SECTION B DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT

Through CGIAR Financial Guideline No 3 (Auditing Guidelines Manual) the CGIAR has adopted the IIA Definition of internal auditing as set out in the IIA Standards, as well as the principles of independence, authorities and responsibilities in the Standards.

Overall Definition [1]

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Definition of Assurance and Consulting Services [1]

Assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, an operation, a function, a process, system or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system or other subject matter (the process owner), (2) the person or group making the assessment (the internal auditor), and (3) the person or group using the assessment (the user).

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice (the internal auditor), and (2) the person or group seeking and receiving the advice (the engagement client). When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.
[1] Extract from the Introduction to the IIA Standards.

Version: July 31, 2009 Page B: 1
Ref. | Policy and Practice Requirements | IIA Standards and Other References

B 1 Policy: The purpose, authority, responsibility and reporting lines of the internal auditing function shall be formally defined within each Center, consistent with the Definition of Internal Auditing. This should be done via a written Internal Audit Charter for each Center, agreed by management, endorsed by the Board of Trustees Audit Committee and approved by the full Board. The Internal Audit Charter shall (a) establish the internal audit activity's position and independence within the Center; (b) authorize access to records, personnel and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities. The Internal Audit Charter shall recognize the adoption and mandatory nature of the IIA's International Professional Practices Framework (IPPF), comprising the Definition of Internal Auditing, the Code of Ethics, and the Standards. The Head of Internal Audit for the Center shall periodically review the Charter to ensure that it remains appropriate and in line with the IIA Standards. Amendments should be agreed with management, endorsed by the Board of Trustees Audit Committee and approved by the full Board.

A standard template for a Center Internal Audit Charter has been prepared by the CGIAR IAU, and is appended to a Good Practice Note on Internal Audit Charters. This draws on existing good practice within the CGIAR Centers, the IIA Standards and Practice Advisories, and also other external guidance researched by the CGIAR IAU. All pre-existing Center Internal Audit Charters, where they exist, shall be reviewed against this template, and where appropriate recommendations made to the Center for amendment to bring these substantively into line with the template. Where Charters have not been in place, a proposed Charter shall be submitted to the Center for approval. In implementing any changes associated with the new Standard 1010, which came into force from the beginning of 2009 with the launch of the new IPPF, the Head of Internal Audit should explain the IPPF to senior management and the Audit Committee at the time changes are proposed.

IIA Standards and Other References:
- Standard 1000 Purpose, Authority and Responsibility: The purpose, authority and responsibility of the internal audit activity must be formally defined in the internal audit charter, consistent with the Standards, and approved by the board.
- Standard 1000.A1: The nature of assurance services provided to the organization must be defined in the internal audit charter.
- Standard 1000.C1: The nature of consulting services must be defined in the internal audit charter.
- Standard 1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter: The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.
- Practice Advisory 1000-1 Internal Audit Charter.

B 2 Policy: Assurance engagements shall be those which are primarily undertaken to verify or validate the status of internal controls or other risk mitigations, to verify financial information, or to confirm the effective implementation of certain defined activities or arrangements. They include validations performed under ISO audits or as mandated in project agreements. Internal audit will also normally make recommendations for improvements where the need for this is identified in the course of these engagements.

B 3 Policy: Consulting (or advisory) engagements shall be other engagements which are primarily undertaken to:
- provide advice on internal controls or other risk mitigations during the design phase of a new system or organization;
- provide advice on draft policies, procedures or guidelines;
- provide probity audit services on the acquisition and implementation of major new systems;
- facilitate the identification by management and staff of the key risks to the organization, the assessment of those risks and the identification and assessment of internal controls and other mitigations for the risks;
- research external practice with a view to providing advice to management and staff on systems of internal control or other risk mitigation for particular aspects of operations, where these are not yet in place in the organization;
- coordinate surveys of, or self-assessments by, management or staff on various topics relevant to the governance, accountability and risk management of the organization;
- provide explanations and clarifications of the applicability of accounting, auditing, compliance, or other standards under various scenarios;
- raise awareness and train managers and staff on such topics as risk management, internal control, accounting or auditing;
- provide advice to various management committees.

B 4 Policy: Consulting activities shall be agreed with management in such a way that: a) it is clear that the internal auditor will have no decision-making responsibilities regarding policies, managing organizational risks, implementing internal controls, revisions to organization structure or staffing, accounting classifications or approval of transactions; and b) the activities are carried out consistently with the overall values and goals of the Center.

Consulting activities should not be confused with secondments to non-audit activities. If they are to be Internal Audit consultancies, the principles of audit independence need to be maintained. Consulting advice provided by internal auditors should be fully consistent not only with Center internal values, goals and ethics policies, but also with applicable laws and the reasonable expectations of stakeholders for publicly funded international organizations. Advice should not include information on how to circumvent these expectations, and should promote their full adherence.

IIA Standards and Other References:
- Practice Advisory 1120-1 Individual Objectivity, para 4.
- Standard 2110.C1 Governance: Consulting engagement objectives must be consistent with the overall values and goals of the organization.

B 5 Policy: The Center's Internal Audit Charter shall provide for the following independence elements:
a) the Charter and any updates are approved by the Board;
b) the Head of Internal Audit for the Center shall report directly to both the Director General of the Center and to the Board of Trustees, through the Audit Committee;
c) the Head of Internal Audit shall not normally have responsibilities additional to those relevant to the internal audit activity;
d) the Head of Internal Audit shall be free to determine the scope of, and the manner in which, the internal audit work shall be carried out, and shall be responsible for the contents of internal audit reports issued;
e) the Board, through the Audit Committee, shall be the responsible body to review and approve the appointment and removal of the Head of Internal Audit, the overall organization and budget arrangements for the internal audit activity, and the annual and medium-term internal audit work plans.

IIA Standards and Other References:
- Standard 1100 Independence and Objectivity: The internal audit activity must be independent, and internal auditors must be objective in performing their work.
- Standard 1110 Organizational Independence: The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
- Standard 1110.A1: The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.
- Practice Advisory 1110-1 Organizational Independence.
- Standard 1111 Direct Interaction With the Board: The chief audit executive must communicate and interact directly with the board.
- Practice Advisory 1111-1 Board Interaction.

B 5:1 Practice Requirement: Reports of all assurance and consulting engagements shall normally be addressed to the Director General. Alternatively, summary reports of the results of such engagements should be periodically made to the Director General.

B 5:2 Practice Requirement: Reports of all assurance and consulting engagements shall normally be available to members of the Audit Committee and other Board members. Each Center has its own arrangements (e.g. on request, posted to the Board website).
B 5:3 Practice Requirement: Six-monthly and/or annual activity reports, summarizing the assurance and consulting activities and other aspects of the operation and performance of the internal audit function, shall be made to the Director General and the Audit Committee ahead of the Audit Committee meetings. This will provide an input into the evaluation of the internal audit activity by the Audit Committee.

Whenever possible, the Head of Internal Audit, or another senior auditor in her/his absence, should physically attend Audit Committee meetings, for all sessions except those designated as closed sessions by the Committee (e.g. private sessions with the external auditor, discussion of internal audit performance). Audit Committee agendas should at least annually include a confidential session with the Head of Internal Audit as a routine item. This can be promoted through reviews of the Audit Committee Terms of Reference and agendas.

Summary reports presented to the Audit Committee should be available to all Board members, as part of the Board meeting information package. This is normal practice among Center Boards, wherein all papers for standing committees are provided to all members for their information.

The CGIAR IAU Good Practice Note on Audit Committee Terms of Reference provides guidance on the terms of reference and meeting agenda to promote the communication between the Head of Internal Audit and the Audit Committee.

B 6 Policy: Internal auditors shall not be assigned functions which might impair, or give the appearance of impairing, their objectivity and independence.

IIA Standards and Other References:
- Standard 1120 Individual Objectivity: Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
- Practice Advisory 1120-1 Individual Objectivity.

B 6:1 Practice Requirement: The Head of Internal Audit shall not assign an internal auditor to an assurance engagement where the internal auditor may have a potential or actual impairment of objectivity. Such engagements may include audits in areas where the internal auditor:
- was recently assigned non-audit responsibilities;
- has a relative or close associate in a managerial or other key staff position;
- may be seen as having a bias against persons in managerial or other key staff positions.

Internal auditors may be assigned to provide staff support to other independent, external reviewers such as external auditors, CCER and EPMR teams. In such cases the internal auditor will be considered to be on secondment and will work under the direction of the external reviewers. However, in such cases the assignment will not be considered an internal audit product, but rather a non-audit support product.

Internal auditors will inform the Head of Internal Audit of any situation where there may be a potential or actual impairment of objectivity related to their assignment to particular audits. In such cases the Head of Internal Audit will determine if this is significant enough to avoid any assignment of the internal auditor to such engagements, and discuss this with the auditee management. If the impairment is not deemed sufficient to void the assignment, this will still be discussed with the audit client management.

In some cases, with the agreement of the Director General, an internal auditor may be seconded within the Center to undertake non-audit functions. Where the secondment is for longer than one week, the internal auditor will not be assigned to undertake assurance engagements related to the non-audit functions in the following 12 months. However, the internal auditor may be assigned consulting assignments within that period as well as after.

In unusual situations, Center management may request the Head of Internal Audit or other internal audit staff to undertake, for an extended period, non-audit functions to help with a particular situation facing the Center. In such cases, alternative arrangements should be agreed for internal audit assurance coverage of the area for at least 12 months after such secondment. This may be obtained through the CGIAR IAU or another Center internal auditor. Alternatively, it may be agreed with the external auditor to increase its assurance coverage of the area as a substitute for internal audit coverage, if the secondment relates to financial accounting functions.

Where a staff member is recruited into internal audit, or is seconded to internal audit, from a line function, they will not be assigned to undertake assurance engagements related to their previous functions in the following 12 months.

However, non-audit staff may accompany internal auditors in the audits of areas they supervise or have some oversight responsibility for (e.g. Headquarters Corporate Services staff accompanying internal auditors on regional office audits). In such cases the overall responsibility for the audit scope, procedures, and reporting must remain with the internal auditor.

In the case of recurrent audits, where possible, an internal auditor should not be assigned the same assurance engagement more than twice before another internal auditor is assigned to carry out the audit. If this is difficult to implement, the quality assurance review should at least be rotated.

IIA Standards and Other References:
- Standard 1130 Impairment to Independence or Objectivity: If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.
- Standard 1130.A1: Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
- Standard 1130.C1: Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
- Standard 1130.C2: If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
- Practice Advisory 1130-1 Impairment to Independence or Objectivity.
- Practice Advisory 1130.A1-1 Assessing Operations for which Internal Auditors were Previously Responsible.
- Practice Advisory 1130.A2-1 Internal Audit's Responsibility for Other (Non-Audit) Functions.

B 6:2 Practice Requirement: Internal auditors may recommend standards of control but should not be responsible for their detailed design, installation, instructions or operation.

IIA Standards and Other References: Practice Advisory 1120-1 Individual Objectivity, para 4.

B 6:3 Practice Requirement: Assurance reviews of the internal audit activity will be carried out independently of the Head of Internal Audit or audit team who are responsible for that activity. However, these reviews may be undertaken by the CGIAR IAU or another Center Head of Internal Audit in the case of Center internal audit activities.

IIA Standards and Other References: Standard 1130.A2 Impairment to Independence or Objectivity: Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.
B 7 Policy: Internal auditors shall not accept personal fees, gifts or entertainment from auditees, partners, contractors or others that are subject to assurance reviews, when these exceed those of minimal value which are provided to all staff and visitors, or which exceed the normal hospitality guidelines of the Centers.

Internal auditors may accept normal hospitality available to other staff or visitors, such as refreshments. A rule of thumb for accepting other types of hospitality is one paid-for dinner per engagement. Location should be considered when determining what is reasonable hospitality; e.g. it may be usual for all official visitors to certain regional or project offices to be provided with lunch. Internal auditors may accept promotional items normally available to other staff or visitors. Where the internal auditor feels that the hospitality seems over and above that normally provided to other staff or visitors, they should politely decline or request that they pay for such hospitality.

Internal auditors may not accept gifts from partners, contractors or others who may be the subject of assurance reviews when these are above the value set in Center gift policies. However, if declining such high-value gifts would be problematic, the internal auditor must report them to the Head of Internal Audit and the relevant manager in the Center for disposition in accordance with the Center's policies.

IIA Standards and Other References: Practice Advisory 1130-1 Impairment to Independence or Objectivity, para 4.
B 8 Policy: The results of internal audits shall be reviewed by the Head of Internal Audit or another reviewer before the related audit report is released, to provide reasonable assurance that the underlying audit work was performed objectively.

IIA Standards and Other References: Practice Advisory 1120-1 Individual Objectivity, para 4.

B 9 Policy: The scope of the internal audit activity shall encompass the evaluation (either directly, or through review of other experts' assessments) of the Center's risks related to:
- reliability and integrity of financial and operational information;
- adequacy and effectiveness of accounting, financial and operational controls;
- effectiveness and efficiency of operations;
- safeguarding of assets; and
- compliance with laws, policies, regulations, and contracts.

IIA Standards and Other References: Standard 2100 Nature of Work: The internal audit activity must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach.

B 9:1 Practice Requirement: The overall internal audit work plan should ensure coverage at enterprise level of these aspects. Terms of reference of individual assurance engagements should, where applicable, include these elements in the audit objectives and scope.

As part of the planning for all engagements, internal auditors should ascertain the Center's objectives and goals related to the area under review, and should consider actual or potential changes in internal or external conditions which may affect the relevance or effectiveness of the existing controls in place. The auditee should be asked about such changes as part of the audit planning process, and this should be reflected in the audit engagement terms of reference. Lack of clarity of objectives and goals may be an important audit finding.

B 10 Policy: The scope of the internal audit activity shall encompass the evaluation of the effectiveness, and facilitation for improvement, of the Center's risk management system.

IIA Standards and Other References:
- Standard 2100 Nature of Work (as quoted at B 9).
- Standard 2120 Risk Management: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

B 10:1 Practice Requirement: The annual internal audit work program for a Center should include provision for evaluating the effectiveness of the organization's risk management system (assurance engagement). This may be supplemented by consulting engagements for the facilitation of the implementation of the system through workshops and discussions with Center managers and staff, and advice at operating unit level on the preparation of risk assessments. Such consulting shall not include responsibility for managing risks.

The evaluation of the risk management system shall cover risk identification, assessment and the evaluation and validation of risk mitigations. The Head of Internal Audit shall provide the Director General and the Board (through the Audit Committee and any other Committee established by the Board to monitor the Center's enterprise risks) with periodic reports on the results of the internal audit evaluation.

The CGIAR IAU Good Practice Note on Enterprise Risk Management provides benchmarks for the implementation by Centers of enterprise risk management systems. The Note also includes an inventory of typical enterprise risks of the Centers which can be used to evaluate the completeness of Center analyses.

During their evaluations, internal auditors should draw on their knowledge of Center risks and mitigations obtained during other assurance and consulting engagements in the Center, and in other Centers. Further guidance on reviewing risk management systems, including the use of other experts' assessments and evaluations, is provided in Section H.2 of this Manual.

IIA Standards and Other References:
- Standard 2120.A1 Risk Management: The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems.
- Standard 2120.C1: During consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.
- Standard 2120.C2: Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes.
- Standard 2120.C3: When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

B 11 Policy: The scope of the internal audit activity shall encompass the evaluation of the design and effectiveness of the Center's internal controls.

IIA Standards and Other References:
- Standard 2100 Nature of Work (as quoted at B 9).
- Standard 2130 Control: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
- Standard 2130.A1: The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems.
- Standard 2130.A2: Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
- Standard 2130.A3: Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives, to determine whether operations and programs are being implemented or performed as intended.
- Standard 2210.A3 Engagement Objectives: Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.
- Standard 2130.C1 Control: During consulting engagements, internal auditors must address controls consistent with the engagement's objectives and be alert to the existence of any significant control weaknesses.
- Standard 2130.C2 Control: Internal auditors must incorporate knowledge of controls gained from consulting engagements into their evaluation of the organization's control processes.

B 11:1 Practice Requirement: The annual internal audit work program for a Center shall include provision for evaluating, in the areas to be covered in the work program, the key controls that are identified in risk evaluations as key risk mitigators (assurance engagements). This should take account of any non-internal-audit assurance coverage, such as by external auditors or experts in operational areas.

In considering internal controls, internal auditors should consider the range of elements in the COSO Framework of Internal Control, which has been adopted by the CGIAR. Assurance engagement terms of reference should indicate, in the scope section, the coverage based on the COSO Framework of Internal Control elements.

The evaluation of internal controls will cover both the design and the effective implementation of the controls. In reviewing the design of controls, the internal auditor should develop a normative model or set of benchmarks against which the current control system can be compared. In reviewing the effective implementation of controls, the internal auditor should conduct sufficient testing to obtain adequate assurance.

The Head of Internal Audit should provide the Director General and the Board (through the Audit Committee and any other Committee established by the Board to monitor the Center's enterprise risks) with periodic reports on the results of evaluations of internal controls.

The Control Environment is one of the five essential components of an effective internal control system according to the COSO Framework of Internal Control, as it establishes the foundation for the internal control system by providing fundamental discipline and structure. Control environment factors include the integrity, ethical values and competence of the Center's staff; Center management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the Board of Trustees.

Centers' policy and procedure manuals provide benchmarks for evaluating internal controls. Assessment of compliance with such manuals will form an integral part of internal audits of internal controls. Such manuals should be identified and reviewed as part of the planning phase of audits of internal controls. Non-compliance with Center manuals may indicate deficiencies in the manuals, rather than defects in controls.

The CGIAR IAU produces Good Practice Notes on selected topics which provide independent benchmarks for evaluating internal controls in key aspects of Center operations. Internal auditors should draw on their knowledge of Center internal controls obtained during other assurance and consulting engagements in the Center, and in other Centers.

Internal audit might consider using facilitated Control Self-Assessment (CSA) techniques to review with management and staff the adequacy of internal controls. Control Self-Assessment (CSA) can be defined simply as the involvement of management and staff in assessing the system of internal control within their work group. There are a number of ways to accomplish this purpose, from highly interactive workshops based on behavioral models at one end of the spectrum to pre-packaged self-auditing internal control questionnaires at the other end, and a number of techniques in between. Internal auditors interested in conducting facilitated self-assessment sessions require the following:
(a) A thorough understanding of the principles of CSA.
(b) The use of a control framework such as COSO for evaluation.
(c) An explicit use of risk assessment in the evaluation.
(d) Best practices gained from the implementation efforts of others.
(e) Teamwork, change management and facilitation skills.
(f) An understanding of both "low-tech" and "high-tech" supports for CSA.
Guidance on reviewing other experts' assessments and evaluations of internal control is provided in Section H.2 of this Manual.

B 12 Policy: The scope of the internal audit activity shall encompass the assessment of the Center's overall enterprise governance processes.

IIA Standards and Other References:
- Standard 2100 Nature of Work (as quoted at B 9).
- Standard 2110 Governance: The internal audit activity must assess and make appropriate recommendations for improving the governance process.
- Standard 2110.A1: The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs and activities.

B 12:1 Practice Requirement: In assessing the Center's overall enterprise governance processes, internal auditors should consider the processes relating to:
- promoting appropriate ethics and values within the Center;
- ensuring effective organizational performance management and accountability;
- effectively communicating risk and control information to appropriate areas of the Center;
- providing communication channels for staff to raise concerns when they believe laws and policies are not being observed by Center management, including confidential channels for use where they feel management is not acting appropriately on such concerns or is promoting such non-compliance;
- effectively coordinating the activities of, and communicating information among, the Board, external and internal auditors and management.

Further detailed guidance on the assessment of governance processes is provided in Section H.1.

B 13 Policy: The scope of the internal audit activity shall encompass the assessment of the Center's information technology governance. IT governance comprises the management processes to direct, measure and evaluate the use of an enterprise's IT resources in support of the achievement of the organization's strategic goals. Leadership, organizational structure and processes are used to leverage IT resources to produce the information required and to drive alignment, delivery of value, management of risk, optimized use of resources, sustainability and the management of performance.

IIA Standards and Other References: Standard 2110.A2 Governance: The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives.
B 13:1 Practice Requirement: In assessing the Center's IT governance processes, internal auditors should consider the processes relating to evaluating, directing and monitoring information technology activities. ISO/IEC 38500 recommends that directors should govern IT through three main tasks: evaluating, directing and monitoring. The ISACA COBIT and Val IT frameworks are an authoritative source of criteria for effective IT governance across these tasks.