Iau Manual Section B

CGIAR Centers Internal Audit
Audit Manual – Section B
SECTION B – DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF
WORK OF INTERNAL AUDIT

Through CGIAR Financial Guideline No 3 – Auditing Guidelines Manual – the
CGIAR has adopted the IIA Definition of internal auditing as set out in the IIA
Standards, as well as the principles of independence, authorities and
responsibilities in the Standards.

Overall Definition 1
Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organizationʹs operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.

Definition of Assurance and Consulting Services1
Assurance services involve the internal auditorʹs objective assessment of
evidence to provide an independent opinion or conclusions regarding an entity,
an operation, a function, a process, system or other subject matter. The nature
and scope of the assurance engagement are determined by the internal auditor.
There are generally three parties involved in assurance services: (1) the person or
group directly involved with the entity, operation, function, process, system or
other subject matter ‐ the process owner, (2) the person or group making the
assessment ‐ the internal auditor, and (3) the person or group using the
assessment ‐ the user.

Consulting services are advisory in nature, and are generally performed at the
specific request of an engagement client. The nature and scope of the consulting
engagement are subject to agreement with the engagement client. Consulting
services generally involve two parties: (1) the person or group offering the
advice ‐ the internal auditor, and (2) the person or group seeking and receiving
the advice ‐ the engagement client. When performing consulting services the
internal auditor should maintain objectivity and not assume management
responsibility.

1
Extract from Introduction to the IIA Standards
Version: July 31, 2009 Page B: 1


Ref. Policy and Practice Requirements IIA Standards and
Other References
B‐1
Policy: The purpose, authority, responsibility Standard 1000 – Purpose,
and reporting lines of the internal auditing Authority and
function shall be formally defined with each Responsibility
Center, consistent with the definition of
The purpose, authority and
internal Auditing. This should be done via a
responsibility of the internal
written Internal Audit Charter for each Center
audit activity must be
agreed by management, endorsed by the
formally defined in the
Board of Trustees Audit Committee and
internal audit charter,
approved by the full Board.
consistent with the
The Internal Audit Charter shall (a) establish Standards, and approved by
the internal audit activity’s position and the board.
independence within the Center; (b) authorize
Standard 1000.A1 –
access to records, personnel and physical
Purpose, Authority and
properties relevant to the performance of
Responsibility ‐ The nature
engagements; and (c) define the scope of
of assurance services
internal audit activities.
provided to the
The Internal Audit Charter shall recognize the organization must be
adoption and mandatory nature of the IIA’s defined in the internal audit
International Professional Practices charter.
Framework (IPPF), comprising the Definition
Standard 1000.C1 –
of Internal Auditing, the Code of Ethics, and
Purpose, Authority and
the Standards in the Internal Audit Charter.
Responsibility ‐ The nature
The Head of Internal Audit for the Center of consulting services must
shall periodically review the Charter to be defined in the internal
ensure that it remains appropriate and in line audit charter.
with the IIA Standards. Amendments should
Standard 1010 –
be agreed with management, endorsed by the
Recognition of the
Board of Trustees Audit Committee and
Definition of Internal
approved by the full Board.
Auditing, the Code of
Ethics, and the Standards
in the Internal Audit
Discussion:
Charter
A standard template for a Center Internal
The mandatory nature of
Audit Charter has been prepared by the
the Definition of Internal
CGIAR IAU, and is appended to a Good
Auditing, the Code of
Practice Note on Internal Audit Charters.

This draws on existing good practice Ethics, and the Standards
within the CGIAR Centers, the IIA must be recognized in the
Standards and Practice Advisories, and also internal audit charter. The
other external guidance researched by the chief audit executive should
CGIAR IAU. discuss the Definition of
Internal Auditing, the Code
All pre‐existing Center Internal Audit
of Ethics, and the Standards
Charters, where they exist, shall be
with senior management
reviewed against this template, and where
and the board
appropriate recommendations made to the
Center for amendment to bring these Practice Advisory 1000
substantively into line with the template. Internal Audit Charter
Where Charters have not been in place, a
proposed Charter shall be submitted to the
Center for approval.
In implementing any changes associated
with the new Standard 1010 which came
into force from the beginning of 2009 with
the launch of the new IPPF , the Head of
Internal Audit should explain the IPPF
with senior management and the Audit
Committee at the time changes are
proposed.

B‐2 Policy: Assurance engagements shall be
those which are primarily undertaken to
verify or validate the status of internal
controls or other risk mitigations, to verify
financial information, or to confirm the
effective implementation of certain defined
activities or arrangements. They include
validations performed under ISO audits or as
mandated in project agreements. Internal
audit will also normally make
recommendations for improvements where
the need for this is identified in the course of
these engagements.
B‐3 Policy: Consulting (or advisory) engagements
shall be other engagements which are

primarily undertaken to:


provide advice on internal controls or
other risk mitigations during the design
phase of a new system or organization
provide advice on draft policies,
procedures or guidelines
provide probity audit services on the
acquisition and implementation of major
new systems
facilitate the identification by
management and staff of the key risks to
the organization, the assessment of those
risks and the identification and
assessment of internal controls and other
mitigations for the risks
research external practice with a view to
providing advice to management and staff
on systems of internal control or other
risk mitigation for particular aspects of
operations, where these are not yet in
place in the organization
coordinate surveys of or self‐assessments
by management or staff on various topics
relevant to the governance, accountability
and risk management of the organization
provide explanations and clarifications of
applicability of accounting, auditing,
compliance, or other standards under
various scenarios
raise awareness and train managers and
staff on such topics as risk management,
internal control, accounting or auditing
provide advice to various management
committees
B‐4
Policy: Consulting activities shall be agreed
Practice Advisory 1120‐1
with management in such a way that:
Individual Objectivity, para
a) it is clear that the internal auditor will 4
have no decision making responsibilities
regarding policies, managing Standard 2110.C1 –

organizational risks, implementing Governance ‐ Consulting
internal controls, revisions to organization engagement objectives must
structure or staffing, accounting be consistent with the
classifications or approval of transactions; overall values and goals of
and the organization.
b) the activities are carried out consistently
with the overall values and goals of the

Center.

Discussion:
Consulting activities should not be
confused with secondments to non‐audit
activities. If they are to be Internal Audit
consultancies, the principles of audit
independence need to be maintained
Consulting advice provided by internal
auditors should be fully consistent not only
with both Center internal values and goals,
and ethics policies, but also applicable laws
and reasonable expectations of
stakeholders for publicly‐funded
international organizations. Advice should
not include information on how to
circumvent these expectations, and should
promote their full adherence.
B‐5 Policy: The Center’s Internal Audit Charter Standard 1100 ‐

shall provide for the following independence Independence and
elements: Objectivity
The internal audit activity
a) the Charter and any updates are approved
must be independent, and
by the Board.
internal auditors must be
b) the Head of Internal Audit for the Center objective in performing
shall report directly to both the Director their work.
General of the Center, and also to the
Standard 1110 ‐
Board of Trustees, through the Audit
Organizational
Committee.
Independence
c) The Head of Internal Audit shall not The chief audit executive
normally have responsibilities additional must report to a level
to those relevant to internal audit activity. within the organization that

d) The Head of Internal Audit shall be free allows the internal audit
to determine the scope of and manner in activity to fulfill its
which the internal audit work shall be responsibilities.
carried out, and for the contents of
Standard 1110.A1
internal audit reports issued
Organizational
e) The Board, through the Audit Committee, Independence ‐ The
shall be the responsible body to review internal audit activity must
and approve the appointment and be free from interference in
removal of the Head of Internal Audit, the determining the scope of
overall organization and budget internal auditing,
arrangements for the internal audit performing work, and
activity, and the annual and medium term communicating results.
internal audit work plans
Organizational
Independence

Standard 1111 – Direct

Interaction With the Board
The chief audit executive
must communicate and
interact directly with the
board.
Board Interaction

B‐5:1 Practice Requirement:
Reports of all assurance and consulting
engagements shall normally be addressed to
the Director General. Alternatively, summary
reports of the results of such engagements
should be periodically made to the Director
General.
B‐5:2 Practice Requirement:
Reports of all assurance and consulting
engagements shall normally be available to
members of the Audit Committee and other
Board members. Each Center has its own
arrangements (e.g. on request, posted to Board
website)

B‐5:3
Practice Requirement:
Six monthly and/or annual activity reports,
summarizing the assurance and consulting
activities and other aspects of the operation
and performance of the internal audit function
shall be made to the Director General and the
Audit Committee, ahead of the Audit
Committee meetings. This will provide an
input into the evaluation of the internal audit
activity by the Audit Committee.

Discussion:
Whenever possible, the Head of Internal
Audit or another senior auditor in her/his
absence should physically attend Audit
Committee meetings, for all sessions except
those designated as closed sessions by the
Committee e.g. private sessions with the
external auditor, discussion of internal
audit performance.
Audit Committee agendas should at least
annually include a confidential session
with the Head of Internal Audit as a
routine item. This can be promoted
through reviews of the Audit Committee
Terms of Reference and agendas.
Summary reports presented to the Audit
Committee should be available to all Board
members, as part of the Board meeting
information package. This is normal
practice among Center Boards, wherein all
papers for standing committees are
provided to all members for their
information.
The CGIAR IAU Good Practice Note on
Audit Committee Terms of Reference
provides guidance on the terms of
reference and meeting agenda to promote
the communication between the Head of

Internal Audit and the Audit Committee.
B‐6 Policy: Internal auditors shall not be assigned Standard 1120 ‐ Individual

functions which might impair, or give the Objectivity
appearance of impairment of, their objectivity Internal auditors must have
and independence. an impartial, unbiased
attitude and avoid any
conflict of interest.
Individual Objectivity
B‐6:1 Practice Requirement: Standard 1130.A1 –

Impairment to
The Head of Internal Audit shall not assign an
Independence and
internal auditor to an assurance engagement
Objectivity ‐ Internal
where the internal auditor may have a
auditors must refrain from
potential or actual impairment of activity.
assessing specific
Such engagements may include audits in areas
operations for which they
where the internal auditor:
were previously
was recently assigned non‐audit responsible. Objectivity is
responsibilities; presumed to be impaired if
has a relative or close associate in a an internal auditor provides
managerial or other key staff positions; assurance services for an
activity for which the
may be seen as having a bias against
internal auditor had
persons in managerial or other key staff
responsibility within the
positions.
previous year.
Discussion:

Internal auditors may be assigned to
Standard 1130 ‐
provide staff support to other independent,
Impairment to
external reviewers such as external
Independence or
auditors, CCER and EPMR teams. In such
Objectivity
cases the internal auditor will be
If independence or
considered to be on secondment and will
objectivity is impaired in
work under the direction of the external
fact or appearance, the
reviewers. However in such cases the
details of the impairment
assignment will not be considered an
must be disclosed to
internal audit product, but rather a non‐
appropriate parties. The
audit support product.
nature of the disclosure will
Internal auditors will inform the Head of depend upon the
Internal Audit of any situation where there impairment.
may be a potential or actual impairment of

objectivity related to their assignment to Standard 1130.C1
particular audits. In such cases the Head of Impairment to
Internal Audit will determine if this is Independence and
significant enough to avoid any assignment Objectivity ‐ Internal
of the internal auditor to such auditors may provide
engagements, and discuss this with the consulting services relating
auditee management. If the impairment is to operations for which they
not deemed sufficient to void the had previous
assignment, this will still be discussed with responsibilities.
the audit client management
Standard 1130.C2
In some cases, with the agreement of the Impairment to
Director General, an internal auditor may Independence and
be seconded within the Center to undertake Objectivity ‐ If internal
non‐audit functions. In such cases where auditors have potential
the secondment is for longer than one impairments to
week, the internal auditor will not be independence or objectivity
assigned to undertake assurance relating to proposed
engagements related to the non‐audit consulting services,
functions in the following 12 months. disclosure must be made to
However the internal auditor may be the engagement client prior
assigned consulting assignments within to accepting the
that period as well as after. engagement.
In unusual situations, Center management
may request the Head of Internal Audit or
other internal audit staff to undertake, for
Impairment to
an extended period, non‐audit functions to
Independence or
help with a particular situation facing the
Objectivity
Center. In such cases, alternative
arrangements should be agreed for internal
audit assurance coverage of the area for at Practice Advisory 1130.A1‐
least 12 months after such secondment. 1 Assessing Operations for
This may be obtained through the CGIAR which Internal Auditors
IAU or another Center internal auditor. were Previously
Alternatively it may be agreed with the Responsible
external auditor to increase its assurance

coverage of the area as a substitute for
internal audit coverage, if the secondment Practice Advisory 1130.A2‐
relates to financial accounting functions. 1 Internal Audit’s
Responsibility for Other
o Where a staff member is recruited into
(Non‐Audit) Functions
internal audit, or is seconded to internal
audit, from a line function, they will not

be assigned to undertake assurance
engagements related to their previous
functions in the following 12 months.
o However non‐audit staff may
accompany internal auditors in the
audits of areas they supervise or have
some oversight responsibility (e.g.
Headquarters Corporate Services staff
accompanying internal auditors on
regional office audits). In such cases the
overall responsibility for the audit
scope, procedures, and reporting, must
remain with the internal auditor.
o In the case of recurrent audits, where
possible, an internal auditor should not
be assigned the same assurance
engagement more than twice, before
another internal auditor is assigned to
carry out the audit. If this is difficult to
implement, the quality assurance
review should at least be rotated.
B‐6:2 Practice Advisory 1120‐1
Individual Objectivity, para
Internal auditors may recommend standards of 4
control but should not be responsible for their

detailed design, installation, instructions or
operation.

B‐6:3 Practice Requirement: Standard 1130.A2

Impairment to
Assurance reviews of the internal audit activity
Independence or
will be carried out independently of the Head
Objectivity ‐ Assurance
of Internal Audit or audit team who are
engagements for functions
responsible for that activity. However these
over which the chief audit
reviews may be undertaken by the CGIAR IAU
executive has responsibility
or another Center Head of Internal Audit in the
must be overseen by a party
case of Center internal audit activities.
outside the internal audit
activity.


B‐7 Policy: Internal Auditors shall not accept Practice Advisory 1130‐1

personal fees, gifts or entertainment from Impairments to
auditees, partners, contractors or others that Independence or
are subject to assurance reviews, when these Objectivity, para 4
exceed those of minimal value which are
provided to all staff and visitors, or which
exceed the normal hospitality guidelines of
the Centers.

Discussion:
Internal auditors may accept normal
hospitality available to other staff or
visitors such as refreshments. A rule of
thumb for accepting other types of
hospitality is one paid‐for dinner per
engagement. Location should be
considered when determining what is
reasonable hospitality e.g. it may be usual
for all official visitors to certain regional or
project offices to be provided with lunch.
Internal auditors may accept promotional
items normally available to other staff or
visitors.
Where the internal auditor feels that the
hospitality seems over and above that
normally provided to other staff or visitors,
they should politely decline or request that
they pay for such hospitality.
Internal auditors may not accept gifts from
partners, contractors or others who may be
the subject to assurance reviews when
these are above the value of Center gift
policies. However, if declining such high
value gifts will be problematic the internal
auditor must report them to the Head of
Internal Audit and the relevant manager in
the Center for disposition in accordance
with the Center’s policies.


B‐8
Policy: The results of internal audits shall be Practice Advisory 1120‐1
reviewed by the Head of Internal Audit or Individual Objectivity,
another reviewer before the related audit para 4
report is released, to provide reasonable
assurance that the underlying audit work was
performed objectively.
B.9 Policy: The scope of the internal audit Standard 2100 – Nature of

activity shall encompass the evaluation Work
(either directly, or through review of other The internal audit activity
experts’ assessments) of the Center’s risks must evaluate and
related to: contribute to the
improvement of
Reliability and integrity of financial and
governance, risk
operational information.
management and control
Adequacy and effectiveness of processes using a
accounting, financial and operational systematic and disciplined
controls. approach.
Effectiveness and efficiency of operations.
Safeguarding of assets; and
Compliance with laws, policies,
regulations, and contracts.

B‐9:1
The overall internal audit work plan should
ensure coverage at enterprise level of these
aspects. Terms of reference of individual
assurance engagements should, where
applicable, include these elements in the audit
objectives and scope.

Discussion:
As part of the planning for all
engagements, internal auditors should
ascertain the Center’s objectives and goals
related to the area under review.
As part of the planning for all
engagements, internal auditors should

consider actual or potential changes in
internal or external conditions which may
affect the relevance or effectiveness of
existing controls in place. The auditee
should be asked about such changes as part
of the audit planning process, and this
should be reflected in the audit
engagement terms of reference.
Lack of clarity of objectives and goals may
be an important audit finding.
B‐10 Policy: The scope of internal audit activity Standard 2100 ‐ Nature of

shall encompass the evaluation of the Work
effectiveness, and facilitation for The internal audit activity
improvement, of the Center’s risk must evaluate and
management system. contribute to the
improvement of

governance, risk
processes using a
systematic and disciplined
approach.
Standard 2120 ‐ Risk
Management
must evaluate the
effectiveness and contribute
to the improvement of risk
management processes.
B‐10:1 Practice Requirement: Standard 2120.A1 – Risk

Management ‐ The internal
The annual internal audit work program for a
audit activity must evaluate
Center should include provision for evaluating
risk exposures relating to
the effectiveness of the organizationʹs risk
the organizationʹs
management system (assurance engagement).
governance, operations, and
information systems
Discussion: Standard 2120.C1 ‐ Risk
This may be supplemented by consulting Management ‐ During
engagements for the facilitation of the consulting engagements,
implementation of the system through internal auditors must
address risk consistent with

workshops and discussions with Center the engagementʹs objectives
managers and staff, and advice at operating and be alert to the
unit level on the preparation of risk existence of other
assessments. Such consultant shall not significant risks.
include responsibility for managing risks.
Standard 2120.C2 ‐ Risk
The evaluation of the risk management Management ‐ Internal
system shall cover risk identification, auditors must incorporate
assessment and the evaluation and knowledge of risks gained
validation of risk mitigations. from consulting
engagements into their
The Head of Internal Audit shall provide
evaluation of the
the Director General and the Board
organization’s risk
(through the Audit Committee and any
management processes.
other Committee established by the Board
to monitor the Center’s enterprise risks) Standard 2120.C3 Risk
with periodic reports on the results of the Management – When
internal audit evaluation. assisting management in
establishing or improving
The CGIAR IAU Good Practice Note on
risk management processes,
Enterprise Risk Management provides
internal auditors must
benchmarks for the implementation by
refrain from assuming any
Centers of enterprise risk management
management responsibility
systems. The Note also includes an
by actually managing risks.
inventory of typical enterprise risks of the
Centers which can be used to evaluate the
completeness of Center analyses.
During their evaluations, internal auditors
should draw on their knowledge of Center
risk and mitigation obtained during other
assurance and consulting engagements in
the Center, and in other Centers.
Further guidance on reviewing risk
management systems, including the use of
other experts’ assessments and evaluations,
is provided in Section H.2 of this Manual.
B‐11 Policy: The scope of the internal audit Standard 2100 ‐ Nature of

activity shall encompass the evaluation of the Work
design and effectiveness of the Center’s The internal audit activity
internal controls must evaluate and
contribute to the

improvement of
governance, risk

processes using a
approach.
Standard 2130 ‐ Control
must assist the organization
in maintaining effective
controls by evaluating their
effectiveness and efficiency
and by promoting
continuous improvement.
B‐11:1 Practice Requirement: Standard 2130.A1 ‐ Control

‐ the internal audit activity
The annual internal audit work program for a
must evaluate the adequacy
Center shall include provision for evaluating,
and effectiveness of controls
in the areas to be covered in the work program,
in responding to risks
the key controls are identified in risk
within the organizationʹs
evaluations as key risk mitigators (assurance
governance, operations, and
engagements). This should take account of
information systems….
any non‐internal audit assurance coverage,
such as by external auditors or experts in
operational areas.
Standard 2130.A2 – Control
‐ Internal auditors should
ascertain the extent to
Discussion:
which operating and
In considering internal controls, internal program goals and
auditors should consider the range of objectives have been
elements in the COSO Framework of established and conform to
Internal Control, which has been adopted those of the organization.
by the CGIAR. Assurance engagement

terms of reference should indicate, in the
scope section, the coverage based on the Standard 2130.A3 – Control
COSO Framework of Internal Control ‐ Internal auditors should
elements. review operations and
programs to ascertain the
The evaluation of internal controls will
extent to which results are
cover both the design and effective
consistent with established
implementation of the controls. In
goals and objectives to
reviewing the design of controls, the
determine whether
internal auditor should develop a
operations and programs
normative model or set of benchmarks
are being implemented or

against which the current control system performed as intended.
can be compared. In reviewing the

effective implementation of controls, the
internal auditor should conduct sufficient Standard 2210.A3 –
testing to obtain adequate assurance. Engagement Objectives ‐
Adequate criteria are
The Head of Internal Audit should provide
needed to evaluate
the Director General and the Board
controls. Internal auditors
(through the Audit Committee and any
must ascertain the extent to
other Committee established by the Board
which management has
to monitor the Center’s enterprise risks)
established adequate
with periodic reports on the results of
criteria to determine
evaluations of internal controls.
whether objectives and
The Control Environment is one of the five goals have been
essential components of an effective accomplished. If adequate,
internal control system, according to the internal auditors must use
COSO Framework of Internal Control, as it such criteria in their
establishes the foundation for the internal evaluation. If inadequate,
control system by providing fundamental internal auditors must work
discipline and structure. Control with management to
environment factors include the integrity, develop appropriate
ethical values and competence of the evaluation criteria.
Center’s staff; Center managementʹs

philosophy and operating style; the way
management assigns authority and Standard 2120.C1 – Risk
responsibility, and organizes and develops Management ‐ During
its people; and the attention and direction consulting engagements,
provided by the Board of Trustees. internal auditors must
address controls consistent
Centers policy and procedure manuals
with the engagementʹs
provide benchmarks for evaluating internal
objectives and be alert to
controls. Assessment of compliance with
the existence of any
such manuals will form an integral part of
significant control
internal audits of internal controls. Such
weaknesses.
manuals should be identified and reviewed
as part of the planning phase of audits of
internal controls. Standard 2120.C2 – Risk
Non‐compliance with Center manuals may Management ‐ Internal
indicate deficiencies in the manuals, rather auditors must incorporate
than defects in controls. knowledge of controls
gained from consulting
The CGIAR IAU produces Good Practice
engagements into their
Notes on selected topics which provide
evaluation of the

independent benchmarks for evaluating organization’s risk
internal controls in key aspects of Center management processes.
operations.

Internal auditors should draw on their

knowledge of Center internal controls
obtained during other assurance and
consulting engagements in the Center, and
in other Centers.
Internal audit might consider using
facilitated Control Self Assessment (CSA)
techniques to review with management
and staff the adequacy if internal controls.
Control Self‐Assessment (CSA) can be
defined simply as the involvement of
management and staff in assessing the
system of internal control within their work
group. There are a number of ways to
accomplish this purpose, from highly
interactive workshops based on behavioral
models at one end of the spectrum to
prepackaged self‐auditing internal control
questionnaires on the other end, and a
number of techniques in between.
Internal auditors interested in conducting
facilitated self‐assessment sessions require
the following:
(a) A thorough understanding of the
principles of CSA.
(b) The use of a control framework such
as COSO for evaluation.
(c) An explicit use of risk assessment in
the evaluation.
(d) Best practices gained from
implementation efforts of others.
(e) Teamwork, change management
and facilitation skills.
(f) An understanding of both ʺlow‐
techʺ and ʺhigh‐techʺ supports for
CSA.


Guidance on reviewing other experts’
assessments and evaluations of internal
control is provided in Section H.2 of this
Manual.
B‐12 Policy: The scope of the internal audit Standard 2100 ‐ Nature of

activity shall encompass the assessment of the Work
Center’s overall enterprise governance The internal audit activity
processes must evaluate and
contribute to the

improvement of
governance, risk
processes using a
approach.
Standard 2110 –
Governance:
must assess and make
appropriate
recommendations for
improving the governance
process ….
Standard 2110. A1 –
Governance ‐ The internal
audit activity must evaluate
the design, implementation,
and effectiveness of the
organizationʹs ethics‐related
objectives, programs and
activities.
B‐12:1
Practice Requirements:
In assessing the Center’s overall enterprise
governance processes, internal auditors should
consider the processes relating to:
Promoting appropriate ethics and values
within the Center.
Ensuring effective organizational

performance management and
accountability.
Effectively communicating risk and control
information to appropriate areas of the
Center.
Providing communication channels to staff
to raise concerns when they believe laws
and policies are not being observed by
Center management, including confidential
channels where they feel management is
not acting appropriately on such concerns
or is promoting such non‐compliance.
Effectively coordinating the activities of
and communicating information among the
Board, external and internal auditors and
management.

Discussion:
Further detailed guidance on the assessment of
governance processes is provided in section
H.1
B‐13 Standard 2110.A2 –
Policy: The scope of the internal audit
Governance ‐ The internal
activity shall encompass the assessment of the
audit activity must assess
Center’s information technology governance.
whether the information
Discussion: technology governance of
IT governance comprises the management the organization sustains
processes to direct, measure and evaluate and supports the
the use of an enterpriseʹs IT resources in organization’s strategies
support of the achievement of the and objectives.
organization’s strategic goals. Leadership,
organizational structure and processes are
used to leverage IT resources to produce
the information required and drive the
alignment, delivery of value, management
of risk, optimized use of resources,
sustainability and the management of
performance.


B‐13:1
In assessing the Center’s IT governance
processes, internal auditors should consider the
processes relating to evaluating, directing and
monitoring information technology activities.

Discussion:
ISO/IEC 38500 recommends that directors
should govern IT through 3 main tasks –
evaluating, directing and monitoring. The
ISACA COBIT and Val IT frameworks are
an authoritative source of criteria for
effective IT governance across these tasks.


Iau Manual Section B

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Iau Manual Section B

Hochgeladen von

Copyright:

Verfügbare Formate

CGIAR Centers Internal Audit

Audit Manual – Section B

Version: July 31, 2009 Page B: 1

Version: July 31, 2009 Page B: 2

Version: July 31, 2009 Page B: 3

Version: July 31, 2009 Page B: 4

B‐5 Policy: The Center’s Internal Audit Charter Standard 1100 ‐

Version: July 31, 2009 Page B: 5

Version: July 31, 2009 Page B: 6

Version: July 31, 2009 Page B: 7

B‐6 Policy: Internal auditors shall not be assigned Standard 1120 ‐ Individual

B‐6:1 Practice Requirement: Standard 1130.A1 –

Version: July 31, 2009 Page B: 8

Version: July 31, 2009 Page B: 9

B‐6:3 Practice Requirement: Standard 1130.A2

Version: July 31, 2009 Page B: 10

B‐7 Policy: Internal Auditors shall not accept Practice Advisory 1130‐1

Version: July 31, 2009 Page B: 11

B.9 Policy: The scope of the internal audit Standard 2100 – Nature of

Version: July 31, 2009 Page B: 12

B‐10 Policy: The scope of internal audit activity Standard 2100 ‐ Nature of

B‐10:1 Practice Requirement: Standard 2120.A1 – Risk

Version: July 31, 2009 Page B: 13

B‐11 Policy: The scope of the internal audit Standard 2100 ‐ Nature of

Version: July 31, 2009 Page B: 14

B‐11:1 Practice Requirement: Standard 2130.A1 ‐ Control

Version: July 31, 2009 Page B: 15

Version: July 31, 2009 Page B: 16

Version: July 31, 2009 Page B: 17

B‐12 Policy: The scope of the internal audit Standard 2100 ‐ Nature of

Version: July 31, 2009 Page B: 18

Version: July 31, 2009 Page B: 19

Version: July 31, 2009 Page B: 20

Das könnte Ihnen auch gefallen