Consultative Group on International Agricultural Research (CGIAR) CGIAR AUDITING GUIDELINES MANUAL FINANCIAL GUIDELINES SERIES, NO. 3 July 2001
Financial Guidelines Series No.1 CGIAR Financial Management (Revised 1999) No.2 CGIAR Accounting Policies and Reporting Practices Manual (Revised 1999) No. 3 CGIAR Auditing Guidelines Manual (Revised 1995) No. 4 CGIAR Resource Allocation: Developing and Financing the CGIAR Research Agenda (Revised 1998) No. 5 CGIAR Indirect Cost Allocation Guidelines (August 2001) No. 6 CGIAR Procurement of Goods, Works and Services (August 2001) These policy guidelines have been prepared by the CGIAR Secretariat to assist the International Agricultural Research Centers supported by the Consultative Group on International Agricultural Research. Each IARC is encouraged to draw up its own policies and procedures manuals for its internal use. Questions or suggestions about these guidelines should be sent to: CGIAR Secretariat (Attn: Ravi Tadvalkar) 1818 H. Street, N.W. Washington, D.C. 20433, USA The CGIAR Secretariat approved the Audit Guidelines for publication as an Exposure Draft on January 16, 2001. It was circulated for comments to all the 16 IARC including certain outside organizations such as the World Bank, the Asian Development Bank, the World Food Programme, and the International Fund for Agricultural Development. FG3: Auditing Guidelines Page 2 of 57 July 9, 2001
TABLE OF CONTENTS MANDATORY COMPLIANCE REQUIREMENTS 5 INTRODUCTION 6 1.0 CORPORATE GOVERNANCE 7 About CGIAR and Corporate Governance 8 Audit/Finance Committee of the Board of Trustees 8 Definition of Internal Control 10 Definition of Internal Auditing 11 Internal Audit Charter 12 2.0 EXTERNAL AUDITING 14 Introduction 15 Responsibility for Accuracy of Financial Statements 15 Scope and Objectives of an External Audit 16 Letter of Engagement 18 Audited Financial Statements 18 Unqualified Audit Opinion 19 Qualified Audit Opinion 20 Management and Board of Trustees Letter 21 Coordination with Internal Auditors 21 Appointment and Selection of External Auditors 22 Changes in the Appointment of External Auditors 22 Rotation of External Auditors 23 Professional Independence and Ethics 24 3.0 INTERNAL AUDITING 25 Internal Auditing Function 26 Internal Auditing Standards 27 Multi-Year Strategic and Annual Auditing Plan 28 Understanding the Control Environment. 30 Risk Assessment 31 Internal Auditing Process for an Assurance Services Engagement 32 Engagement Planning 33 Performing the Engagement 35 Communicating Results 35 Monitoring the Progress 36 Communication with the Audit/Finance Committee and Management 37 Consulting Engagements 37 Information Technology System Development 38 Fraud Investigations 39 Managing the Internal Auditing Activity 40 Quality Assurance and Compliance. 40 Internal Auditing Tools 42 Control Self-Assessment 42 Audit Software 43 Use of the Internet as an Auditing Tool 44 FG3: Auditing Guidelines Page 3 of 57 July 9, 2001
Electronic Commerce 44 APPENDICES APPENDIX 1: SAMPLE AUDIT/FINANCE COMMITTEE CHARTER... 45 APPENDIX 2: DETAILS OF THE FIVE COSO COMPONENTS... 47 APPENDIX 3: SAMPLE INTERNAL AUDIT CHARTER... 49 APPENDIX 4: SAMPLE LETTER OF ENGAGEMENT... 51 APPENDIX 5: SAMPLE EXTERNAL AUDITORS UNQUALIFIED AUDIT REPORT... 53 APPENDIX 6: SAMPLE INTERNAL AUDITING PROCESS... 54 APPENDIX 7: SAMPLE TERMS OF REFERENCE FOR AN AUDIT ENGAGEMENT... 55 APPENDIX 8: SAMPLE ACTION PLAN... 56 APPENDIX 9: SAMPLE CLIENT EVALUATION FORM... 57 FG3: Auditing Guidelines Page 4 of 57 July 9, 2001
MANDATORY COMPLIANCE REQUIREMENTS Centers should use the Auditing Guidelines as a reference guide on the best practices of auditing functions. However, at a minimum, Centers are expected to comply with the following mandatory compliance requirements: Chapter Paragraph Outline of Paragraph Corporate Governance 1.21 Internal Audit Charter External Auditing 2.1 GAAP and CGIAR Accounting Guidelines (FG2) 2.11 Engagement Letter 2.21 Audit/Finance Committee 2.22 Coordination with Internal Auditors 2.25 Internationally Recognized Accounting Firm 2.33 Rotation of External Auditors 2.36 & 2.38 Outsourcing to External Auditors Internal Auditing 3.6 Internal Auditing Function 3.11 IIA Standards 3.12 Risk-Based Audit Plans 3.37 Communication with the Audit/Finance Committee and Management 3.46 Quality Assurance Program FG3: Auditing Guidelines Page 5 of 57 July 9, 2001
INTRODUCTION The FG3 has been developed to provide a reference guide on the best practices of auditing functions. This paper serves as a guide for all members of Centers Boards of Trustees, Audit/Finance Committees of the Boards of Trustees, management, external auditors, and internal auditors of the CGIAR Centers. This new FG3 paper supercedes the 1995 version. Purpose of the FG3 The primary function of the FG3 is to establish a uniform auditing guideline. A uniform guideline helps to enforce the documentation of best auditing practices. Through such documentation, auditing functions could hence be carried out efficiently, thus minimizing confusion and error. Reasons for a uniform audit guideline To document the understanding between auditors and the management, including the Board of Trustees of the Center concerning the auditor s responsibilities. To provide a trail for new incumbents. FG3 becomes a uniform reference guide for auditors. Auditing is a systematic process. This ensures that every step is performed during each audit engagement to ensure consistency and objectivity. FG3 will ensure compliance with agreed auditing standards. This is important because auditing standards developed by expert practitioners are proven as optimal for external and internal auditing functions. In addition to providing uniformity, this best practice reference guide is also to reinforce the following: a) Standards -- to establish standards of auditing coverage. Such standards help ensure that the work is of the highest quality. b) Consistency -- to ensure that auditing approaches and activities are consistent throughout the CGIAR Centers. c) Information to serve as a centralized pool of auditing information. This information pool helps facilitate and expedite the auditing process. d) Training to serve as a helpful training device, especially for new members of the Board of Trustees, Audit/Finance Committee of the Board of Trustees, management, external auditors, and internal auditors. FG3: Auditing Guidelines Page 6 of 57 July 9, 2001
CHAPTER ONE: Corporate Governance Charter Responsibility & Authority Mission Function & Activities Principles & Standards Reporting FG3: Auditing Guidelines Page 7 of 57 July 9, 2001
1.0 CORPORATE GOVERNANCE About CGIAR and Corporate Governance 1.1 CGIAR is an informal association of over 50 public and private sector members supporting a network of 16 international agricultural research centers. Each Center is autonomous, operating under the authority of a legally constituted board, charged with fiduciary responsibility for the work of the Center. Hence, the effectiveness of each Center rests on the efficacy of its boards. 1.2 Corporate governance is a system by which a Center directs, manage, control, and monitor its activities. A typical corporate governance structures specifies rights and obligations 1, responsibilities and accountabilities, and decision-making among the different participants in a Center. The different participants include the Board of Trustees, Director General, management, and other stakeholders. 1.3 Good corporate governance by Center Boards is therefore, crucial to the continued success of the CGIAR system. The CGIAR Secretariat published in August 1997 a series of seven reference guides on the roles and operations of CGIAR Center Boards, which took into account new principles and practices of institutional governance. The seven guides in the series are based on National Center for Non-profit Boards (NCNB) materials and CGIAR reports on Center governance. The guides were reviewed by the Oversight Committee and the Committee of Board Chairs. Audit/Finance Committee of the Board of Trustee 1.4 The Audit/Finance Committee s role is critical in promoting good corporate governance. In addition to helping Boards be more efficient, active, and knowledgeable in the area of financial management and risk management, the Committee (typically through the Executive Committee of the Board of Trustees) could also help ensure even work distribution across all Board members. 1.5 The Audit/Finance Committee or equivalent, like the Board, focuses on strategic rather than operational issues. Its concern is to ensure that the Center has in place an ongoing appropriate system on governance and internal control. 1 For example, the US has recently signed into legislation the International Anti-Corruption and Good Governance Act. The Act has made it a primary goal of US aid to assist other countries combat corruption. Recipients of US aid are expected to comply with certain requirements such as reporting on whether they have taken steps to set up anti-corruption programs. FG3: Auditing Guidelines Page 8 of 57 July 9, 2001
1.6 Specifically, the Audit/Finance Committee has two major roles 2. First, it provides the Board oversight on the Center s audit of the annual financial statements by External Auditors. 1.7 Second, the Audit/Finance Committee is responsible for overseeing that the Center s financial integrity is maintained. To accomplish this, the Committee monitors to ensure that: The system of internal control designed by management is adequate and adhered. There is fair reporting of financial results. Operations and procedures are efficient and effective. There is compliance of management policies. 1.8 To effectively accomplish its roles, the Audit/Finance Committee must rely on the work, guidance, and judgment of the internal and external auditors. Typical areas of responsibilities of the Audit/Finance Committee include: a) Recommend appointment of External Auditors for approval by the full Board. b) Meet with External Auditors to review audited financial statements, significant audit adjustments, management judgments, accounting estimates, significant new accounting policies, and disagreements with management 3. c) Engage in a dialogue with the External Auditors with respect to any disclosed relationships or services that may impact their objectivity and independence 4. d) Review the Internal Audit Charter and the Internal Auditors plans and budgets to ensure they support the Internal Audit Unit s adequately and cost-effectively. e) Receive and review reports from External and Internal Auditors 5 on internal control. f) Monitor the organization framework of the Internal Auditing Unit, including appointment and removal of Internal Auditors, and the adequacy of staff in terms of academic and professional credentials and information technology experience. 2 The Reference Guide for CGIAR International Agricultural Research Centers and their Board of Trustees No. 4: Building Effective Board Committees, August 1997. 3 IIA, Inc. Auditing Standard, Section 380: Communication with Audit/Finance Committees. 4 Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit/Finance Committees, 1999. 5 Cadbury and Combined Code (Turnbull). FG3: Auditing Guidelines Page 9 of 57 July 9, 2001
g) Become familiar with the most significant risks that could prevent the Center from achieving its objectives, and take the necessary actions to address them. h) Promote a culture that values objective and objective analysis of management. i) Monitor adherence to the Center s policies on conflict of interest and codes of conduct. j) Report to the Board on the activities of the Audit/Finance Committee and the significant issues that have emerged from these activities as well as conveying concerns, if any, of the Committee. 1.9 Given the variability of roles and responsibilities that could be performed by the Audit/Finance Committee, it is useful, for the Audit/Finance Committee to have a written, specific statement of responsibilities (charter). This would cover all aspects from job definition and its relationships to the full Board, membership requirements, and its relationships with management and staff. See sample Audit/Finance Committee Charter on Appendix 1. Definition of Internal Control 1.10 CGIAR endorsed the definition of internal control as defined by the Internal Control Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 6. It provides a common definition by which Centers could assess their internal control systems and determine how to improve them. 1.11 Internal control is broadly defined as a process -- effected by the Center s Board of Trustees, management and other personnel -- designed to provide reasonable assurance regarding the achievement of objectives of the Center. Internal control consists of five inter-related components, which are derived from the way management runs a business, and are integrated with the management process. The five components are: Control Environment Risk Assessment Control Activities Information and Communications Monitoring Details of the five components are made available on Appendix 2. 6 More information on COSO is available from www.coso.org FG3: Auditing Guidelines Page 10 of 57 July 9, 2001
1.12 Internal control systems operate at different levels of effectiveness. It could be judged effective if the Board of Trustees and management have reasonable assurance that: a) They understand the extent to which the Center s operations objectives are being achieved. b) Published financial statements and donor reports are being prepared reliably. c) Applicable laws, regulations, and policies are being complied with. 1.13 Everyone in the Center has some responsibility for internal control, which could be an explicit or implicit part of the job description (or human resource policy or employment contract). However, the Director General is ultimately responsible and assumes ownership of the internal control system. 1.14 The Director General sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. Since management is accountable to the Board of Trustees, Board members should discuss with management the state of the entity's internal control system and provide oversight as needed. They should seek input from the internal and external auditors. 1.15 Internal auditors play an important role in evaluating the effectiveness of control systems, and contribute to ongoing effectiveness. Because of organizational position and authority in the Center, an internal auditing function often plays a significant monitoring role. 1.16 External auditors, bringing an independent and objective view, contribute directly through the financial statement audit and indirectly by providing information useful to management and the Audit/Finance Committee in carrying out their responsibilities. Definition of Internal Auditing 1.17 The Institute of Internal Auditors, Inc. has defined internal auditing to be an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. 1.18 The new definition on internal auditing requires internal auditors to add value to management. It therefore aims to make internal auditing a contribution to management effectiveness through the provision of independent and objective reviews of a wide range of activities. The trend towards a broadening of both the subject matter and scope of internal auditing meant that the skills of internal FG3: Auditing Guidelines Page 11 of 57 July 9, 2001
auditors should be broadened 7. Hence, it adopts a multi-disciplinary approach in staffing the internal auditing function. This multi-disciplinary approach signals that internal auditing is now involved in financial and non-financial areas within the Centers. 1.19 Further to this goal, the contemporary approaches to internal auditing dictate the scope of the audit role are broadened to include all areas within the Center. Every part of the Center could benefit from a fresh and independent view of operation, and internal auditing could only fulfill this role if the desired skills mix is present. 1.20 In addition, the modern approach to internal auditing means that staff assigned to audit engagements would be dealing with senior management. They would be providing an internal management consultancy service. The move towards a more explicit internal business consultancy role for internal auditing is an important development. It represents a move to diagnose significant problems and develop recommendations and proposals on how best to resolve them. Centers should, therefore, allocate training resources to enhance internal auditors knowledge, skills, and competencies through continuing professional development. Internal Audit Charter 1.21 The purpose, authority, and responsibility of the internal auditing function should be formally defined, consistent with the definition of internal auditing, and approved by management and/or the Audit/Finance Committee. Internal auditors should report at a level within the Center that allows them to accomplish their responsibilities (e.g., Director General). Also, to enhance the independence of the internal auditing function, Internal Auditors should report to the Director General and have free access to the Audit/Finance Committee of the Board of Trustees. 1.22 Because each Center is independent and have varying expectations from the internal auditing function, it is essential for Internal Auditors to hold discussions with management and the Audit/Finance Committee on their expectations from internal audit. An Internal Audit Charter is one mechanism to formalize the agreement. The charter is a formal written document that defines the purpose, authority, and responsibility of the internal auditing function (see sample Internal Audit Charter on Appendix 3). The Director General and/or the Audit/Finance Committee could approve the charter. 7 The IIA has developed the Competency Framework for Internal Auditors (CFIA). The CFIA relates to the way an internal auditor uses, assess, and develop knowledge, skills, and attitudes to perform different work tasks. FG3: Auditing Guidelines Page 12 of 57 July 9, 2001
A typical charter would cover the following: Establish the internal auditing function's reporting position, accountability, and responsibilities within the Center. Authorize access to records, personnel, and physical properties relevant to the performance of audits. Define the scope of audit activities. 1.23 In addition, Internal Auditors should periodically assess the charter to determine whether the purpose, authority and responsibility defined in the charter continue to be adequate to enable the Internal Auditing Unit to accomplish its objectives. The results of this periodic assessment and any required changes are communicated to Director General and to the Audit/Finance Committee. FG3: Auditing Guidelines Page 13 of 57 July 9, 2001
CHAPTER TWO: External Auditing Responsibility & Authority Objectives Function & Activities Coordination Appointment & Selection FG3: Auditing Guidelines Page 14 of 57 July 9, 2001
2.0 EXTERNAL AUDITING Introduction 2.1 External auditors provide independent assurance to the Board of Trustees, the CGIAR Secretariat, and the CG community that the financial statements of Centers are free from material misstatement 8. Specifically, the objective of an external audit is to opine on the fairness of the financial statements and disclosures. This should be done in accordance with the Generally Accepted Accounting Principles (GAAP) and the CGIAR Financial Guidelines No. 2: Accounting Guidelines (FG2). The CGIAR Secretariat periodically updates the FG2 to ensure its consistency with the latest authoritative accounting pronouncements issued by the International Accounting Standards and the US Financial Accounting Standards Board 9. 2.2 It is well recognized that national standards on auditing published in many countries differ in form and content. The International Auditing Practices Committee of the International Federation of Accountants 10 recognizes such documents and differences. In the light of such knowledge, the body issues International Standards on Auditing (ISA), for international acceptance. A codified core set of international standards on auditing were completed and released in 1994. The release of the core set has led to a growing acceptance of the standards by national standards setters and auditors involved in global reporting and cross-border financing transactions. Centers should, therefore, ensure at the minimum the application and use of ISA by external auditors. Responsibility for Accuracy of Financial Statements 2.3 Examination of financial records by external auditors (and internal auditors) is not primarily or specifically designed, and cannot be relied upon, to disclose all errors and fraud. The responsibility for safeguarding and maintaining a Center's 8 A material misstatement includes material errors, material fraud, and certain illegal acts that have a direct and material effect on the determination of line item amounts in the financial statements. 9 At present, the FG2 is more specifically in accordance with the US Financial Accounting Standards for not-for-profit organizations for lack of available authoritative guidance by International Accounting Standards for not-for-profit organizations. The situation however, might change in the next revision of the FG2. 10 The International Federation of Accountants (IFAC) is an organization of national professional accountancy organizations. Most, if not all, of the countries that CGIAR Centers operate in are member bodies of IFAC. FG3: Auditing Guidelines Page 15 of 57 July 9, 2001
assets, its records, and the prevention and detection of errors and fraud rests with the Center. 2.4 The external auditors however, have a responsibility to plan and perform the audit to obtain reasonable assurance that the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the external auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected. 2.5 The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance on misstatements, whether caused by errors or fraud, that are not material to the financial statements. They have a reasonable expectation of detecting material misstatements in the financial statements resulting from fraud. If fraud is discovered, they must report either to the Board of Trustees or the management of the Center, as appropriate. Scope and Objectives of an External Audit 2.6 The scope of an external audit is to examine each Center s financial statements, underlying financial records, and internal control systems necessary to opine on the financial statements. External auditors report to the Board of Trustees on the financial statements presented. The extent of the matters to be considered cannot be limited, either by the Center or by the Board. Thus, no provision in the Center's incorporation legislatures could restrict the scope, duties, and rights of the external auditors 11. 2.7 The desired outcome of an external audit is to provide an assurance that the financial statements comprising the Statement of Financial Position, Statement of Activities, Statement of Cash Flows, and the accompanying notes and schedules (exhibits) to the financial statements for the current and corresponding years, present fairly the results and financial position of the Center. 11 They can, however, be extended. For example, external auditors can be asked to make a more detailed examination of certain aspects of the activities than they would normally make for the purpose of their audit, or to examine records, which do not come within the scope of their audit. FG3: Auditing Guidelines Page 16 of 57 July 9, 2001
Typical Areas of Audit Identify, test, and appraise the system of internal controls as it relates to the preparation of financial statements. Ascertain the extent of compliance with the relevant policies and procedures. Ascertain the extent to which assets are properly controlled and safeguarded from losses. Ascertain the reliability of the accounting and other records used in preparing the financial statements. Ascertain that the internal control systems are effective to prevent material misstatements and fraud. 2.8 Further, to fulfill their obligations in a mandated professional manner, Centers should recognize that external auditors are accorded certain rights to carry out their duties for the Board. The rights include: a) A right of access to the accounting records, accounts, and vouchers of the Center at all times. b) A right to acquire from the Center's officers such information and explanations as the auditors consider necessary to perform their duties. The right to require information and explanations are left to the discretion of the auditors rather than to the Center. If such information and explanations as they consider necessary for the audit are refused, they must state this in their audit report and consider qualifying their opinion as to whether the accounts show a fair view. c) A right to be heard at any Board annual meeting, which concerns them as external auditors. Further, an auditor who is removed or replaced has certain rights to make representations. d) A right to visit the Center offices at any time, without formal prior notice, to inspect the Center's accounting records or to carry out surprise checks. Normally, the auditors arrange to carry out their audit work at a time convenient to them and the Center. 2.9 At all times, the external auditors are expected to exercise due professional care in the planning and performance of the audit and the preparation of the audit report. Letter of Engagement FG3: Auditing Guidelines Page 17 of 57 July 9, 2001
2.10 A Center should have written engagement letters that outlines the mutual understanding for each audit engagement 12. This understanding reduces the risk that either the external auditor or the Center may misinterpret the needs or expectations of the other party. For example, it reduces the risk that the Center may rely on the external auditor to protect it against certain risks or to perform certain functions that are the Center s responsibility. 2.11 Such understanding should include the objectives of the engagement, management s responsibilities, the external auditor s responsibilities, and limitations of the engagement. The duties of the external auditors should be clearly stated in an engagement letter (see sample Letter of Engagement in Appendix 4). Points to cover in an engagement letter Audit scope and objectives Respective duties and responsibilities Communications protocols and confidentiality Timetable, hours, fees, and expenses Deliverables and outcomes of the audit Other work and consultations Designation of a partner responsible for the audit Audited Financial Statements 2.12 The external auditors report, including the audited financial statements, is usually presented to the Board of Trustees. The report should opine on the fairness of the financial position of the Center as shown in the Statement of Financial Position, the financial performance as shown in the Statement of Activities, the movement in cash and cash equivalents as shown in the Statement of Cash Flows, and the accompanying notes and schedules (exhibits) in support of the financial statements. 12 In addition to the financial statement audit, some donors may require Centers for an external audit of the restricted funds administered by Center to ensure that the funds have been properly applied to those purposes and, if relevant, managed in accordance with relevant regulations and procedures. FG3: Auditing Guidelines Page 18 of 57 July 9, 2001
Typical schedules that form part of the Center s audited financial statements could include: Statement of Grant Revenue Schedule of Restricted Projects Schedule of Fixed Assets Details of Operating Expenses Statement of Movement of Net Assets 2.13 To encourage compliance with the FG2, the CGIAR Secretariat commissions a public accounting firm 13 to review the Centers audited financial statements to ensure that the accounting standards promulgated in the FG2 are applied consistently by all Centers. Also, such compliance review assists the CGIAR Secretariat in keeping the FG2 up-to-date with new authoritative accounting pronouncements for non-profit organizations. Unqualified Audit Opinion 2.14 An unqualified ( clean ) opinion in the external auditors report would state the scope, standards of the audit, and the audit opinion. In deciding on their audit opinion, external auditors would take into account the materiality of the point at issue in the context of the true and fair view of the financial statements on which they are proposing to report. An unqualified audit report is one in which the external auditors are able to report the following: a) That the financial statements have been audited in accordance with the International Standards on Auditing. b) That the financial statements give a fair view of the financial position, activities, and cash flows. c) That the financial statements were prepared in accordance with generally accepted accounting principles and the FG2. d) Are satisfied that proper accounting records, including records and reports from field (outreach, country, or regional) offices, have been kept. e) All the information and explanations required have been obtained. 13 The CGIAR Secretariat initiated the compliance review in the years 1998 and 1999 using a Big-5 public accounting firm. FG3: Auditing Guidelines Page 19 of 57 July 9, 2001
2.15 The absence of any comment in the audit report with respect to these matters is equivalent to a positive affirmation by the auditors. An unqualified opinion in the audit report, therefore, would mean the external auditor could provide reasonable assurance that the financial statements represent a true and fair view of the activities of the Center, which include the absence of material misstatements. See sample External Auditors Unqualified Audit Report on Appendix 5. 2.16 However, in exceptional cases, the auditor may modify the audit report by adding an emphasis of matter paragraph to highlight a matter affecting the financial statements. This could be included in a note to the financial statements that more extensively discusses the matter. The addition of an emphasis of matter paragraph does not affect the auditor s unqualified opinion. For example, an emphasis of matter could be used to highlight ongoing concern issues whose outcome depends on future actions or events not under the direct control of the Center but that may affect the financial statements. Qualified Audit Opinion 2.17 A qualified opinion in the external auditors report would mean that the external auditor is not satisfied with one or more of the conditions for an unqualified report. A qualified report would comprise: Scope Qualification -- if the report is qualified in more than one respect, each qualification should normally be dealt with in a separate paragraph. The qualified opinion 2.18 Auditors qualify their audit opinions when they conclude the following: a) That there is a limitation on the scope of the auditor s work. b) That there is a disagreement with management regarding the acceptability of the accounting policies selected, the method of their application, or the adequacy of financial statement disclosures. 2.19 There are three categories of qualified opinions that the auditors could express: a) An except for opinion is expressed when the auditor concludes that the effect of any disagreement with management, or limitation on scope is not so material and pervasive as to require an adverse FG3: Auditing Guidelines Page 20 of 57 July 9, 2001
opinion or a disclaimer of opinion. A qualified opinion is expressed as being except for the effects of the matter to which the qualification relates. b) A disclaimer of opinion is expressed when the possible effect of a limitation on scope is so material and pervasive that the auditor has not been able to obtain sufficient appropriate audit evidence and accordingly is unable to express an opinion on the financial statements. c) An adverse opinion is expressed when the effect of a disagreement is so material and pervasive to the financial statements that the auditor concludes that a qualification of the report is not adequate to disclose the misleading or incomplete nature of the financial statements. Management and Board of Trustees Letter 2.20 After the completion of each audit, the external auditors should report promptly to the Board of Trustees and the Center any significant financial accounting and control issues arising during the audit by way of a management letter (or internal control letter). External auditors should issue the letter, with appropriate management responses, to the Audit/Finance Committee in time for the Board of Trustees annual meeting, typically no later than two months after issuing an opinion on the financial statements. Further, the management letter could be used as a communication tool to provide Centers with constructive advice on: (a) enhanced use of information technology tools and applications, (b) use of web-based and electronic tools, and (c) efficiency gains in reducing indirect costs. 2.21 Also, external auditors should be invited to attend the Audit/Finance Committee meetings to discuss the conduct and findings of the audit. External auditors may be required to discuss certain information relating to the auditor's judgments about the quality, and not just the acceptability of the accounting principles. Further, the Audit/Finance Committee could request external auditors for a memorandum for the Board of Trustees, in addition to the management letter, which summarizes or highlights major issues that came to the auditors attention during the audit as a standard output for the audit. Coordination with Internal Auditors 2.22 Centers should ensure that the external auditors work closely with the Center s internal auditors to help achieve cost efficiency. This would in effect reduce the time and effort expended in areas that are of common interest to both FG3: Auditing Guidelines Page 21 of 57 July 9, 2001
auditors (e.g., audit of field offices). Coordination between the external and internal auditors should be translated into specific areas and procedures, outlining the actions and respective responsibilities. Also, the coordination, which may include reviewing the work of internal auditors, could be incorporated in the external auditors audit planning document before the external auditors commence the audit. 2.23 Further, the external auditors should consult the internal audit reports to identify areas needing greater focus, where internal control systems are inadequate. Such consultation would help the external auditors plan the audit work more effectively. Appointment and Selection of External Auditors 2.24 At each annual meeting of the Board of Trustees, at which the Center's audited financial statements are presented, the Center should recommend the appointment of an external auditor to hold office from the conclusion of that meeting until the next annual meeting. A retiring external auditor may be reappointed at the annual meeting. 2.25 All external auditors of the Centers must be from one of the internationally recognized (e.g. Big-5) public accounting firms. 2.26 Should the external auditor position becomes vacant before the expiry of the term, the Center may, in consultation with the Audit/Finance Committee, appoint another external auditor to fill the "casual vacancy". 2.27 In selecting an external auditor, Centers may wish to consider the following selection criteria: a) The personnel size and qualifications of the firm in the host country. b) The firm s clientele. c) The firm s proven and demonstrated experience in auditing international non-profit organizations in the host country. d) The firm s audit methodology, approach, and use of information technology audit tools. Changes in the Appointment of External Auditors 2.28 The rules of professional conduct relating to the resignation and removal of external auditors are designed to protect the interest of the Board of Trustees. It is the right of the Board to appoint the external auditor of their choice. This right is FG3: Auditing Guidelines Page 22 of 57 July 9, 2001
protected by preventing the possibility of the auditor being removed without the Board's assent, or the auditor resigning. 2.29 A Center's external auditors may resign with a written notice of resignation at the Center's head office. The notice would finalize the external auditors' last day of service. The external auditors' notice of resignation would not be effective unless it contains the following: a) A statement that there are no circumstances connected with the resignation of the external auditors which they consider should be brought to the notice of the Center's creditors, donors, or the CGIAR Secretariat; or b) A statement of any circumstances connected with the resignation. 2.30 Within 14 days of receipt of a notice of resignation, the Center must send a copy of the notice to the Audit/Finance Committee and the CGIAR Secretariat. The external auditors may call the Board of Trustees or its Audit/Finance Committee to convene a meeting to receive and consider any explanation of the circumstance connected with the resignation. External auditors who have resigned are entitled to attend and to be heard at any part of the Board of Trustees meeting that concerns them as former external auditors of the Center. 2.31 Typically, the authority for the removal of external auditors rests solely with the Board of Trustees. The reasons for this are to preserve the right of the Board of Trustees to appoint the external auditors of their choice. Additionally, this would ensure the external auditors' independence of management by not permitting management, who may be in disagreement with the auditors, to dismiss them. 2.32 Where it is proposed that auditors be removed before the expiry of their term, the external auditors have the right to make representations. Any notice to the Board of Trustees resolutions to remove the external auditor must be copied to the CGIAR Secretariat within 14 days. Rotation of External Auditors 2.33 All Centers should have a formal Board-approved policy on the rotation of external auditors once in five or seven years. The rotation of auditors means changing the current external auditor to another new external auditor (see paragraph 2.25) through competitive bidding. Professional Independence and Ethics FG3: Auditing Guidelines Page 23 of 57 July 9, 2001
2.34 The purpose of this section is not to replicate all the rules on professional independence and ethics of the accounting profession. External auditors typically belong to national and international 14 accounting associations with committees that establish standards promoting professional independence and ethics for their members. 2.35 Such standards could range from and include guidelines essential to maintaining auditor s independence, such as: The official, professional and personal relationships causing the auditor to limit the extent or character of the audit. Any responsibility in the executive management at the Center. Any interest, financial or non-financial, direct or indirect, in the Center. 2.36 On the issue of internal audit outsourcing, a Center s external auditor cannot assume significant responsibilities for performing internal auditing when the auditor has to retain independence in both fact and appearance. Public interest requires that external auditors independence be protected, and situations jeopardizing that independence be reported publicly. 2.37 Similarly, the Institute of Internal Auditors, Inc. 15 (IIA) has opined that outsourcing the entire internal auditing function to a Center's external auditors impairs independence. 2.38 Therefore, Centers that do not have in-house internal auditors should avoid total outsourcing of the internal auditing function to the Center s external auditors. However, outsourcing individual audit engagements or a well-defined portion of the internal auditing function, under the management and direction of the Center s internal auditor, does not necessarily impair independence. It is well recognized that such arrangements with outside internal auditing service providers have been effective in helping internal auditing functions contribute to management s strategic objectives. 14 For example, the International Federation of Accountants (IFAC) and the American Institute of Certified Public Accountants (AICPA) have set standards dealing with auditor independence. 15 IIA, Inc., serves as the internal auditing profession's watchdog and resource on significant auditing issues around the globe. FG3: Auditing Guidelines Page 24 of 57 July 9, 2001
CHAPTER THREE: Internal Auditing Function & Activities Standards Planning Risk Assessment Fraud Investigations Managing & Monitoring Audit Software Electronic Commerce 3.0 INTERNAL AUDITING FG3: Auditing Guidelines Page 25 of 57 July 9, 2001
Internal Auditing Function 3.1 With increased attention to the governance and accountabilities of Boards and management, there have been significant developments in the role of the internal auditing function. The audit focus has changed from the verification of transactions with detection of irregularities as a major objective, to a more comprehensive consultative process. This process includes evaluation of operations based on the adequacy of the internal control systems designed by management 16. 3.2 There has been noted emphasis on expanding the role of the internal auditing function in many Centers. Center management has upgraded the internal auditing function to provide a systematic and independent review of all activities. In so doing, internal auditing could provide assessment and advice to management regarding the Center s efficiency and economy, as well as the effectiveness of the internal control system. 3.3 Further, internal auditors could assist a Center achieve its goals by reviewing programs to evaluate the following: Goals and objectives have been established and are consistent with those of the organization. Adequate performance criteria have been established to measure accomplishment. The manner in which goals and objectives are met is consistent with organizational values. Accountability has been established. 3.4 Since Center Boards are responsible for making and monitoring policies within the Center, the auditing function could provide independent assurance to the Center Board, typically through the Audit/Finance Committee. Such a role would ensure internal audit provide high-level reviews of the governance and internal control structure of Centers. 3.5 Further, an internal auditing function carried out with a professional approach could serve an important function in promoting the integrity of the activities and corporate accountability. Improved efficiency, effectiveness, and economy are also expected to accrue to the Center through this exercise. The 16 Adequate control is present if management has planned and organized (designed) in a manner, which provides reasonable assurance that the Center s objective will be achieved efficiently and economically. FG3: Auditing Guidelines Page 26 of 57 July 9, 2001
relationship between internal auditing and the Audit/Finance Committee itself could also support the desired independence and objectivity of the internal auditing function. 3.6 Center Boards should ensure that management establishes an internal auditing function. Further, Center Boards and management should retain the internal auditing function in-house or outsource the function in whole or in part, subject to the restriction in paragraph 2.38 3.7 Outsourcing is a management tool that could be used to either delegate all or part of the internal auditing function by: (a) seeking assistance from internal auditors of other CGIAR Centers, (b) co-sharing the internal audit function with other Centers, or (c) buying from third party service provider (e.g., Big-5 public accounting firm). 3.8 Reasons behind outsourcing or co-sharing include reducing and controlling indirect costs, improving institutional focus, and gaining access to world-class capabilities. Outsourcing/co-sharing the internal auditing function or a specific internal auditing activity could be a deliberate management strategy. In co-sharing a specific activity, the Center internal auditor would need to: (a) assess the resources required to achieve the Annual Auditing Plan with optimal coverage and (b) manage the co-sourcing arrangement to ensure delivery of quality internal auditing service. Internal Auditing Standards 3.9 The internal auditing profession is in a period of change. In June 2000, the Institute of Internal Auditors, Inc. (IIA) approved the issuance of a new Code of Ethics 17. Further, the IIA plans to issue a great deal of additional professional guidance in the next several years. This guidance would cover a wide range of subjects and would include major changes to the Standards for the Professional Practice of Internal Auditing ( Standards or commonly known as the Red Book ). The existing Standards were originally approved in 1978. 3.10 The new IIA Standards consist of Attribute Standards, Performance Standards, and Implementation Standards. a) The Attribute Standards address the characteristics of organizations and individuals performing internal auditing activities. 17 The Code of Ethics is available in English, French, and Spanish from the IIA s website: www.theiia.org. The Code of Ethics calls for high standards of honesty, objectivity, diligence, and loyalty. FG3: Auditing Guidelines Page 27 of 57 July 9, 2001
b) The Performance Standards describe the nature of internal auditing activities and provide quality criteria against which the performance of these services could be measured. The Attribute and Performance Standards apply to internal auditing services in general. c) The Implementation Standards apply the Attribute and Performance Standards to specific types of engagements for example, a compliance audit, a fraud investigation, or a control self-assessment project. While there would be one set of Attribute and Performance Standards, there could be multiple sets of Implementation Standards: a set for each of the major types of internal auditing activity. 3.11 Internal auditors should comply with the IIA Standards. The present standards shall apply until the newly issued standards becomes effective on 1 January 2002, however, their earlier use is encouraged. Multi-Year Strategic and Annual Auditing Plan 3.12 Preparing an auditing plan, whether a multi-year strategic or one-year annual plan, is probably one of the most important activities for internal auditors. Internal auditors should establish risk-based plans to accomplish the objectives of the internal auditing activity. This is not only consistent with the Center s goals, but also goes to ensure that the plans are driven by the Center s needs. Internal auditors could be most at-risk in the Center if such plans fail to be relevant to the needs of the Center. 3.13 The first step towards ensuring relevancy is to expand the focus on control activities to include the entire internal control system. Doing so requires internal auditors to consider all risks the Center may face. From here, the risk assessment could be used to direct the limited internal auditing resources to the critical areas identified by Center management and Audit/Finance Committee. Only when internal auditors expand their thinking from control activities to evaluation of internal control system, can true value be added to the organization. 3.14 Second, valuable internal auditing services are well suited to the Center if they are closely aligned with the Center s objectives, strategies, work processes, and circumstances. Suitability also depends largely on whether the internal auditing services cover the Center s significant functions, and the contexts and changing conditions within which the Center operates. 3.15 Further, internal auditing services could add substantive value to the Center by providing assurance that its risk exposures are understood and managed appropriately. This puts the Center in control of its risk exposures under changing conditions. Substantive internal auditing services, therefore, promote organizational understanding about and focus on risk exposures and FG3: Auditing Guidelines Page 28 of 57 July 9, 2001
their management. In addition, the services contribute to the improvement of risk management and control systems. 3.16 In preparing the auditing plan, internal auditors may wish to consider these strategies for managing the risk of irrelevance 18 : a) Consult with Center management (and Audit/Finance Committee) to determine the services required from internal auditors. This is to assure that risk exposures are understood and managed appropriately in changing contexts. b) Determine the capabilities required by the internal auditing function. Capabilities range from employed and contracted staff, tools, techniques, and infrastructure, with the understanding that those needs would develop and change over time to meet the Center s requirements. c) Recognize the dynamics of internal auditing external and organizational environments to identify the source of risk to the internal auditing function. d) Develop an appropriate risk management plan for the internal auditing function. e) Create opportunities for internal auditing by negotiating and/or constructing the contexts within which internal auditing work is conducted. 3.17 The intent of the FG3 is not to prescribe the format, content, timeline or form of the auditing plan, since it is be driven by the needs of each Center. More important, however, is the recognition that an auditing plan serves the following purposes: Auditing Plan Highlights key activities to be reviewed. Incorporates input from management to ensure that the plan. accords with the priorities of Center management. 18 As suggested Allows by comparisons the Competency Framework between for work Internal completed Auditors (CFIA). and the scheduled assignment. FG3: Auditing Provides Guidelines direction and control Page on 29 the of 57 internal auditing activities. July 9, 2001 Facilitates communication with other review activities,