SECTION B – DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT
Through CGIAR Financial Guideline No 3 – Auditing Guidelines Manual – the CGIAR has adopted the IIA Definition of internal auditing as set out in the IIA Standards, as well as the principles of independence, authorities and responsibilities in the Standards.
Overall Definition [1]

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Definition of Assurance and Consulting Services [1]

Assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, an operation, a function, a process, system or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system or other subject matter - the process owner, (2) the person or group making the assessment - the internal auditor, and (3) the person or group using the assessment - the user.

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice - the internal auditor, and (2) the person or group seeking and receiving the advice - the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.
[1] Extract from Introduction to the IIA Standards
(Column headings of the table that follows: Ref.; Policy and Practice Requirements; IIA Standards and Other References. Each entry below gives the policy or practice requirement and its discussion, followed by the related IIA Standards and other references.)
B-1

Policy: The purpose, authority, responsibility and reporting lines of the internal auditing function shall be formally defined with each Center, consistent with the Definition of Internal Auditing. This should be done via a written Internal Audit Charter for each Center agreed by management, endorsed by the Board of Trustees Audit Committee and approved by the full Board.

The Internal Audit Charter shall (a) establish the internal audit activity's position and independence within the Center; (b) authorize access to records, personnel and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities.

The Internal Audit Charter shall recognize the adoption and mandatory nature of the IIA's International Professional Practices Framework (IPPF), comprising the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter.

The Head of Internal Audit for the Center shall periodically review the Charter to ensure that it remains appropriate and in line with the IIA Standards. Amendments should be agreed with management, endorsed by the Board of Trustees Audit Committee and approved by the full Board.

Discussion:

A standard template for a Center Internal Audit Charter has been prepared by the CGIAR IAU, and is appended to a Good Practice Note on Internal Audit Charters. This draws on existing good practice within the CGIAR Centers, the IIA Standards and Practice Advisories, and also other external guidance researched by the CGIAR IAU.

All pre-existing Center Internal Audit Charters, where they exist, shall be reviewed against this template, and where appropriate recommendations made to the Center for amendment to bring these substantively into line with the template. Where Charters have not been in place, a proposed Charter shall be submitted to the Center for approval.

In implementing any changes associated with the new Standard 1010 which came into force from the beginning of 2009 with the launch of the new IPPF, the Head of Internal Audit should explain the IPPF with senior management and the Audit Committee at the time changes are proposed.

IIA Standards and Other References:

Standard 1000 – Purpose, Authority and Responsibility: The purpose, authority and responsibility of the internal audit activity must be formally defined in the internal audit charter, consistent with the Standards, and approved by the board.

Standard 1000.A1 – Purpose, Authority and Responsibility: The nature of assurance services provided to the organization must be defined in the internal audit charter.

Standard 1000.C1 – Purpose, Authority and Responsibility: The nature of consulting services must be defined in the internal audit charter.

Standard 1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter: The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.

Practice Advisory 1000: Internal Audit Charter
B-2

Policy: Assurance engagements shall be those which are primarily undertaken to verify or validate the status of internal controls or other risk mitigations, to verify financial information, or to confirm the effective implementation of certain defined activities or arrangements. They include validations performed under ISO audits or as mandated in project agreements. Internal audit will also normally make recommendations for improvements where the need for this is identified in the course of these engagements.
B-3

Policy: Consulting (or advisory) engagements shall be other engagements which are primarily undertaken to:

o provide advice on internal controls or other risk mitigations during the design phase of a new system or organization
o provide advice on draft policies, procedures or guidelines
o provide probity audit services on the acquisition and implementation of major new systems
o facilitate the identification by management and staff of the key risks to the organization, the assessment of those risks and the identification and assessment of internal controls and other mitigations for the risks
o research external practice with a view to providing advice to management and staff on systems of internal control or other risk mitigation for particular aspects of operations, where these are not yet in place in the organization
o coordinate surveys of or self-assessments by management or staff on various topics relevant to the governance, accountability and risk management of the organization
o provide explanations and clarifications of applicability of accounting, auditing, compliance, or other standards under various scenarios
o raise awareness and train managers and staff on such topics as risk management, internal control, accounting or auditing
o provide advice to various management committees
B-4

Policy: Consulting activities shall be agreed with management in such a way that:

a) it is clear that the internal auditor will have no decision making responsibilities regarding policies, managing organizational risks, implementing internal controls, revisions to organization structure or staffing, accounting classifications or approval of transactions; and
b) the activities are carried out consistently with the overall values and goals of the Center.

Discussion:

Consulting activities should not be confused with secondments to non-audit activities. If they are to be Internal Audit consultancies, the principles of audit independence need to be maintained.

Consulting advice provided by internal auditors should be fully consistent not only with both Center internal values and goals, and ethics policies, but also applicable laws and reasonable expectations of stakeholders for publicly-funded international organizations. Advice should not include information on how to circumvent these expectations, and should promote their full adherence.

IIA Standards and Other References:

Practice Advisory 1120-1: Individual Objectivity, para 4

Standard 2110.C1 – Governance: Consulting engagement objectives must be consistent with the overall values and goals of the organization.
d) The Head of Internal Audit shall be free to determine the scope of and manner in which the internal audit work shall be carried out, and for the contents of internal audit reports issued.
e) The Board, through the Audit Committee, shall be the responsible body to review and approve the appointment and removal of the Head of Internal Audit, the overall organization and budget arrangements for the internal audit activity, and the annual and medium term internal audit work plans.

IIA Standards and Other References:

... allows the internal audit activity to fulfill its responsibilities.

Standard 1110.A1 – Organizational Independence: The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

Practice Advisory 1110-1: Organizational Independence

Standard 1111 – Direct Interaction With the Board: The chief audit executive must communicate and interact directly with the board.

Practice Advisory 1111-1: Board Interaction
B-5:1

Practice Requirement: Reports of all assurance and consulting engagements shall normally be addressed to the Director General. Alternatively, summary reports of the results of such engagements should be periodically made to the Director General.

B-5:2

Practice Requirement: Reports of all assurance and consulting engagements shall normally be available to members of the Audit Committee and other Board members. Each Center has its own arrangements (e.g. on request, posted to Board website).

B-5:3

Practice Requirement: Six monthly and/or annual activity reports, summarizing the assurance and consulting activities and other aspects of the operation and performance of the internal audit function shall be made to the Director General and the Audit Committee, ahead of the Audit Committee meetings. This will provide an input into the evaluation of the internal audit activity by the Audit Committee.

Discussion:

Whenever possible, the Head of Internal Audit or another senior auditor in her/his absence should physically attend Audit Committee meetings, for all sessions except those designated as closed sessions by the Committee, e.g. private sessions with the external auditor, discussion of internal audit performance.

Audit Committee agendas should at least annually include a confidential session with the Head of Internal Audit as a routine item. This can be promoted through reviews of the Audit Committee Terms of Reference and agendas.

Summary reports presented to the Audit Committee should be available to all Board members, as part of the Board meeting information package. This is normal practice among Center Boards, wherein all papers for standing committees are provided to all members for their information.

The CGIAR IAU Good Practice Note on Audit Committee Terms of Reference provides guidance on the terms of reference and meeting agenda to promote the communication between the Head of Internal Audit and the Audit Committee.
... objectivity related to their assignment to particular audits. In such cases the Head of Internal Audit will determine if this is significant enough to avoid any assignment of the internal auditor to such engagements, and discuss this with the auditee management. If the impairment is not deemed sufficient to void the assignment, this will still be discussed with the audit client management.

In some cases, with the agreement of the Director General, an internal auditor may be seconded within the Center to undertake non-audit functions. In such cases where the secondment is for longer than one week, the internal auditor will not be assigned to undertake assurance engagements related to the non-audit functions in the following 12 months. However the internal auditor may be assigned consulting assignments within that period as well as after.

In unusual situations, Center management may request the Head of Internal Audit or other internal audit staff to undertake, for an extended period, non-audit functions to help with a particular situation facing the Center. In such cases, alternative arrangements should be agreed for internal audit assurance coverage of the area for at least 12 months after such secondment. This may be obtained through the CGIAR IAU or another Center internal auditor. Alternatively it may be agreed with the external auditor to increase its assurance coverage of the area as a substitute for internal audit coverage, if the secondment relates to financial accounting functions.

o Where a staff member is recruited into internal audit, or is seconded to internal audit, from a line function, they will not be assigned to undertake assurance engagements related to their previous functions in the following 12 months.
o However non-audit staff may accompany internal auditors in the audits of areas they supervise or have some oversight responsibility (e.g. Headquarters Corporate Services staff accompanying internal auditors on regional office audits). In such cases the overall responsibility for the audit scope, procedures, and reporting, must remain with the internal auditor.
o In the case of recurrent audits, where possible, an internal auditor should not be assigned the same assurance engagement more than twice, before another internal auditor is assigned to carry out the audit. If this is difficult to implement, the quality assurance review should at least be rotated.

IIA Standards and Other References:

Standard 1130.C1 – Impairment to Independence and Objectivity: Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

Standard 1130.C2 – Impairment to Independence and Objectivity: If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

Practice Advisory 1130-1: Impairment to Independence or Objectivity

Practice Advisory 1130.A1-1: Assessing Operations for which Internal Auditors were Previously Responsible

Practice Advisory 1130.A2-1: Internal Audit's Responsibility for Other (Non-Audit) Functions
B-6:2

Practice Requirement: Internal auditors may recommend standards of control but should not be responsible for their detailed design, installation, instructions or operation.

IIA Standards and Other References:

Practice Advisory 1120-1: Individual Objectivity, para 4
B-8

Policy: The results of internal audits shall be reviewed by the Head of Internal Audit or another reviewer before the related audit report is released, to provide reasonable assurance that the underlying audit work was performed objectively.

IIA Standards and Other References:

Practice Advisory 1120-1: Individual Objectivity, para 4
B-9:1

Practice Requirement: The overall internal audit work plan should ensure coverage at enterprise level of these aspects. Terms of reference of individual assurance engagements should, where applicable, include these elements in the audit objectives and scope.

Discussion:

As part of the planning for all engagements, internal auditors should ascertain the Center's objectives and goals related to the area under review.

As part of the planning for all engagements, internal auditors should consider actual or potential changes in internal or external conditions which may affect the relevance or effectiveness of existing controls in place. The auditee should be asked about such changes as part of the audit planning process, and this should be reflected in the audit engagement terms of reference.

Lack of clarity of objectives and goals may be an important audit finding.
... workshops and discussions with Center managers and staff, and advice at operating unit level on the preparation of risk assessments. Such consultancy shall not include responsibility for managing risks.

The evaluation of the risk management system shall cover risk identification, assessment and the evaluation and validation of risk mitigations.

The Head of Internal Audit shall provide the Director General and the Board (through the Audit Committee and any other Committee established by the Board to monitor the Center's enterprise risks) with periodic reports on the results of the internal audit evaluation.

The CGIAR IAU Good Practice Note on Enterprise Risk Management provides benchmarks for the implementation by Centers of enterprise risk management systems. The Note also includes an inventory of typical enterprise risks of the Centers which can be used to evaluate the completeness of Center analyses.

During their evaluations, internal auditors should draw on their knowledge of Center risk and mitigation obtained during other assurance and consulting engagements in the Center, and in other Centers.

Further guidance on reviewing risk management systems, including the use of other experts' assessments and evaluations, is provided in Section H.2 of this Manual.

IIA Standards and Other References:

... the engagement's objectives and be alert to the existence of other significant risks.

Standard 2120.C2 – Risk Management: Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes.

Standard 2120.C3 – Risk Management: When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
... against which the current control system can be compared. In reviewing the effective implementation of controls, the internal auditor should conduct sufficient testing to obtain adequate assurance.

The Head of Internal Audit should provide the Director General and the Board (through the Audit Committee and any other Committee established by the Board to monitor the Center's enterprise risks) with periodic reports on the results of evaluations of internal controls.

The Control Environment is one of the five essential components of an effective internal control system, according to the COSO Framework of Internal Control, as it establishes the foundation for the internal control system by providing fundamental discipline and structure. Control environment factors include the integrity, ethical values and competence of the Center's staff; Center management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the Board of Trustees.

Centers' policy and procedure manuals provide benchmarks for evaluating internal controls. Assessment of compliance with such manuals will form an integral part of internal audits of internal controls. Such manuals should be identified and reviewed as part of the planning phase of audits of internal controls. Non-compliance with Center manuals may indicate deficiencies in the manuals, rather than defects in controls.

The CGIAR IAU produces Good Practice Notes on selected topics which provide independent benchmarks for evaluating internal controls in key aspects of Center operations.

Internal auditors should draw on their knowledge of Center internal controls obtained during other assurance and consulting engagements in the Center, and in other Centers.

Internal audit might consider using facilitated Control Self Assessment (CSA) techniques to review with management and staff the adequacy of internal controls. Control Self-Assessment (CSA) can be defined simply as the involvement of management and staff in assessing the system of internal control within their work group. There are a number of ways to accomplish this purpose, from highly interactive workshops based on behavioral models at one end of the spectrum to prepackaged self-auditing internal control questionnaires on the other end, and a number of techniques in between.

Internal auditors interested in conducting facilitated self-assessment sessions require the following:

(a) A thorough understanding of the principles of CSA.
(b) The use of a control framework such as COSO for evaluation.
(c) An explicit use of risk assessment in the evaluation.
(d) Best practices gained from implementation efforts of others.
(e) Teamwork, change management and facilitation skills.
(f) An understanding of both "low-tech" and "high-tech" supports for CSA.

Guidance on reviewing other experts' assessments and evaluations of internal control is provided in Section H.2 of this Manual.

IIA Standards and Other References:

... management and control processes using a systematic and disciplined approach.

Standard 2130 – Control: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

... performed as intended.

Standard 2210.A3 – Engagement Objectives: Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.

Standard 2120.C1 – Risk Management: During consulting engagements, internal auditors must address controls consistent with the engagement's objectives and be alert to the existence of any significant control weaknesses.

Standard 2120.C2 – Risk Management: Internal auditors must incorporate knowledge of controls gained from consulting engagements into their evaluation of the organization's risk management processes.
B-12:1

Practice Requirements: In assessing the Center's overall enterprise governance processes, internal auditors should consider the processes relating to:

o Promoting appropriate ethics and values within the Center.
o Ensuring effective organizational performance management and accountability.
o Effectively communicating risk and control information to appropriate areas of the Center.
o Providing communication channels to staff to raise concerns when they believe laws and policies are not being observed by Center management, including confidential channels where they feel management is not acting appropriately on such concerns or is promoting such non-compliance.
o Effectively coordinating the activities of and communicating information among the Board, external and internal auditors and management.

Discussion:

Further detailed guidance on the assessment of governance processes is provided in section H.1.
B-13

Policy: The scope of the internal audit activity shall encompass the assessment of the Center's information technology governance.

Discussion:

IT governance comprises the management processes to direct, measure and evaluate the use of an enterprise's IT resources in support of the achievement of the organization's strategic goals. Leadership, organizational structure and processes are used to leverage IT resources to produce the information required and drive the alignment, delivery of value, management of risk, optimized use of resources, sustainability and the management of performance.

IIA Standards and Other References:

Standard 2110.A2 – Governance: The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives.
B-13:1

Practice Requirement: In assessing the Center's IT governance processes, internal auditors should consider the processes relating to evaluating, directing and monitoring information technology activities.

Discussion:

ISO/IEC 38500 recommends that directors should govern IT through 3 main tasks – evaluating, directing and monitoring. The ISACA COBIT and Val IT frameworks are an authoritative source of criteria for effective IT governance across these tasks.