CGIAR Centers Internal Audit Audit Manual – Section B

SECTION B – DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT

Through CGIAR Financial Guideline No 3 – Auditing Guidelines Manual – the CGIAR has adopted the IIA Definition of internal auditing as set out in the IIA Standards, as well as the principles of independence, authorities and responsibilities in the Standards.

Overall Definition [1]

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Definition of Assurance and Consulting Services [1]

Assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, an operation, a function, a process, system or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system or other subject matter - the process owner, (2) the person or group making the assessment - the internal auditor, and (3) the person or group using the assessment - the user.

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice - the internal auditor, and (2) the person or group seeking and receiving the advice - the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.

[1] Extract from Introduction to the IIA Standards
Version: July 31, 2009
Ref. B-1

Policy and Practice Requirements:

Policy: The purpose, authority, responsibility and reporting lines of the internal auditing function shall be formally defined with each Center, consistent with the definition of Internal Auditing. This should be done via a written Internal Audit Charter for each Center agreed by management, endorsed by the Board of Trustees Audit Committee and approved by the full Board.

The Internal Audit Charter shall (a) establish the internal audit activity's position and independence within the Center; (b) authorize access to records, personnel and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities.

The Internal Audit Charter shall recognize the adoption and mandatory nature of the IIA's International Professional Practices Framework (IPPF), comprising the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter.

The Head of Internal Audit for the Center shall periodically review the Charter to ensure that it remains appropriate and in line with the IIA Standards. Amendments should be agreed with management, endorsed by the Board of Trustees Audit Committee and approved by the full Board.

Discussion:

A standard template for a Center Internal Audit Charter has been prepared by the CGIAR IAU, and is appended to a Good Practice Note on Internal Audit Charters. This draws on existing good practice within the CGIAR Centers, the IIA Standards and Practice Advisories, and also other external guidance researched by the CGIAR IAU.

All pre-existing Center Internal Audit Charters, where they exist, shall be reviewed against this template, and where appropriate recommendations made to the Center for amendment to bring these substantively into line with the template. Where Charters have not been in place, a proposed Charter shall be submitted to the Center for approval.

In implementing any changes associated with the new Standard 1010 which came into force from the beginning of 2009 with the launch of the new IPPF, the Head of Internal Audit should explain the IPPF with senior management and the Audit Committee at the time changes are proposed.

IIA Standards and Other References:

Standard 1000 Purpose, Authority and Responsibility
The purpose, authority and responsibility of the internal audit activity must be formally defined in the internal audit charter, consistent with the Standards, and approved by the board.

Standard 1000.A1 Purpose, Authority and Responsibility - The nature of assurance services provided to the organization must be defined in the internal audit charter.

Standard 1000.C1 Purpose, Authority and Responsibility - The nature of consulting services must be defined in the internal audit charter.

Standard 1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.

Practice Advisory 1000 Internal Audit Charter

Ref. B-2

Policy and Practice Requirements:

Policy: Assurance engagements shall be those which are primarily undertaken to verify or validate the status of internal controls or other risk mitigations, to verify financial information, or to confirm the effective implementation of certain defined activities or arrangements. They include validations performed under ISO audits or as mandated in project agreements. Internal audit will also normally make recommendations for improvements where the need for this is identified in the course of these engagements.

Ref. B-3

Policy and Practice Requirements:

Policy: Consulting (or advisory) engagements shall be other engagements which are primarily undertaken to:

- provide advice on internal controls or other risk mitigations during the design phase of a new system or organization
- provide advice on draft policies, procedures or guidelines
- provide probity audit services on the acquisition and implementation of major new systems
- facilitate the identification by management and staff of the key risks to the organization, the assessment of those risks and the identification and assessment of internal controls and other mitigations for the risks
- research external practice with a view to providing advice to management and staff on systems of internal control or other risk mitigation for particular aspects of operations, where these are not yet in place in the organization
- coordinate surveys of or self-assessments by management or staff on various topics relevant to the governance, accountability and risk management of the organization
- provide explanations and clarifications of applicability of accounting, auditing, compliance, or other standards under various scenarios
- raise awareness and train managers and staff on such topics as risk management, internal control, accounting or auditing
- provide advice to various management committees

Ref. B-4

Policy and Practice Requirements:

Policy: Consulting activities shall be agreed with management in such a way that:

a) it is clear that the internal auditor will have no decision making responsibilities regarding policies, managing organizational risks, implementing internal controls, revisions to organization structure or staffing, accounting classifications or approval of transactions; and

b) the activities are carried out consistently with the overall values and goals of the Center.

Discussion:

Consulting activities should not be confused with secondments to non-audit activities. If they are to be Internal Audit consultancies, the principles of audit independence need to be maintained.

Consulting advice provided by internal auditors should be fully consistent not only with both Center internal values and goals, and ethics policies, but also applicable laws and reasonable expectations of stakeholders for publicly-funded international organizations. Advice should not include information on how to circumvent these expectations, and should promote their full adherence.

IIA Standards and Other References:

Practice Advisory 1120-1 Individual Objectivity, para 4

Standard 2110.C1 Governance - Consulting engagement objectives must be consistent with the overall values and goals of the organization.

Ref. B-5

Policy and Practice Requirements:

Policy: The Center's Internal Audit Charter shall provide for the following independence elements:

a) the Charter and any updates are approved by the Board.

b) the Head of Internal Audit for the Center shall report directly to both the Director General of the Center, and also to the Board of Trustees, through the Audit Committee.

c) The Head of Internal Audit shall not normally have responsibilities additional to those relevant to internal audit activity.

IIA Standards and Other References:

Standard 1100 - Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Standard 1110 - Organizational Independence
The chief audit executive must report to a level within the organization that