Internal Audit Quality Assessment. Presented To: World Intellectual Property Organization


Internal Audit Quality Assessment
Presented To: World Intellectual Property Organization
April 2014

Table of Contents

List of Acronyms
Executive Summary
    Opinion as to Conformance to the Standards, the Code of Ethics, and the Definition of Internal Auditing
    Objectives / Scope / Methodology
    Observations Specific to the Internal Audit Section of the Internal Audit and Oversight Division
    IIA Standards Conformance Summary
Successful Internal Audit Practices Noted
Opportunities for Improvement Noted
Attachment A Conformance Rating Criteria
Attachment B Required Communications with the Internal Advisory Oversight Committee Checklist Example of Documentation

List of Acronyms

Director, IAOD: Director, Internal Audit and Oversight Division
EQA: External Quality Assessment
ERM: Enterprise Risk Management
IAOC: Internal Advisory Oversight Committee
IAOD: Internal Audit and Oversight Division
IIA: The Institute of Internal Auditors
Internal Audit: The Internal Audit Section of the Internal Audit and Oversight Division
QAIP: Quality Assurance and Improvement Program
Standards: International Standards for the Professional Practice of Internal Auditing
WIPO: The World Intellectual Property Organization

Executive Summary

Under the International Standards for the Professional Practice of Internal Auditing ("Standards"), an external quality assessment ("EQA") of an internal audit activity must be conducted at least once every five years by a qualified assessor or assessment team from outside the organization. The qualified assessor or assessment team must demonstrate competence in both the professional practice of internal auditing and the EQA process. The World Intellectual Property Organization ("WIPO") Internal Audit and Oversight Division ("IAOD") selected the Institute of Internal Auditors ("IIA") Quality Services to lead the review. The IAOD is comprised of three sections: the Internal Audit section, the Evaluation section, and the Investigations section. This EQA was conducted specific to the Internal Audit section of the IAOD ("Internal Audit").

The EQA was concluded on April 17, 2014 and provides management with information about Internal Audit as of that date. Future changes in environmental factors and actions by personnel, including actions taken to address recommendations, may have an impact upon the operation of Internal Audit in a manner that this report did not and cannot anticipate. Considerable professional judgment is involved in evaluating the findings and developing recommendations. Accordingly, it should be recognized that others could evaluate the results differently, and draw different conclusions.

Opinion as to Conformance to the Standards, the Code of Ethics, and the Definition of Internal Auditing

It is our overall opinion that Internal Audit generally conforms to the Standards, the Code of Ethics, and the Definition of Internal Auditing. A detailed list of conformance to individual Standards is shown on page 6 of this report. The IIA's Quality Assessment Manual suggests a scale of three ratings: "generally conforms," "partially conforms," and "does not conform." "Generally Conforms" is the top rating and means the assessor has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the Standards, the Code of Ethics, or the Definition of Internal Auditing in all material respects. Detailed definitions for rating criteria associated with "Generally Conforms," "Partially Conforms," and "Does Not Conform" are described in Attachment A on page 17 of this report and are consistent with the guidance provided by the IIA in their Quality Assessment Manual.

Objectives / Scope / Methodology

The principal objectives of the EQA were to (1) assess Internal Audit conformance to the Standards, the Code of Ethics, and the Definition of Internal Auditing; (2) assess the effectiveness of Internal Audit in providing assurance and advisory services to the Internal Advisory Oversight Committee ("IAOC"), senior executives, and other interested parties; and (3) identify opportunities, offer recommendations for improvement, and provide counsel to the Director, IAOD and staff for improving their performance and services and promoting the image and credibility of Internal Audit.

The scope of the assessment included Internal Audit, as set forth in the WIPO Internal Oversight Charter. The WIPO Internal Oversight Charter, approved by the General Assembly, defines the authority, responsibility, and accountability of the activity. Internal Audit provided the assessment team with a Fox News article dated April 4, 2014 that alleged improprieties by the Director General at WIPO. The article was considered by the assessment team during the EQA process and had no bearing upon the final determination of Internal Audit's conformance with the Standards.

To accomplish the objectives, the EQA team reviewed information prepared by Internal Audit at the EQA team's request, conducted interviews with selected key stakeholders to Internal Audit, reviewed a sample of audit projects and associated work papers and reports, reviewed benchmark and survey data, and prepared diagnostic tools consistent with the methodology established for an EQA in the IIA Quality Assessment Manual.

Observations Specific to the Internal Audit Section of the Internal Audit and Oversight Division

Internal Audit is generally in conformance with the Standards, the IIA Code of Ethics, and the Definition of Internal Auditing. They demonstrate a strong commitment to exceeding the basic requirements of the Standards and are focused on enhancing quality through continuous improvement. The functional and administrative reporting relationships are appropriate and support organizational independence and objectivity. Their annual risk assessment process focuses activities in areas of highest risk and impact consistent with the strategy and objectives of WIPO. Internal Audit has qualified staff that performs their work in a competent and high quality manner and infrastructure supports consistent performance of Internal Audit activities. They are an integral part of the governance process for WIPO and are valued by their stakeholders including the IAOC. They operate in a very dynamic environment and their ability to adapt and be responsive to change, combined with their ability to leverage insight on risks impacting the organization into focused audit plans, will continue to be critical to their success and value to the organization.

Attribute Standards

Internal Audit generally has the infrastructure in place to support sustainability of internal audit processes in a quality and consistent manner. Their charter is comprehensive and is foundational to all their activities, but should be modified for several technical requirements of the Standards. The functional and administrative reporting relationships are appropriate and support organizational independence and objectivity. Functional reporting is supported by direct and open access between the Director, IAOD and the chairs of the General Assembly, the Coordination Committee, the Program and Budget Committee, and the IAOC.

The structure of IAOD presents an impairment in the ability of Internal Audit to independently evaluate the activities of the Evaluation and Investigation sections of IAOD. This impairment has been appropriately disclosed and is being managed effectively by the Director, IAOD. Internal Audit management and staff are qualified with appropriate credentials and experience; and work is performed with due professional care that includes an appropriate level of supervisory review and approval. Training and professional development processes are appropriate to support proficiency of Internal Audit management and staff. While the CAE has established a Quality Assurance and Improvement Program ("QAIP") that promotes quality and continuous improvement, this program should be more formalized to enhance sustainability and consistency in execution.

Performance Standards

Internal Audit is managed appropriately and the annual audit plan is supported by a risk assessment process that incorporates input from Internal Audit stakeholders including the Director General, the IAOC, and the various member states when developing the audit universe, conducting risk assessment, and preparing the annual audit plan. The annual audit plan is reviewed by the IAOC, but should be formally approved by them as well. Results of the annual audit plan are communicated periodically to the IAOC and on an annual basis to the General Assembly. Internal Audit manages resources effectively and uses third party resources for specific subject matter expertise on an as needed basis. Internal Audit should continue to refine its role in Enterprise Risk Management ("ERM") within WIPO as those processes mature to ensure that Internal Audit plans are linked to the entity-wide view of risk. Policies and procedures supporting Internal Audit infrastructure and key processes should be updated to align with current practices and the use of the electronic work paper software tool. This supports sustainability and consistency of these processes and promotes quality.

Engagement level planning is supported by an engagement level risk assessment that appropriately considers fraud risk as a component. Objectives evaluate technology, operational, financial, and compliance components as appropriate for individual engagements. Individual audits are of a consistent high quality and work papers fully support reported findings. Audit reports are consistent with the underlying work product and there is a follow-up process in place that tracks audit issues through to resolution.

IIA Standards Conformance Summary

GC PC DNC NA

OVERALL

ATTRIBUTE STANDARDS
1000 Purpose, Authority, and Responsibility
1010 Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the Internal Audit Charter
1100 Independence and Objectivity
1110 Organizational Independence
1111 Direct Interaction with the Board
1120 Individual Objectivity
1130 Impairments to Independence or Objectivity
1200 Proficiency and Due Professional Care
1210 Proficiency
1220 Due Professional Care
1230 Continuing Professional Development
1300 Quality Assurance and Improvement Program
1310 Requirements of the Quality Assurance and Improvement Program
1311 Internal Assessments
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
1321 Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"
1322 Disclosure of Nonconformance

PERFORMANCE STANDARDS
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Programs
2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
2430 Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing"
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
2500 Monitoring Progress
2600 Communicating the Acceptance of Risks

IIA CODE OF ETHICS

DEFINITION OF INTERNAL AUDITING

During the EQA, several areas were noted where Internal Audit is operating in a successful internal audit practice manner. In addition, some areas were noted where there are opportunities for improvement that will strengthen conformance to the Standards or will enhance efficiency and effectiveness of Internal Audit processes. Detailed observations, recommendations, and Internal Audit responses to these opportunities for improvement are included in the following section of this report.

Successful Internal Audit Practices Noted

Standard 1220: The Internal Audit methodology requires the extensive use of checklists and templates embedded within their electronic work paper tool to ensure Internal Audit projects are planned and executed consistent with the defined methodology and that all required elements are considered.
Standard 2010: Internal Audit has a robust annual risk assessment process that incorporates input from stakeholders throughout the organization, including the Director General, the IAOC, and the various member states when developing the audit universe, conducting risk assessment, and preparing the annual audit plan.
Standard 2030: Internal Audit effectively uses third party resources to supplement audit staff and to provide subject matter expertise.
Standard 2300: Work papers supporting individual audit engagements are of a consistent high quality and generally exceed conformance with Standards requirements.

Opportunities for Improvement Noted

Standard 1000: Update the WIPO Internal Oversight Charter for several technical adjustments to align with the IIA Model Internal Audit Activity Charter (May 2013) which incorporates newly required elements of the Standards.
Standard 1220: Continue the IAOD strategy to enhance the use of data analytics in support of Internal Audit risk assessment, planning, and engagement execution.
Standard 1300: Document the QAIP in the Internal Audit Manual to fully describe all required elements such as objectives, scope, internal and external assessment components, and communication of results.
Standard 1311: Consider enhancing the periodic internal assessment process by using a combination of vertical and horizontal reviews of completed projects to support evaluation of conformance with the Standards and the Internal Audit methodology as well as efficiency and effectiveness of the underlying processes.
Standard 2000: Consider updating the Strategic Plan for IAOD that supports the dynamic nature of WIPO and that guides activities of Internal Audit in a proactive, thoughtful, systematic, and practical manner.
Standard 2020: Communicate the risk-based audit plan to the IAOC for both review and approval.
Standard 2040: Consider updating the Internal Audit Manual to align with the current Internal Audit methodology that incorporates the effective use of an electronic work paper software tool.

Standard 2060: Consider adopting a Required Communications with the IAOC Checklist to ensure that all requirements are met and documented in the appropriate time frames.
Standard 2110: Consider incorporating an evaluation of the effectiveness of the organization's ethics-related objectives, programs, and activities as well as information technology governance in support of the organization's strategies and objectives into the annual audit planning process.
Standard 2120: Consider expanding the role of Internal Audit in support of the maturing and evolving ERM process within WIPO.
Standard 2410: Consider enhancing the audit reporting process by providing more clarity with regards to the relative significance of observations reported.

Thank you for the opportunity to be of service to Internal Audit. We will be pleased to respond to further questions concerning this report and furnish any desired information.

Basil Woller, CIA, CRMA
Team Leader

Team Member: Robert Riegel, CIA, CRMA, CISA, CRISC, CFSA, CFE

Gina Eubanks, CIA, CRMA, CCSA, CISA
Vice President Professional Services
The Institute of Internal Auditors

Successful Internal Audit Practices Noted

Standard 1220
Successful Internal Audit Practice: The Internal Audit methodology requires the extensive use of checklists and templates embedded within their electronic work paper tool to ensure Internal Audit projects are planned and executed consistent with the defined methodology and that all required elements are considered.
Description: The checklists and templates used by Internal Audit are comprehensive and updated to address specific requirements for the area under review. The use of checklists and templates to plan, execute, and administer Internal Audit projects together with required supervisory review and approval ensures (1) consistent application of the Internal Audit methodology, (2) contributes to a high level of quality within Internal Audit projects, (3) provides a mechanism to document appropriate supervisory review and approval for critical elements within the work papers, and (4) demonstrates due professional care in conducting internal audits.

Standard 2010
Successful Internal Audit Practice: Internal Audit has a robust annual risk assessment process that incorporates input from stakeholders throughout the organization, including the Director General, the IAOC, and the various member states when developing the audit universe, conducting risk assessment, and preparing the annual audit plan.
Description: Internal Audit generally, and the Director, IAOD specifically, have a "seat at the table" within the organization to appropriately capture information related to emerging and/or changing risk profiles while maintaining their independence and objectivity. This "seat at the table" is primarily ensured by formal interaction with the senior leadership team and open and direct access to senior stakeholders throughout the organization. The audit plan is the result of a risk assessment process that uses defined risk factors and rating criteria that in combination derive residual levels of risk for prioritization of areas for review. The plan is consistent with the entity-wide view of risk, and audits are focused to evaluate specific objectives related to mitigation of risk. There is an appropriate balance between financial reporting, compliance, and operational risk objectives in the annual audit plan.

Standard 2030
Successful Internal Audit Practice: Internal Audit effectively uses third party resources to supplement audit staff and to provide subject matter expertise.
Description: Internal Audit uses third party resources primarily for technical skills associated with IT audit requirements. This is especially appropriate given the rapidly changing technical requirements needed to effectively audit technology risk. One of the challenges for a smaller internal audit activity is ensuring that the appropriate skill sets are in place to perform audit from a proficiency perspective. This effective and necessary use of third party resources is a successful internal audit practice for a smaller internal audit activity.

Standard 2300
Successful Internal Audit Practice: Work papers supporting individual audit engagements are of a consistent high quality and generally exceed conformance with Standards requirements.
Description: This is especially noteworthy given the relatively small size of Internal Audit. Observations communicated to senior management, the IAOC, and the external auditor were fully supported and linked to the underlying work papers. Documentation of information within the work papers including planning, work programs, use of checklists, and supervisory review and approval was maintained consistently across the projects reviewed and in strict conformance with the defined methodology. Opening and closing meeting materials were thorough and included the scope and results of engagements. Significant client communications were routinely included and there was appropriate evidence for supervisory review and approval of all work performed. The electronic work paper software tool was used in a very effective manner to integrate annual risk assessment with engagement level audit processes and tracking of results.

Opportunities for Improvement Noted

Standard 1000
Opportunity for Improvement: Update the WIPO Internal Oversight Charter for several technical adjustments to align with the IIA Model Internal Audit Activity Charter (May 2013) which incorporates newly required elements of the Standards.
Include language in Section E: Duties and Modalities of Work, Paragraph 14 that describes the nature of consulting services provided by IAOD. Consider language such as "Perform consulting and advisory services related to governance, risk management, and controls as appropriate for the organization." Describing the nature of consulting services in the WIPO Internal Oversight Charter is a requirement of Standard 1000.C1.
Include language in the WIPO Internal Audit Oversight Charter that recognizes the mandatory nature of the Definition of Internal Auditing, the IIA Code of Ethics, and the Standards. The WIPO Internal Oversight Charter is generally consistent with the Definition of Internal Auditing, the IIA Code of Ethics, and the Standards, but does not include specific language that recognizes their mandatory nature as required by Standard
Internal Audit Response
Comment and Action Plan: IAOD agrees with the recommendation and will make the necessary proposals to the Independent Advisory Oversight Committee (IAOC) for amendments to be considered to the Internal Oversight Charter.
Responsible staff: T. Rajaobelina with the IAOC
Deadline: WIPO General Assembly 2015

Standard 1220
Opportunity for Improvement: Continue the IAOD strategy to enhance the use of data analytics in support of Internal Audit risk assessment, planning, and engagement execution.
For individual engagements, data analytics can effectively identify observations and support root-cause analysis for those observations reported to management. Expanding data analytics capability is consistent with successful internal audit practice and provides the opportunity to (1) enhance the audit process so it is faster and more efficient and effective, (2) shorten the audit cycle time to provide more timely risk and control assurance, (3) achieve greater audit coverage without the need to expand Internal Audit resource requirements, (4) be able to conduct selected audits on a periodic basis, (5) audit 100% of data populations rather than a sample, (6) improve the quality of assurance through the use of data and transactional analysis, and (7) enhance the value to audit clients and the organization as a whole. The use of data analytics is a successful internal audit practice that is becoming more commonplace as technology and data analytics become more embedded within the skill sets of internal auditors.
Internal Audit Response
Comment and Action Plan: IAOD agrees with the recommendation. IAOD already uses data analytics in all audits, to the extent possible. IAOD has already acquired ACL licenses and went through training on ACL as well as PeopleSoft. IAOD will further develop its use of data analytics to effectively implement its continuous auditing approach. The objective will be for IAOD not only to systematically use data analytics in each engagement but also to develop IAOD reports on exceptions, anomalies, patterns and trends that will be produced based on analysis of information within WIPO systems.
Responsible staff: Tuncay Efendioglu - Sashidhar Boriah
Deadline: December 31,

Standard 1300
Opportunity for Improvement: Document the QAIP in the Internal Audit Manual to fully describe all required elements such as objectives, scope, internal and external assessment components, and communication of results.
While required elements of the QAIP are in place and functioning, documentation does not currently support their sustainability and consistent execution. The IIA Practice Guide Quality Assurance and Improvement Program (March 2012) provides strongly recommended guidance on the topic of a QAIP. The scope of the QAIP should be the operation of Internal Audit as described in the WIPO Internal Oversight Charter. Objectives for the QAIP should be consistent with those described in Practice Advisory and include: (1) conformance with the Definition of Internal Auditing, the Standards, and the IIA Code of Ethics; (2) adequacy of the WIPO Internal Oversight Charter, goals, objectives, policies, and procedures; (3) contribution to the organization's governance, risk management, and control processes; (4) compliance with applicable laws, regulations, and government or industry standards; (5) effectiveness of continuous improvement activities and adoption of best practices; and (6) the extent to which Internal Audit adds value and improves the organization's operations. The processes used to support on-going monitoring of Internal Audit performance, internal periodic assessment, external assessment, and communication of internal and external assessment results should be documented in sufficient detail to consistently guide their execution.
Internal Audit Response
Comment and action plan: IAOD agrees with the recommendation. As recognized in the EQA, required elements of the Quality Assurance and Improvement Program (QAIP) are in place and functioning and what needs to be done is to formalize it. IAOD will prepare a formal QAIP document to gather all the necessary elements to ensure sustainability and consistency.
Responsible staff: Tuncay Efendioglu
Deadline: July 15,

Standard 1311
Opportunity for Improvement: Consider enhancing the periodic internal assessment process by using a combination of vertical and horizontal reviews of completed projects to support evaluation of conformance with the Standards and the Internal Audit methodology as well as efficiency and effectiveness of the underlying processes.
Vertical and horizontal reviews are the two generally accepted methods to perform quality reviews of completed audit projects. A vertical review provides an evaluation of conformance with the Standards and examines a specific project from a top-down approach (e.g., an assessment of individual audit steps performed for a specific project work plan, e.g., planning steps, fieldwork steps and reporting steps). A horizontal review allows for an evaluation across all project engagements (e.g., use of the risk assessment matrix, supervisory review and approval process, or consistency in applying report ratings) from an efficiency and effectiveness perspective. A combination of these two methods is consistent with successful internal audit practice and contributes to continuous improvement of internal audit processes.
Internal Audit Response
Comment and action plan: IAOD agrees with the recommendation. IAOD will prepare annual reports on the outcome of vertical and horizontal assessments.
Responsible staff: Tuncay Efendioglu
Deadline: August 31, 2014

Standard 2000
Opportunity for Improvement: Consider updating the Strategic Plan for IAOD that supports the dynamic nature of WIPO and that guides activities of Internal Audit in a proactive, thoughtful, systematic, and practical manner.
Ensure strategies in the multi-year plan support (1) the robust risk assessment and annual planning process to focus on emerging high risk areas to WIPO including coverage of technology, strategic, and business risks; (2) alignment and coordination between Internal Audit as a third line of defense and other assurance activities associated with the second line of defense including ERM; (3) alignment of Internal Audit resources with the annual plan requirements from an organizational, staffing and on-boarding, and professional development perspective; and (4) the deployment of technology within Internal Audit to support the expanded use of data analytics for engagement planning and execution, and the implementation of continuous auditing protocols. Strategy statements should be supported by specific actions to execute the defined strategy. The IIA Practice Guide Developing the Internal Audit Strategic Plan (July 2012) might be considered as a resource when developing this plan.
Internal Audit Response
Comment and action plan: IAOD agrees with the recommendation. IAOD will prepare a revised Internal Audit Strategy/Policy in accordance with its Internal Oversight Charter (paragraph 13).
Responsible staff: Thierry Rajaobelina in coordination with Member States and the IAOC.
Deadline: June 30,

Standard 2020
Opportunity for Improvement: Communicate the risk-based audit plan to the IAOC for both review and approval.
While the risk-based audit plan and associated resource requirements including significant interim changes are communicated to the IAOC for review, the risk-based audit plan is not formally approved as required by Standard 2020 Communication and Approval. Formal approval of the risk-based plan and the associated resource plan is a successful internal audit practice that demonstrates independent functional reporting and supports organizational independence and objectivity of Internal Audit.
Internal Audit Response
Comment and action plan: IAOD takes note of the recommendation. The issue was discussed with the IAOC at its March 2014 session and it was decided that the IAOC would review the draft of the plan before its issuance. This new practice will begin at the end of To have the IAOC approve the plan will need a revision of the Internal Oversight Charter, on which IAOD can work with the IAOC.
Responsible staff: T. Rajaobelina with the IAOC.
Deadline: WIPO General Assembly 2015

Standard 2040
Opportunity for Improvement: Consider updating the Internal Audit Manual to align with the current Internal Audit methodology that incorporates the effective use of an electronic work paper software tool.
The manual was last updated in 2011 and does not currently include procedures that document the Internal Audit methodology in place and operating through the electronic work paper software tool. Procedures should be updated for (1) the annual risk assessment and planning process, (2) the engagement planning process, including work program development, (3) the engagement fieldwork process, (4) the engagement reporting process, and (5) the monitoring of reported observations process. In addition, as described in Standard 1300 Quality Assurance and Improvement Program, the QAIP should be more fully documented to include objectives, scope, and procedures to implement internal and external assessment requirements and communication of results. Reviewing and updating the manual as a component of the periodic internal assessment process is a means to ensure the manual is current with professional guidance.
Internal Audit Response
Comment and action plan: IAOD agrees with the recommendation. IAOD will prepare a revision of its audit manual and will submit it to the IAOC for its review in accordance with paragraph 13 of the Internal Oversight Charter.
Responsible staff: Tuncay Efendioglu and Alain Garba
Deadline: December 31,

Standard 2060
Opportunity for Improvement: Consider adopting a Required Communications with the IAOC Checklist to ensure that all requirements are met and documented in the appropriate time frames.
This checklist should be integrated into the IAOC agenda as appropriate and should be updated as changes to Standards become effective. This checklist, when combined with IAOC minutes, provides documentation that all required communications are considered and take place in the appropriate time frames. An example of this checklist is included as Attachment B to this report.
Internal Audit Response
Comment and action plan: IAOD agrees with the recommendation. IAOD will discuss the checklist with the IAOC and prepare any required list for the IAOC's consideration.
Responsible staff: Thierry Rajaobelina
Deadline: December 31, 2014

Standard 2110
Opportunity for Improvement: Consider incorporating an evaluation of the effectiveness of the organization's ethics-related objectives, programs, and activities as well as information technology governance in support of the organization's strategies and objectives into the annual audit planning process.
Implementation Standards 2110.A1 and 2110.A2 adopted in 2009 require that the ethics and compliance program and information technology governance be evaluated as part of the evaluation of governance activities required by the nature of work Standards. Each of these items should be included in the audit universe, evaluated as part of the annual risk assessment, and incorporated into the annual audit plan as appropriate.
Internal Audit Response
Comment and action plan: IAOD agrees with the recommendation. IAOD notes that audits of the organization's ethics-related objectives and of information technology governance were done in recent years (2010 in one case and from 2011 to 2013 for the second). In addition as regards ethics, IAOD also notes that the organization's framework is continuously reviewed through investigations conducted by IAOD. IAOD will nevertheless specifically incorporate the ethics and compliance program and information technology governance in its oversight universe, risk assessment and annual plan as appropriate.
Responsible staff: Tuncay Efendioglu - Sashidhar Boriah
Deadline: 2015 annual plan exercise

16 Opportunities for Improvement Noted

Standard 2120

Opportunity for Improvement: Consider expanding the role of Internal Audit in support of the maturing and evolving ERM process within WIPO. Consider the IIA Position Paper "The Role of Internal Auditing in Enterprise-Wide Risk Assessment" as guidance for the ongoing role. As the ERM process within WIPO continues to evolve, Internal Audit can provide assurance into how the organization identifies risks, assigns ownership of those risks, documents risk mitigation strategies and results, and monitors the residual levels of risk. Internal Audit should appropriately link the entity-level view of risk into their annual risk assessment process consistent with Standards requirements.

Internal Audit Response: Comment and action plan: IAOD takes note of the recommendation. IAOD will continue advising the organization on the implementation of its ERM process. IAOD will also continue taking into account the entity-level view of risk when conducting its annual risk-assessment process. Responsible staff: Thierry Rajaobelina Deadline: on-going

Standard 2410

Opportunity for Improvement: Consider enhancing the audit reporting process by providing more clarity with regard to the relative significance of observations reported. The current process describes the impact of observations but does not necessarily provide input into the significance of the issue. Several key stakeholders suggested this would help them focus on those areas most critical to their operation while still being kept informed of other important issues. Categorizing exceptions using pre-defined criteria can provide a consistent view of significance across the organization and can provide insight into prioritization for management response and action. Rating criteria should be developed in consultation with key stakeholders consistent with the requirement of Standard 2410.A1.

Internal Audit Response: Comment and action plan: IAOD agrees with the recommendation. IAOD will continue working on the clarity of its audit reports. IAOD will continue to prioritize its observations and recommendations. Efforts will be put in enhancing the process. Auditors have already been registered on report writing courses and collectively IAOD will organize a follow-up training in January 2015 on report writing. Responsible staff: Tuncay Efendioglu - Alain Garba - Sashidhar Boriah Deadline: next audit report

17 Attachment A Conformance Rating Criteria

GC Generally Conforms means the assessor has concluded the following:

For individual standards, that the internal audit activity conforms to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or elements of the Code of Ethics (both Principles and Rules of Conduct) in all material respects.

For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity achieves general conformity to a majority of the individual standards and/or elements of the Code of Ethics, and at least partial conformity to others, within the section/category.

For the internal audit activity overall, there may be opportunities for improvement, but these should not represent situations where the internal audit activity has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives.

PC Partially Conforms means the assessor has concluded the following:

For individual standards, the internal audit activity is making good faith efforts to conform to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or element of the Code of Ethics (both Principles and Rules of Conduct) but falls short of achieving some major objectives.

For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity partially achieves conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics.

For the internal audit activity overall, there will be significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the internal audit activity and may result in recommendations to senior management or the board of the organization.

DNC Does Not Conform means the assessor has concluded the following:

For individual standards, the internal audit activity is not aware of, is not making good faith efforts to conform to, or is failing to achieve many/all of the objectives of the standard (e.g., 1000, 1010, 2000, 2010, etc.) and/or elements of the Code of Ethics (both Principles and Rules of Conduct).

For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity does not achieve conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics.

For the internal audit activity overall, there will be deficiencies that will usually have a significant negative impact on the internal audit activity's effectiveness and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior management or the board.

18 Attachment B Required Communications with the Internal Advisory Oversight Committee Checklist Example of Documentation

Columns: Standard / Communication Requirement / Annual Communication Documentation

Standard 1000
Communication Requirement: The CAE must periodically review the Internal Audit Department Charter and present it to Senior Management and the Audit Committee for review and Audit Committee approval.
Annual Communication Documentation: The Internal Audit charter was amended and presented to senior management and the Audit Committee for review and approval at the January, 20, Audit Committee Meeting.

Communication Requirement: The CAE should discuss the Definition of Internal Auditing, the Code of Ethics, and the IIA Standards with Senior Management and the Audit Committee.
Annual Communication Documentation: The Definition of Internal Auditing, the Code of Ethics, and the Standards were discussed with senior management and the Audit Committee in conjunction with the Internal Audit charter review at the January, 20, Audit Committee meeting.

Communication Requirement: The CAE must confirm to the Audit Committee, at least annually, the organizational independence of the internal auditing activity.
Annual Communication Documentation: As the CAE, I hereby confirm the organizational independence of the internal audit activity as of May,

Communication Requirement: The CAE must communicate and interact directly with the Audit Committee.
Annual Communication Documentation: As the CAE, I confirm that an appropriate level of communication and interaction has taken place between me and the Audit Committee.

Communication Requirement: The chief audit executive must discuss with the Audit Committee the form and frequency of external assessment as well as the qualifications and independence of the external assessor or assessment team, including any potential conflicts of interest.
Annual Communication Documentation: Discussions were held at the November, 20, Audit Committee Meeting related to the need for and the frequency of the periodic external assessments, the form of the external assessment, and the qualification and independence of the external assessor.

Communication Requirement: The CAE must communicate the results of the quality assurance and improvement program to senior management and the Audit Committee. The results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer's or review team's assessment with respect to the degree of conformance.
Annual Communication Documentation: Results of the Continuous Monitoring and Annual Internal Quality Assessment Review of Internal Audit were communicated to Executive Management on January, 20, and to the Audit Committee on January, 20. The results of the external quality assessment performed by were communicated to Executive Management and the Audit Committee on February, 20.

Communication Requirement: The CAE must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the Audit Committee for review and approval. The CAE must also communicate the impact of resource limitations.
Annual Communication Documentation: Communication of status of internal audit plans and resource requirements was reported on at least a quarterly basis to the Audit Committee. At the November, 20, Audit Committee Meeting, Internal Audit reported that there were no audits below the resource cut line on the Proposed 20 Audit Plan that Internal Audit believed were necessary to be performed in 20. Accordingly, there were no material impacts associated with resource limitations.

Communication Requirement: The CAE must report periodically to senior management and the Audit Committee on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Audit Committee.
Annual Communication Documentation: Communication of Internal Audit's purpose, authority, and responsibility was reported to the Audit Committee on January, 20. On a periodic basis, the CAE also reports significant risk exposures and control issues, including fraud risks, governance issues, and other matters at the request of the Audit Committee.


GAO DEFENSE CONTRACT AUDITS. Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports GAO United States Government Accountability Office Report to the Committee on Armed Services, U.S. Senate December 2011 DEFENSE CONTRACT AUDITS Actions Needed to Improve DCAA's Access to and Use of Defense

More information

The Procter & Gamble Company Board of Directors Audit Committee Charter

The Procter & Gamble Company Board of Directors Audit Committee Charter The Procter & Gamble Company Board of Directors Audit Committee Charter I. Purposes. The Audit Committee (the Committee ) is appointed by the Board of Directors for the primary purposes of: A. Assisting

More information

AUDIT COMMITTEE BEST PRACTICES CHECKLIST

AUDIT COMMITTEE BEST PRACTICES CHECKLIST AUDIT COMMITTEE BEST PRACTICES CHECKLIST General 1. Members have the appropriate predefined qualifications to meet the objectives of the audit committee s charter, including appropriate financial literacy.

More information

2012 Audit Plan. Finance, Audit and Facilities Committee Board of Regents. November 2011 ATTACHMENT

2012 Audit Plan. Finance, Audit and Facilities Committee Board of Regents. November 2011 ATTACHMENT 2012 Audit Plan Finance, Audit and Facilities Committee Board of Regents November 2011 ATTACHMENT Table of Contents Executive Summary...1 2012 Audit Plan...2 Analysis of Coverage of University Auditable

More information

Position Title: Management Info Chief. Working Title: Technical Project Management Section Chief

Position Title: Management Info Chief. Working Title: Technical Project Management Section Chief Position Title: Management Info Chief Working Title: Technical Project Management Section Chief This management position directs the operational activities of the Project Management Office whose mission

More information

HALOZYME THERAPEUTICS, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS ORGANIZATION AND MEMBERSHIP REQUIREMENTS

HALOZYME THERAPEUTICS, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS ORGANIZATION AND MEMBERSHIP REQUIREMENTS HALOZYME THERAPEUTICS, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS I. STATEMENT OF POLICY The Audit Committee (the Committee ) of the Board of Directors (the Board ) of Halozyme Therapeutics,

More information

Board Oversight Plan of Risk Management, Internal Audit, and COPS Programs

Board Oversight Plan of Risk Management, Internal Audit, and COPS Programs Board Oversight Plan of Risk Management, Internal Audit, and COPS Programs Date Prepared: June 27, 2011 Page 1 The Order states: Within ninety (90) days of this Order, the Board shall submit to the Regional

More information

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM))

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM)) Guideline Subject: Category: (RCM) (formerly Legislative Compliance Management (LCM)) Sound Business & Financial Practices No: E-13 Date: November 2014 I. Purpose and Scope of the Guideline The purpose

More information

Qualification in Internal Audit Leadership (QIAL ) Exam Syllabus

Qualification in Internal Audit Leadership (QIAL ) Exam Syllabus QIAL SYLLABUS MARCH 2015 Qualification in Internal Audit Leadership (QIAL ) Exam Syllabus The QIAL assessment comprises five sections: Case study 1*: Internal Audit Leadership (3 hours and 45 minutes)

More information

Audit, Risk Management and Compliance Committee Charter

Audit, Risk Management and Compliance Committee Charter Audit, Risk Management and Compliance Committee Charter Woolworths Limited Adopted by the Board on 27 August 2013 page 1 1 Introduction This Charter sets out the responsibilities, structure and composition

More information

Annual Assessment of the External Auditor

Annual Assessment of the External Auditor Annual Assessment of the External Auditor TOOL FOR AUDIT COMMITTEES January 2014 ENHANCING AUDIT QUALITY AUDIT COMMITTEES iii Table of Contents Introduction 1 1. Determine the scope, timing and process

More information

Internal Auditing: Assurance, Insight, and Objectivity

Internal Auditing: Assurance, Insight, and Objectivity Internal Auditing: Assurance, Insight, and Objectivity WHAT IS INTERNAL AUDITING? INTERNAL AUDITING business people all around the world are familiar with the term. But do they understand the value it

More information

Quality Assessment Report. Louisville Metro Government Office of Internal Audit. For. December 13, 2006

Quality Assessment Report. Louisville Metro Government Office of Internal Audit. For. December 13, 2006 Quality Assessment Report For Louisville Metro Government Office of Internal Audit December 13, 2006 Table of Contents Executive Summary 4 Introduction 4 The Titus Solution 4 Comments 5 Conformity Rating

More information

Streamlining the Annual Risk Assessment Process

Streamlining the Annual Risk Assessment Process Streamlining the Annual Risk Assessment Process Presenter: Gregory Jordan, CPA, CIA, CRMA, FLMI Senior Vice President, Chief Audit Executive Nationwide Insurance Gregory Jordan, CPA, CIA, CRMA, FLMI Chief

More information

Risk Management Committee (Committee) Terms of Reference

Risk Management Committee (Committee) Terms of Reference Risk Management Committee (Committee) Terms of Reference 1. Objective of Committee 1.1 The Risk Management Committee ( the Committee ) is a formal sub-committee of the Board of the JSE ( the Board ). 1.2

More information

Positioning the internal audit function within the Solvency II framework Key challenges. Ludovic Bardon Senior Manager Audit Deloitte Luxembourg

Positioning the internal audit function within the Solvency II framework Key challenges. Ludovic Bardon Senior Manager Audit Deloitte Luxembourg Positioning the internal audit function within the Solvency II framework Key challenges Jérôme Sosnowski Director Governance, Risk & Compliance Deloitte Luxembourg Ludovic Bardon Senior Manager Audit Deloitte

More information

OAC Presentation to UNESCO Member States

OAC Presentation to UNESCO Member States OAC Presentation to UNESCO Member States Scope and Purpose of Audit and Risk Committees 29 June 2016 1 Content: 1. Context 2. Audit and Risk Management in UNESCO today 3. Relationship between Entreprise

More information

Board of Directors and Management Oversight

Board of Directors and Management Oversight Board of Directors and Management Oversight Examination Procedures Examiners should request/ review records, discuss issues and questions with senior management. With respect to board and senior management

More information

3.6 - REPORT BY THE CHAIRMAN OF THE BOARD OF DIRECTORS ON CORPORATE GOVERNANCE, RISK MANAGEMENT AND INTERNAL CONTROLS

3.6 - REPORT BY THE CHAIRMAN OF THE BOARD OF DIRECTORS ON CORPORATE GOVERNANCE, RISK MANAGEMENT AND INTERNAL CONTROLS RISK FACTORS Report by the Chairman of the Board of Directors on corporate governance, risk management and internal controls Property damage and operating loss insurance Property damage/operating loss

More information

ADOBE CORPORATE GOVERNANCE GUIDELINES

ADOBE CORPORATE GOVERNANCE GUIDELINES Contents 2 Introduction 2 The Mission of the Board of Directors 2 Guidelines for Corporate Governance ADOBE CORPORATE GOVERNANCE GUIDELINES 2 Selection of the Board 3 Board Leadership 3 Board Composition,

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

MISSION STATEMENT OBJECTIVES IN ACCOMPLISHING OUR MISSION

MISSION STATEMENT OBJECTIVES IN ACCOMPLISHING OUR MISSION MISSION STATEMENT Internal Audit exists to support administration and the Board of Directors in the effective discharge of their responsibilities. Using our knowledge and professional judgment, we will

More information

Application of King III Corporate Governance Principles

Application of King III Corporate Governance Principles Application of Corporate Governance Principles Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have been applied

More information

1. This bulletin, which contains the Charter of the Office of Internal Oversight Services (IOS) of

1. This bulletin, which contains the Charter of the Office of Internal Oversight Services (IOS) of UNIDO/DGB/(M).92/Rev.3 28 January 2015 Distribution: All staff members at headquarters, established offices and permanent missions 1. This bulletin, which contains the Charter of the Office of Internal

More information

COSO Internal Control Integrated Framework (2013)

COSO Internal Control Integrated Framework (2013) COSO Internal Control Integrated Framework (2013) The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework (2013 Framework)

More information

Guidance for audit committees. The internal audit function

Guidance for audit committees. The internal audit function Guidance for audit committees The internal audit function March 2004 The Combined Code on Corporate Governance July 2003 C.3 Audit Committee and Auditors Main Principle: The board should establish formal

More information

Audit and Risk Committee Charter. Knosys Limited ACN 604 777 862 (Company)

Audit and Risk Committee Charter. Knosys Limited ACN 604 777 862 (Company) Audit and Risk Committee Charter Knosys Limited ACN 604 777 862 (Company) Audit and Risk Committee Charter 1. Introduction 1.1 The Audit and Risk Committee is a committee established by the board of directors

More information

Department of Defense MANUAL

Department of Defense MANUAL Department of Defense MANUAL NUMBER 7600.07 August 3, 2015 IG DoD SUBJECT: DoD Audit Manual References: See Enclosure 1 1. PURPOSE. This manual: a. Reissues DoD 7600.07-M (Reference (a)) in accordance

More information

APPENDIX: CHECKLIST COMPLIANCE WITH THE CODE

APPENDIX: CHECKLIST COMPLIANCE WITH THE CODE AEDIX: CHECKLIST COMLIACE WITH THE CODE lease tick to indicate = ES, = ARTIAL, = O. Where partial or no, you should give reasons for any noncompliance, and any compensating measures in place or actions

More information

AMERICAN AIRLINES GROUP INC. AUDIT COMMITTEE CHARTER

AMERICAN AIRLINES GROUP INC. AUDIT COMMITTEE CHARTER AMERICAN AIRLINES GROUP INC. AUDIT COMMITTEE CHARTER As adopted by the Board of Directors on December 9, 2013 The Board of Directors (the Board ) of American Airlines Group Inc. (the Company ) hereby sets

More information

Internal Audit Practice Guide

Internal Audit Practice Guide Internal Audit Practice Guide Continuous Auditing Office of the Comptroller General, Internal Audit Sector May 2010 Table of Contents Purpose...1 Background...1 Definitions...2 Continuous Auditing Professional

More information

JASON INDUSTRIES, INC. CORPORATE GOVERNANCE GUIDELINES

JASON INDUSTRIES, INC. CORPORATE GOVERNANCE GUIDELINES JASON INDUSTRIES, INC. CORPORATE GOVERNANCE GUIDELINES Jason Industries, Inc. (the Company ) is committed to developing effective, transparent and accountable corporate governance practices. These Corporate

More information