate hw, when, and t whm the engagement results will be cmmunicated. Draft and final terms f reference fr assurance engagements shall include a statement that the bjectives and scpe may be mdified during the curse f the audit, in cnsultatin with Center management. Practice Advisry : Engagement Planning I.1 3:13 Discussin: The terms f reference may need t be amended during the audit, based n the results f testing, new infrmatin cming t light that was nt available during the preliminary survey phase, r agreed reductins in the audit bjectives and scpe fr ther reasns. Having this statement in the terms f reference ensures that Center and audit client management are aware f this pssibility and helps avid disputes ver the prcess. Changes t assurance audit bjectives and scpe during the curse f the audit shuld be adequately cmmunicated t management and dcumented in the audit wrking papers Versin: August 15, 2009 Page I.1: 13

14 Audit Manual Sectin I.1 I.1 3:14 Audit prgrams shall be prepared, subject t internal quality review (within the Center internal audit team) and updated during the curse f assurance audit as necessary, t guide the audit effrt and ensure adequate cverage f the agreed bjectives and scpe. The prgrams establish the prcedures fr identifying, analyzing, evaluating, and recrding infrmatin during the engagement. The prgrams shall be structured arund: the audit bjectives; the ptential risks related t the audit bjectives; and the cntrl criteria identified t measure the adequacy f preventive and detective internal cntrls and ther activities in place t mitigate the risks. Discussin: Audit planning at this level is a cntinual and iterative prcess thrughut the engagement. As a result f unexpected events, changes in cnditins, r the audit evidence btained frm the results f the audit prcedures, the Internal Auditr may need t mdify the plan. Mdificatins shuld be subject t the same internal quality cntrl as the riginal plan. Except fr sensitive engagements where cnfidentiality f the audit prcedures is desirable, assurance audit prgrams can be shared with audit clients and suggestins encuraged The CGIAR Internal Auditing Unit is preparing standard assurance audit prgrams fr units, lcatins r prcesses which are cmmnly audited. These are intended t help Internal Auditrs efficiently carry ut the audits, but shuld Standard 2240 Engagement Wrk Prgram Internal auditrs must develp and dcument wrk prgrams that achieve the engagement bjectives. Standard 2240.A1 Engagement Wrk Prgram Wrk prgrams must include the prcedures fr identifying, analyzing, evaluating, and dcumenting infrmatin during the engagement. The wrk prgram must be apprved prir t its implementatin, and any adjustments apprved prmptly. Standard 2210.A3 Cntrl Adequate criteria are needed t evaluate cntrls. Internal auditrs must ascertain the extent t which management has established adequate criteria t determine whether bjectives and gals have been accmplished. If adequate, internal auditrs must use such criteria in their evaluatin. If inadequate, internal auditrs must Versin: August 15, 2009 Page I.1: 14

15 Audit Manual Sectin I.1 be custmized as necessary fr the particular planned engagement. The current versins f the available standard audit prgrams are available t all Internal Auditrs via the CGIAR IA website. The Gd Practice Ntes prepared by the CGIAR Internal Audit Unit prvide guidance n the audit criteria t be used in the audit prgrams, based n cmmn risks assciated with the units, prcesses r lcatins that are the subject f the Ntes. The current versins f the available Gd Practice Ntes are available t all Internal Auditrs via the CGIAR IA website. wrk with management t develp apprpriate evaluatin criteria. Practice Advisry : Engagement Planning Practice Advisry : Engagement Wrk Prgram I.1 3:15 The cntrl criteria may be already well established via Center plicies and manuals. Hwever the adequacy f these fr use in the audit shall be assessed in discussin with management and evaluated against external gd practice where this is available. These external benchmarks shall be shared with and discussed with audit clients t gain their acceptance. Discussin: In sme cases the Center s plicies and manuals may nt adequately cver all risks identified in the preliminary survey, r may be ut f date. In such cases they shuld nly be used as audit criteria where suitably supplemented r updated, in discussin with audit clients. While the inputs f audit clients is imprtant, the Internal Auditr must have the final wrd n the cntrl criteria t be used in the assurance engagement, therwise there are risks f audit scpe limitatin. In the unusual situatin where Versin: August 15, 2009 Page I.1: 15

16 Audit Manual Sectin I.1 there are significant disagreements with audit clients n the cntrl criteria, these shuld be clearly identified, and the reasns fr disagreement discussed with Center management. I.1 3:16 I.1 3:17 I.1 3:18 The cntrl criteria used in the audit shall take int accunt management s risk appetite as identified in the preliminary survey. Assurance engagement prgrams shall incrprate, when relevant, audit prcedures that will test the cntrls arund the related financial accunting and reprting. Discussin: This may include, fr testing f transactins and events, the testing f financial reprting assertins fr ccurrence, cmpleteness, cutff (including treatment f accruals), accuracy and presentatin/disclsure. This may include, fr testing f balances at the end f a perid, the testing f financial reprting assertins fr existence, cmpleteness, valuatin and allcatin, and rights and bligatins Typical audits where this may be relevant are the audits f management f liquid assets, tangible assets, accunts payable and receivable, disbursements and financial system cntrls. This apprach may assist the external auditr t rely n internal audit wrk and thereby reduce their wn effrts and related cst. The assurance engagement prgram shall dcument the prcedures t be fllwed fr Versin: August 15, 2009 Page I.1: 16

17 Audit Manual Sectin I.1 cllecting, analyzing, interpreting, and dcumenting infrmatin during the engagement. This shuld include the nature and degree f testing required t achieve the engagement bjectives in each phase f the engagement. Discussin: Typical audit prcedures are: Inspectin Observatin Enquiry Cnfirmatin Recalculatin Re perfrmance Analytical prcedures I.1 4 Plicy: Assurance engagement audit prgrams shall include quality assurance plans fr the engagement I.1 5 I.1 6 CONSULTING ENGAGEMENTS Plicy: In discussins with Center management n cnsulting engagements t be included in the Center s annual internal audit wrk plans, the Head f Internal Audit shall include such engagements nly where there is internal capacity r available and affrdable utsurced assistance t cst effectively carry them ut. Plicy: The planning recrds fr each cnsulting engagement shall cmprise: (a) preliminary survey, which recrds the results f pre audit infrmatin gathering t assist with the planning f the cnsultancy; Standard 1210.C1 The chief audit executive must decline the cnsulting engagement r btain cmpetent advice and assistance if the internal auditrs lack the knwledge, skills, r ther cmpetencies needed t perfrm all r part f the engagement. Standard 2201.C1 Planning Cnsideratins Internal auditrs must establish an understanding with Versin: August 15, 2009 Page I.1: 17

18 Audit Manual Sectin I.1 (b) terms f reference, agreed with Center management, which sets ut the cnsultancy bjectives, scpe, internal audit resurce allcatin, timing (including thse fr audit visits fr site wrk), and the audit reprting prcess; (c) engagement prgrams, which recrd the prcedures t be carried ut t meet the cnsultancy bjectives and scpe. cnsulting engagement clients abut bjectives, scpe, respective respnsibilities, and ther client expectatins. Fr significant engagements, this understanding must be dcumented. Standard 2210.C1 Engagement Objectives Cnsulting engagement bjectives must address gvernance, risk management and cntrl prcesses t the extent agreed upn with the client. Standard 2220 Engagement Scpe The established scpe must be sufficient t satisfy the bjectives f the engagement. Standard 2220.A2 Engagement Scpe If significant cnsulting pprtunities arise during an assurance engagement, a specific written understanding as t the bjectives, scpe, respective respnsibilities and ther expectatins shuld be reached and the results f the cnsulting engagement cmmunicated in accrdance with cnsulting standards. Standard 2220.C1 Engagement Scpe In Versin: August 15, 2009 Page I.1: 18

19 Audit Manual Sectin I.1 I.1 6:1 Fr mst types f cnsulting engagements, Internal Auditrs shall cmplete a preliminary survey t btain and analyze infrmatin t assist with the planning f the engagement, well ahead f the start f the engagement Discussin: A preliminary survey fr a cnsulting engagement shuld nrmally gather infrmatin n: the prpsed bjectives, scpe and timing f the engagement as envisaged by the audit client the relevant Center r CGIAR plicies which will gvern the prpsed rganizatins r prcesses fr which advice will be given risk management (cntrls and ther mitigating actins) benchmarks which can be used t assess prpsed rganizatinal mdels r prcesses fr which advice will be given the cmplexity f the assignment and perfrming cnsulting engagements, internal auditrs must ensure that the scpe f the engagement is sufficient t address the agreedupn bjectives. If internal auditrs develp reservatins abut the scpe during the engagement, these reservatins must be discussed with the client t determine whether t cntinue with the engagement. Standard 1220.C1 Due Prfessinal Care The internal auditr must exercise due prfessinal care during a cnsulting engagement by cnsidering the: Needs and expectatins f clients, including the nature, timing, and cmmunicatin f engagement results; Relative cmplexity and extent f wrk needed t achieve the engagementʹs bjectives; and Cst f the cnsulting engagement in relatin t ptential benefits. Versin: August 15, 2009 Page I.1: 19

20 Audit Manual Sectin I.1 extent f wrk needed whether the cnsulting engagement is viable n cst benefit grunds Smetimes cnsulting engagements may be requested at shrt ntice by Center management. In these cases there may be less time t cnduct a preliminary survey but sufficient infrmatin shuld be gathered t enable a sundly based terms f reference fr the engagement t be prepared. I.1 6:2 I.1 6:3 The Internal Auditr shall prepare a summary f results frm the preliminary survey. Discussin: Similar items may be cvered in the summary as thse described in the discussin f practice requirement I.1 2:3 abve. Fllwing apprpriate internal quality review (within the Internal Audit team fr the Center), draft terms f reference fr cnsulting engagements, taking int accunt the results f the preliminary survey, shall be sent t the Center and direct audit client management as far ahead as pssible, s that they can cmment and make suggestins n the prpsed engagement. Discussin: The draft terms f reference shuld be issued fr cmment t audit client management by the Auditr in Charge All thse in management wh need t knw abut the engagement shuld be sent a cpy f the draft terms f reference. Versin: August 15, 2009 Page I.1: 20

21 Audit Manual Sectin I.1 I.1 6:4 Final terms f reference fr cnsulting engagements, taking int accunt cmments and suggestins received n the draft, shall be issued by the Head f Internal Audit t the Directr General (r ther designated managers where a different prtcl is agreed with the Center) ahead f the start f the engagement. Discussin: The final terms f reference serve as the recrd f the agreed bjectives, scpe, resurce allcatin, timing, details f audit visits, and reprting prcess fr the cnsulting assignment. They als serve as the basis fr develping the engagement prgrams. I.1 6:5 I.1 6:6 I.1 6:7 Cnsulting engagement bjectives shall address risks, cntrls, and gvernance prcesses t the extent agreed upn with the client. The audit scpe, as presented in the cnsulting engagement terms f reference, shall indicate the relevant systems, recrds, rganizatinal units and lcatins t be cvered in the audit, and whether the audit will invlve examinatins f such aspects in third parties wh are prviding related services t the Center. Internal auditrs shall determine apprpriate resurces t achieve cnsulting engagement bjectives. Staffing shuld be based n an evaluatin f the nature and cmplexity f each Standard 2220.A1 Engagement Scpe The scpe f the engagement must include cnsideratin f relevant systems, recrds, persnnel, and physical prperties, including thse under the cntrl f third parties. Standard 2230 Engagement Resurce Allcatin Internal auditrs must determine apprpriate and sufficient resurces t Versin: August 15, 2009 Page I.1: 21

22 Audit Manual Sectin I.1 I.1 6:8 I.1 6:9 I.1 6:10 I.1 6:11 engagement, time cnstraints, and available resurces. The terms f reference shall indicate hw, when, and t whm the engagement results will be cmmunicated. Draft and final terms f reference fr cnsulting engagements shall include a statement that the bjectives and scpe may be mdified during the curse f the engagement, in cnsultatin with Center management. Changes t cnsulting engagement bjectives and scpe during the curse f the audit shall be adequately cmmunicated t management and dcumented in the audit wrking papers Cnsulting engagement wrk prgrams shall be prepared, subject t internal quality review (within the Center internal audit team) and updated during the curse f assurance audit as necessary, t guide the engagement effrt and ensure adequate cverage f the agreed bjectives and scpe. Discussin: As cnsulting engagements are usually advisry in nature, where testing is less achieve engagement bjectives, based n an evaluatin f the nature and cmplexity f each engagement, time cnstraints, and available resurces. Practice Advisry : Engagement Resurce Allcatin Practice Advisry : Engagement Planning Standard 2240.C1 Wrk prgrams fr cnsulting engagements may vary in frm and cntent depending upn the nature f the engagement. Versin: August 15, 2009 Page I.1: 22

23 Audit Manual Sectin I.1 imprtant than analysis f prpsed rganizatinal mdels, draft plicies and prcedures, and prpsed prject management arrangement, the engagement prgrams will usually fcus mre n defining the steps fr the activities r cmpnents f the cnsultancy, rather than the cntrl criteria r audit tests. I.1 7 Plicy: Cnsulting engagement audit prgrams shall include quality assurance plans fr the engagement Versin: August 15, 2009 Page I.1: 23

24 Audit Manual Sectin I.1 Appendix 1 Sectin I.1 SAMPLE OF AUDIT TERMS OF REFERENCE REVIEW OF MANAGEMENT OF LIQUID ASSETS Terms f Reference Intrductin 1. The audit f management f liquid assets is scheduled as part f the apprved 2007 Internal Audit wrk plan fr <Center>. Liquid assets are thse cash and equivalent financial assets f the Center, which principally derive frm grants received by the Center frm dnrs, but als t a small extent frm ther incme such as interest incme earned n investments. The assets include: Mney held in bank accunts fr day t day peratinal needs <Center> headquarters currently manages xx bank accunts; and a further xx bank accunts are managed by reginal and ther utreach ffices in ther cuntries; Mney held in bank accunts r ther financial instruments t earn incme while nt required fr peratinal needs <Center> headquarters currently manages xx investment accunts; and Mney held in petty cash flats 2. The management f liquid assets relates t hw decisins n cash and equivalent financial assets f the Center are made, the plicies and prcedures arund such decisin making, the accunting and reprting f such decisins, and the physical safeguard f cash and accuntable dcuments such as check bks and receipt bks which are used in the prcess. 3. The audit will fcus n the management f liquid assets at <Center> Headquarters. The audit will hwever include the plicies and prcedures fr Headquarters versight f hw its reginal and ther utreach ffices manage liquid assets under their cntrl. Versin: August 15, 2009 Page I.1: 24

25 Audit Manual Sectin I.1 Audit Objectives 4. Review the adequacy f internal cntrl systems perating in respect f <Center> s liquid assets management t ensure that the Center fulfills its respnsibilities fr the fllwing categries: managing funds effectively and efficiently prtecting and safeguarding funds and related infrmatin ensuring timeliness and reliability f the accunting infrmatin related t the management f funds cmplying with CGIAR accunting plicies (Financial Guideline N. 2) and <Center> plicies and prcedures cncerning the management f funds, including Bard f Trustee s apprved investment and brrwing plicies Audit Scpe 5. The audit scpe is set ut belw in terms f the COSO Framewrk cntrl categries, and unless indicated belw cmpliance testing will fcus n the situatin as at the time f the audit: (a) cntrl envirnment clarity and cmmunicatin f the plicies and perfrmance measures related t the management f funds clarity f staff rles and respnsibilities adequacy f staff training in relatin t funds management (b) risk assessment extent f assessment by <Center> Finance staff f current and emerging risks affecting the management f funds (c) cntrl activities pening and clsing f accunts with financial institutins (HQ and regins) des <Center> have adequate prcedures t cntrl this? Are the dcuments related t the pening and clsing f bank accunts by headquarters r by reginal/ther ffices readily available n file at CIP headquarters? Testing f cmpliance regarding pening f accunts will be dne n a sample f currently active bank accunts. Versin: August 15, 2009 Page I.1: 25

26 Audit Manual Sectin I.1 cntrls ver bank accunt signatries (thse apprved t sign checks r funds transfer requests) and ver internet access t bank accunts, including cntrls ver electrnic instructins t the bank t make payments. reginal ffice imprest versight frm HQ (nte that imprest accunting will be reviewed in detail as part f reginal ffice audits) des <Center> Finance at Headquarters have adequate prcedures t cntrl this? Testing f cmpliance will fcus n the perid since January 1, 200X bank recnciliatins (HQ recnciliatins and mnitring f bank accunt recnciliatins carried ut in reginal ffices) are bank recnciliatins being effectively dne and recnciliatin items investigated and reslved in a timely manner? Testing f cmpliance will fcus n the mst recent bank recnciliatins. cash flw management is this being adequately handled by <Center> headquarters t ensure funds are available when needed t make payments r funds transfers at the right time management f freign currency transactins and related accunting investments (purchases and sales) and related accunting cntrl f petty cash flats des <Center> have adequate prcedures t cntrl these? Testing f cmpliance will cmprise f unscheduled (surprise) cash cunts fr petty cash flats perating in <Center> Headquarters. delegatins f authrity with regards t funds management (d) Mnitring/Infrmatin accessibility by staff t infrmatin they need t perfrm their funds management functins availability and use f infrmatin n status f cash n hand and in financial institutins, cash flw, liquidity, and investment activity. management reprts and reprts t the Audit Cmmittee/Bard n cash flw, liquidity and investment activity. Audit Methdlgy 6. In accrdance with the plicies and practice requirements f Sectin I.1 f the CGIAR IA Manual, the audit will be carried ut in 2 phases a preliminary survey phase which invlves infrmatin gathering and remte analysis fr the purpse f sharpening the audit planning; and a field wrk phase, mainly Versin: August 15, 2009 Page I.1: 26

27 Audit Manual Sectin I.1 spent n site, which invlves discussins, bservatin, testing and analysis f cntrls. Preliminary survey: btain infrmatin frm <Center> n number and types f bank accunts, ther investment accunts and cash flats; purpses f these; histrical infrmatin n amunts held and (fr imprests and cash flats) the maintained balances btain plicy and prcedural dcumentatin relating t the cntrl f funds, including Bard plicies n investments and brrwings btain cpies f recent Bard and senir management reprts n funds management review recent external audit reprts fr any bservatins n funds management and btain infrmatin frm <Center> n the status f any recmmendatins prepare r a preliminary risk inventry, and identify thse risks n which the audit culd mst efficiently fcus discuss audit scpe and pririty with <Center> management cmplete audit terms f reference Field Wrk: interview managers and staff individually t discuss strengths, weaknesses, pprtunities and threats cncerning funds management analyze the Bard and management reprting frmats t identify any imprvement pprtunities based n external gd practice review and test the prcedures fr pening and clsing bank accunts and advising check signatries review cntrls ver cheque, wire transfer and internet banking (if used) disbursement and accunt transfer transactins t ensure adequate segregatin f duties and adherence t apprved delegatins f authrity test check bank recnciliatins fr accuracy, cmpleteness and apprpriate mnitring f recnciling items review suspense, miscellaneus charges r similar accunts in the <Center> general ledger t ensure these are prperly mnitred and suspense items prmptly cleared (t validate the integrity f the bank recnciliatins) review the investment activities fr cmpliance with Bard apprved plicies Versin: August 15, 2009 Page I.1: 27

28 Audit Manual Sectin I.1 review cash flw management review strategies fr reserve management (build up, prtectin f earmarked funds apprved by the Bard fr special purpses) review management f freign exchange, including accunting treatment and strategies adpted fr hedging against adverse exchange mvements, and benefiting frm natural hedges which d nt vilate plicies against currency speculatin. review treatment f interest earned n restricted dnr funding btained in advance f need, t ensure cmpliance with dnr agreements based n results f testing and interviews with staff, assess whether staff need any training r prfessinal updating in their areas f respnsibility Audit Administratin 7. The audit will be carried ut fr the CGIAR Internal Auditing Unit (IAU) by <auditr name(s)>. Quality assurance will be prvided by <auditr name>. 8. Wrking papers will be prepared in cnfrmity with the plicies and practice requirements set ut in Sectin I.3 f the CGIAR Internal Audit Manual. 9. The wrking papers may be kept in English r <Spanish/French>. 10. The timetable and estimated resurce allcatin fr the audit is as fllws: Audit Phase Cmments Timing Resurces Planning This includes cmpletin f a preliminary survey, n which the final terms f reference and audit wrk plans will be based. The preliminary survey instrument and audit TR will be prepared by the <AiC> and discussed with <Center> August/early September 200X <AiC> x days <auditr> x days (preliminary survey) <QA reviewer> x days Versin: August 15, 2009 Page I.1: 28

29 Audit Manual Sectin I.1 Field Wrk On site and desk wrk t cmplete the field audit wrk plan. Week f September X, 200X <auditr> x days Reprting preparatin f draft reprt This includes preparatin f findings and recmmendatins and quality assurance review Week f September X, 200X <AiC> x days <auditr> x days <QA reviewer> x days Reprting final reprt This includes prcessing f cmments by <Center> n circulated 1 st draft reprt, issue f 2 nd draft reprt t DG and finalizatin f the reprt September/ Octber 200X <AiC> x days <auditr> x days <QA reviewer> x days Audit Reprting 11. The reprt shall cmprise: a transmittal memrandum a reprt cmprising an Intrductin, Overall Cnclusins and Details f Findings and Recmmendatins; and annexes as apprpriate. 12. The 1 st draft reprt will be circulated t the xxxxxx fr initial cmments and prpsed actins/timing t address any recmmendatins. 13. The 2 nd draft reprt, incrprating inputs frm the 1 st draft, will be frmally circulated t xxxxxx fr cmment / cnfirmatin f cmments and actins. 14. The final reprt, incrprating inputs frm the 2 nd draft, will be issued in signed frm by the <Head f Internal Audit> and <AiC if different> t the Directr General. Versin: August 15, 2009 Page I.1: 29

30 Audit Manual Sectin I Audit reprting will cnfrm t the plicies and practice requirements as set ut in Sectin I.4 f the CGIAR IA Manual. 16. Results f the audit will be summarized in the status reprt by the <Head f Internal Audit> t the <Center> Audit Cmmittee next due after the issue f the final versin f the audit reprt. Versin: August 15, 2009 Page I.1: 30