internal audit quality assessment presented to: world ... · internal audit quality assessment...

www.theiia.org

Internal Audit Quality Assessment

Presented To:

World Intellectual Property Organization

April 2014

www.theiia.org

Table of Contents

2

Page

List of Acronyms 3

Executive Summary• Opinion as to Conformance to the Standards, the Code of Ethics, and the

Definition of Internal Auditing• Objectives / Scope / Methodology• Observations Specific to the Internal Audit Section of the Internal Audit and

Oversight Division• IIA Standards Conformance Summary

4

Successful Internal Audit Practices Noted 9

Opportunities for Improvement Noted 11

Attachment A• Conformance Rating Criteria

17

Attachment B• Required Communications with the Internal Advisory Oversight Committee

Checklist – Example of Documentation

18

www.theiia.org

List of Acronyms

3

Director, IAOD Director, Internal Audit and Oversight Division

EQA External Quality Assessment

ERM Enterprise Risk Management

IAOC Internal Advisory Oversight Committee

IAOD Internal Audit and Oversight Division

IIA The Institute of Internal Auditors

Internal Audit The Internal Audit Section of the Internal Audit and Oversight Division

QAIP Quality Assurance and Improvement Program

Standards International Standards for the Professional Practice of Internal Auditing

WIPO The World Intellectual Property Organization

www.theiia.org

Executive SummaryUnder the International Standards for the Professional Practice of Internal Auditing (“Standards”), an external quality assessment (“EQA”) of an internal audit activity must be conducted at least once every five years by a qualified assessor or assessment team from outside the organization. The qualified assessor or assessment team must demonstrate competence in both the professional practice of internal auditing and the EQA process. The World Intellectual Property Organization (“WIPO”) Internal Audit and Oversight Division (“IAOD”) selected the Institute of Internal Auditors (“IIA”) Quality Services to lead the review. The IAOD is comprised of three sections; the Internal Audit section, the Evaluation section, and the Investigations section. This EQA was conducted specific to the Internal Audit section of the IAOD (“Internal Audit”). The EQA was concluded on April 17, 2014 and provides management with information about Internal Audit as of that date. Future changes in environmental factors and actions by personnel, including actions taken to address recommendations, may have an impact upon the operation of Internal Audit in a manner that this report did not and cannot anticipate. Considerable professional judgment is involved in evaluating the findings and developing recommendations. Accordingly, it should be recognized that others could evaluate the results differently, and draw different conclusions.

Opinion as to Conformance to the Standards, the Code of Ethics, and the Definition of Internal Auditing

It is our overall opinion that Internal Audit generally conforms to the Standards, the Code of Ethics, and the Definition of Internal Auditing. A detailed list of conformance to individual Standards is shown on page 6 of this report.

The IIA’s Quality Assessment Manual suggests a scale of three ratings, “generally conforms,” “partially conforms,” and “does not conform.” “Generally Conforms” is the top rating and means the assessor has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the Standards, the Code of Ethics, or the Definition of Internal Auditing in all material respects. Detailed definitions for rating criteria associated with “Generally Conforms”, “Partially Conforms”, and “Does Not Conform” are described in Attachment A on page 17 of this report and are consistent with the guidance provided by the IIA in their Quality Assessment Manual.

Objectives / Scope / Methodology

• The principal objectives of the EQA were to (1) assess Internal Audit conformance to the Standards, the Code of Ethics, and the Definition of Internal Auditing; (2) assess the effectiveness of Internal Audit in providing assurance and advisory services to the Internal Advisory Oversight Committee (“IAOC”), senior executives, and other interested parties; and (3) identify opportunities, offer recommendations for improvement, and provide counsel to the Director, IAOD and staff for improving their performance and services and promoting the image and credibility of Internal Audit.

• The scope of the assessment included Internal Audit, as set forth in the WIPO Internal Oversight Charter. The WIPO Internal Oversight Charter, approved by the General Assembly, defines the authority, responsibility, and accountability of the activity. Internal Audit provided the assessment team with a Fox News article dated April 4, 2014 that alleged improprieties by the Director General at WIPO. The article was considered by the assessment team during the EQA process and had no bearing upon the final determination of Internal Audit’s conformance with the Standards.

• To accomplish the objectives, the EQA team reviewed information prepared by Internal Audit at the EQA team’s request, conducted interviews with selected key stakeholders to Internal Audit, reviewed a sample of audit projects and associated work papers and reports, reviewed benchmark and survey data, and prepared diagnostic tools consistent with the methodology established for an EQA in the IIA Quality Assessment Manual.

4

www.theiia.org

Executive SummaryObservations Specific to the Internal Audit Section of the Internal Audit and Oversight Division

Internal Audit is generally in conformance with the Standards, the IIA Code of Ethics, and the Definition of Internal Auditing. They demonstrate a strong commitment to exceeding the basic requirements of the Standards and are focused on enhancing quality through continuous improvement. The functional and administrative reporting relationships are appropriate and support organizational independence and objectivity. Their annual risk assessment process focuses activities in areas of highest risk and impact consistent with the strategy and objectives of WIPO. Internal Audit has qualified staff that performs their work in a competent and high quality manner and infrastructure supports consistent performance of Internal Audit activities. They are an integral part of the governance process for WIPO and are valued by their stakeholders including the IAOC. They operate in a very dynamic environment and their ability to adapt and be responsive to change, combined with their ability to leverage insight on risks impacting the organization into focused audit plans, will continue to be critical to their success and value to the organization.

Attribute Standards

Internal Audit generally has the infrastructure in place to support sustainability of internal audit processes in a quality and consistent manner. Their charter is comprehensive and is foundational to all their activities, but should be modified for several technical requirements of the Standards. The functional and administrative reporting relationships are appropriate and support organizational independence and objectivity. Functional reporting is supported by direct and open access between the Director, IAOD and the chairs of the General Assembly, the Coordination Committee, the Program and Budget Committee, and the IAOC. The structure of IAOD presents an impairment in the ability of Internal Audit to independently evaluate the activities of the Evaluation and Investigation sections of IAOD. This impairment has been appropriately disclosed and is being managed effectively by the Director, IAOD. Internal Audit management and staff are qualified with appropriate credentials and experience; and work is performed with due professional care that includes an appropriate level of supervisory review and approval. Training and professional development processes are appropriate to support proficiency of Internal Audit management and staff. While the CAE has established a Quality Assurance and Improvement Program (“QAIP”) that promotes quality and continuous improvement, this program should be more formalized to enhance sustainability and consistency in execution.

Performance Standards

Internal Audit is managed appropriately and the annual audit plan is supported by a risk assessment process that incorporates input from Internal Audit stakeholders including the Director General, the IAOC, and the various member states when developing the audit universe, conducting risk assessment, and preparing the annual audit plan. The annual audit plan is reviewed by the IAOC, but should be formally approved by them as well. Results of the annual audit plan are communicated periodically to the IAOC and on an annual basis to the General Assembly. Internal Audit manages resources effectively and uses third party resources for specific subject matter expertise on an as needed basis. Internal Audit should continue to refine its role in Enterprise Risk Management (“ERM”) within WIPO as those processes mature to ensure that Internal Audit plans are linked to the entity-wide view of risk. Policies and procedures supporting Internal Audit infrastructure and key processes should be updated to align with current practices and the use of the electronic work paper software tool. This supports sustainability and consistency of these processes and promotes quality. Engagement level planning is supported by an engagement level risk assessment that appropriately considers fraud risk as a component. Objectives evaluate technology, operational, financial, and compliance components as appropriate for individual engagements. Individual audits are of a consistent high quality and work papers fully support reported findings. Audit reports are consistent with the underlying work product and there is a follow-up process in place that tracks audit issues through to resolution. 5

www.theiia.org

Executive SummaryIIA Standards Conformance Summary

GC PC DNC NA

OVERALL X

ATTRIBUTE STANDARDS X

1000 Purpose, Authority, and Responsibility X

1010Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the Internal Audit Charter

X

1100 Independence and Objectivity X

1110 Organizational Independence X

1111 Direct Interaction with the Board X

1120 Individual Objectivity X

1130 Impairments to Independence or Objectivity X

1200 Proficiency and Due Professional Care X

1210 Proficiency X

1220 Due Professional Care X

1230 Continuing Professional Development X

1300 Quality Assurance and Improvement Program X

1310Requirements of the Quality Assurance and Improvement Program

X

1311 Internal Assessments X

1312 External Assessments X

1320 Reporting on the Quality Assurance and Improvement Program X

1321Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”

X

1322 Disclosure of Nonconformance X

PERFORMANCE STANDARDS X

2000 Managing the Internal Audit Activity X

2010 Planning X

2020 Communication and Approval X

2030 Resource Management X

2040 Policies and Procedures X

2050 Coordination X

GC PC DNC NA

2060 Reporting to Senior Management and the Board X

2070External Service Provider and Organizational Responsibility for Internal Auditing

X

2100 Nature of Work X

2110 Governance X

2120 Risk Management X

2130 Control X

2200 Engagement Planning X

2201 Planning Considerations X

2210 Engagement Objectives X

2220 Engagement Scope X

2230 Engagement Resource Allocation X

2240 Engagement Work Programs X

2300 Performing the Engagement X

2310 Identifying Information X

2320 Analysis and Evaluation X

2330 Documenting Information X

2340 Engagement Supervision X

2400 Communicating Results X

2410 Criteria for Communicating X

2420 Quality of Communications X

2421 Errors and Omissions X

2430Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”

X

2431 Engagement Disclosure of Nonconformance X

2440 Disseminating Results X

2450 Overall Opinions X

2500 Monitoring Progress X

2600 Communicating the Acceptance of Risks X

IIA CODE OF ETHICS X

DEFINITION OF INTERNAL AUDITING X

6

www.theiia.org

Executive SummaryDuring the EQA, several areas were noted where Internal Audit is operating in a successful internal audit practice manner. In addition, some areas were noted where there are opportunities for improvement that will strengthen conformance to the Standards or will enhance efficiency and effectiveness of Internal Audit processes. Detailed observations, recommendations, and Internal Audit responses to these opportunities for improvement are included in the following section of this report.

Successful Internal Audit Practices Noted

Standard 1220 The Internal Audit methodology requires the extensive use of checklists and templates embedded within their electronic work paper tool to ensure Internal Audit projects are planned and executed consistent with the defined methodology and that all required elements are considered.

Standard 2010 Internal Audit has a robust annual risk assessment process that incorporates input from stakeholders throughout the organization, including the Director General, the IAOC, and the various member states when developing the audit universe, conducting risk assessment, and preparing the annual audit plan.

Standard 2030 Internal Audit effectively uses third party resources to supplement audit staff and to provide subject matter expertise.

Standard 2300 Work papers supporting individual audit engagements are of a consistent high quality and generally exceed conformance with Standards requirements.

Opportunities for Improvement Noted

Standard 1000 Update the WIPO Internal Oversight Charter for several technical adjustments to align with the IIA Model Internal Audit Activity Charter (May 2013) which incorporates newly required elements of the Standards.

Standard 1220 Continue the IAOD strategy to enhance the use of data analytics in support of Internal Audit risk assessment, planning, and engagement execution.

Standard 1300 Document the QAIP in the Internal Audit Manual to fully describe all required elements such as objectives, scope, internal and external assessment components, and communication of results.

Standard 1311 Consider enhancing the periodic internal assessment process by using a combination of vertical and horizontal reviews of completed projects to support evaluation of conformance with the Standards and the Internal Audit methodology as well as efficiency and effectiveness of the underlying processes.

Standard 2000 Consider updating the 2012-2015 Strategic Plan for IAOD that supports the dynamic nature of WIPO and that guides activities of Internal Audit in a proactive, thoughtful, systematic, and practical manner.

Standard 2020 Communicate the risk-based audit plan to the IAOC for both review and approval.

Standard 2040 Consider updating the Internal Audit Manual to align with the current Internal Audit methodology that incorporates the effective use of an electronic work paper software tool.

7

www.theiia.org

Executive Summary

8

Opportunities for Improvement Noted (Continued)

Standard 2060 Consider adopting a Required Communications with the IAOC Checklist to ensure that all requirements are met and documented in the appropriate time frames.

Standard 2110 Consider incorporating an evaluation of the effectiveness of the organization’s ethics-related objectives, programs, and activities as well as information technology governance in support of the organization’s strategies and objectives into the annual audit planning process.

Standard 2120 Consider expanding the role of Internal Audit in support of the maturing and evolving ERM process within WIPO.

Standard 2410 Consider enhancing the audit reporting process by providing more clarity with regards to the relative significance of observations reported.

Thank you for the opportunity to be of service to Internal Audit. We will be pleased to respond to further questions concerning this report and furnish any desired information.

Basil Woller, CIA, CRMA Gina Eubanks, CIA, CRMA, CCSA, CISATeam Leader Vice President Professional Services

The Institute of Internal AuditorsTeam Member:Robert Riegel, CIA, CRMA, CISA, CRISC, CFSA, CFE

www.theiia.org

Successful Internal Audit Practices NotedSuccessful Internal Audit Practice Description

Standard 1220 – The Internal Audit methodology requires the extensive use of checklists and templates embedded within their electronic work paper tool to ensure Internal Audit projects are planned and executed consistent with the defined methodology and that all required elements are considered.

The checklists and templates used by Internal Audit are comprehensive and updated to address specific requirements for the area under review. The use of checklists and templates to plan, execute, and administer Internal Audit projects together with required supervisory review and approval ensures (1) consistent application of the Internal Audit methodology, (2) contributes to a high level of quality within Internal Audit projects, (3) provides a mechanism to document appropriate supervisory review and approval for critical elements within the work papers, and (4) demonstrates due professional care in conducting internal audits.

Standard 2010 – Internal Audit has a robust annual risk assessment process that incorporates input from stakeholders throughout the organization, including the Director General, the IAOC, and the various member states when developing the audit universe, conducting risk assessment, and preparing the annual audit plan.

Internal Audit generally, and the Director, IAOD specifically, have a “seat at the table” within the organization to appropriately capture information related to emerging and/or changing risk profiles while maintaining their independence and objectivity. This “seat at the table” is primarily ensured by formal interaction with the senior leadership team and open and direct access to senior stakeholders throughout the organization. The audit plan is the result of a risk assessment process that uses defined risk factors and rating criteria that in combination derive residual levels of risk for prioritization of areas for review. The plan is consistent with the entity-wide view of risk, and audits are focused to evaluate specific objectives related to mitigation of risk. There is an appropriate balance between financial reporting, compliance, and operational risk objectives in the annual audit plan.

Standard 2030 – Internal Audit effectively uses third party resources to supplement audit staff and to provide subject matter expertise.

Internal Audit uses third party resources primarily for technical skills associated with IT audit requirements. This is especially appropriate given the rapidly changing technical requirements needed to effectively audit technology risk. One of the challenges for a smaller internal audit activity is ensuring that the appropriate skill sets are in place to perform audit from a proficiency perspective. This effective and necessary use of third party resources is a successful internal audit practice for a smaller internal audit activity.

9

www.theiia.org

Successful Internal Audit Practices NotedSuccessful Internal Audit Practice Description

Standard 2300 – Work papers supporting individual audit engagements are of a consistent high quality and generally exceed conformance with Standards requirements.

This is especially noteworthy given the relative small size of Internal Audit. Observations communicated to senior management, the IAOC, and the external auditor were fully supported and linked to the underlying work papers. Documentation of information within the work papers –including planning, work programs, use of checklists, and supervisory review and approval – was maintained consistently across the projects reviewed and in strict conformance with the defined methodology. Opening and closing meeting materials were thorough and included the scope and results of engagements. Significant client communications were routinely included and there was appropriate evidence for supervisory review and approval of all work performed. The electronic work paper software tool was used in a very effective manner to integrate annual risk assessment with engagement level audit processes and tracking of results.

10

www.theiia.org


Opportunity for Improvement Internal Audit Response

Standard 1000 – Update the WIPO Internal Oversight Charter for several technical adjustments to align with the IIA Model Internal Audit Activity Charter (May 2013) which incorporates newly required elements of the Standards.

• Include language in Section E: Duties and Modalities of Work, Paragraph 14 that describes the nature of consulting services provided by IAOD. Consider language such as “Perform consulting and advisory services related to governance, risk management, and controls as appropriate for the organization.” Describing the nature of consulting services in the WIPO Internal Oversight Charter is a requirement of Standard 1000 C1.

• Include language in the WIPO Internal Audit Oversight Charter that recognizes the mandatory nature of the Definition of Internal Auditing, the IIA Code of Ethics, and the Standards. The WIPO Internal Oversight Charter is generally consistent with the Definition of Internal Auditing, the IIA Code of Ethics, and the Standards, but does not include specific language that recognizes their mandatory nature as required by Standard 1010.

Comment and Action Plan: IAOD agrees with the recommendation and will make the necessary proposals to the Independent Advisory Oversight Committee (IAOC) for amendments to be considered to the Internal Oversight Charter.

Responsible staff: T. Rajaobelina with the IAOC

Deadline: WIPO General Assembly 2015

Standard 1220 – Continue the IAOD strategy to enhance the use of data analytics in support of Internal Audit risk assessment, planning, and engagement execution.

For individual engagements, data analytics can effectively identify observations and support root-cause analysis for those observations reported to management. Expanding data analytics capability is consistent with successful internal audit practice and provides the opportunity to (1) enhance the audit process so it is faster and more efficient and effective, (2) shorten the audit cycle time to provide more timely risk and control assurance, (3) achieve greater audit coverage without the need to expand Internal Audit resource requirements, (4) be able to conduct selected audits on a periodic basis, (5) audit 100% of data populations rather than a sample, (6) improve the quality of assurance through the use of data and transactional analysis, and (7) enhance the value to audit clients and the organization as a whole. The use of data analytics is a successful internal audit practice that is becoming more commonplace as technology and data analytics become more embedded within the skill sets of internal auditors.

Comment and Action Plan: IAOD agrees with the recommendation. IAOD already uses data analytics in all audits, to the extent possible. IAOD has already acquired ACL licenses and went through training on ACL as well as PeopleSoft. IAOD will further develop its use of data analytics to effectively implement its continuous auditing approach. The objective will be for IAOD not only to systematically use data analytics in each engagement but also to develop IAOD reports on exceptions, anomalies, patterns and trends that will be produced based on analysis of information within WIPO systems.

Responsible staff: Tuncay Efendioglu - Sashidhar Boriah

Deadline: December 31, 2014

11

www.theiia.org



Standard 1300 – Document the QAIP in the Internal Audit Manual to fully describe all required elements such as objectives, scope, internal and external assessment components, and communication of results.

While required elements of the QAIP are in place and functioning, documentation does not currently support their sustainability and consistent execution. The IIA Practice Guide “Quality Assurance and Improvement Program” (March 2012) provides strongly recommended guidance on the topic of a QAIP. The scope of the QAIP should be the operation of Internal Audit as described in the WIPO Internal Oversight Charter. Objectives for the QAIP should be consistent with those described in Practice Advisory 1310-1 and include: (1) conformance with the Definition of Internal Auditing, the Standards, and the IIA Code of Ethics; (2) adequacy of the WIPO Internal Oversight Charter, goals, objectives, policies, and procedures; (3) contribution to the organization’s governance, risk management, and control processes; (4) compliance with applicable laws, regulations, and government or industry standards; (5) effectiveness of continuous improvement activities and adoption of best practices; and (6) the extent to which Internal Audit adds value and improves the organization’s operations. The processes used to support on-going monitoring of Internal Audit performance, internal periodic assessment, external assessment, and communication of internal and external assessment results should be documented in sufficient detail to consistently guide their execution.

Comment and action plan: IAOD agrees with the recommendation. As recognized in the EQA, required elements of the Quality Assurance and Improvement Program (QAIP) are in place and functioning and what needs to be done is to formalize it. IAOD will prepare a formal QAIP document to gather all the necessary elements to ensure sustainability and consistency

Responsible staff: Tuncay Efendioglu

Deadline: July 15, 2014

12

www.theiia.org



Standard 1311 – Consider enhancing the periodic internal assessment process by using a combination of vertical and horizontal reviews of completed projects to support evaluation of conformance with the Standards and the Internal Audit methodology as well as efficiency and effectiveness of the underlying processes.

Vertical and horizontal reviews are the two generally accepted methods to perform quality reviews of completed audit projects. A vertical review provides an evaluation of conformance with the Standards and examines a specific project from a top-down approach (e.g., an assessment of individual audit steps performed for a specific project work plan, e.g., planning steps, fieldwork steps and reporting steps). A horizontal review allows for an evaluation across all project engagements (e.g., use of the risk assessment matrix, supervisory review and approval process, or consistency in applying report ratings) from an efficiency and effectiveness perspective. A combination of these two methods is consistent with successful internal audit practice and contributes to continuous improvement of internal audit processes.

Comment and action plan: IAOD agrees with the recommendation. IAOD will prepare annual reports on the outcome of vertical and horizontal assessments.

Responsible staff: Tuncay Efendioglu

Deadline: August 31, 2014

Standard 2000 – Consider updating the 2012-2015 Strategic Plan for IAOD that supports the dynamic nature of WIPO and that guides activities of Internal Audit in a proactive, thoughtful, systematic, and practical manner.

Ensure strategies in the multi-year plan support (1) the robust risk assessment and annual planning process to focus on emerging high risk areas to WIPO including coverage of technology, strategic, and business risks; (2) alignment and coordination between Internal Audit as a third line of defense and other assurance activities associated with the second line of defense including ERM, (3) alignment of Internal Audit resources with the annual plan requirements from an organizational, staffing and on-boarding, and professional development perspective; and (4) the deployment of technology within Internal Audit to support the expanded use of data analytics for engagement planning and execution, and the implementation of continuous auditing protocols. Strategy statements should be supported by specific actions to execute the defined strategy. The IIA Practice Guide “Developing the Internal Audit Strategic Plan” (July 2012) might be considered as a resource when developing this plan.

Comment and action plan: IAOD agrees with the recommendation. IAOD will prepare a revised Internal Audit Strategy/Policy in accordance with its Internal Oversight Charter (paragraph 13).

Responsible staff: Thierry Rajaobelina in coordination with Member States and the IAOC.

Deadline: June 30, 2015

13

www.theiia.org



Standard 2020 – Communicate the risk-based audit plan to the IAOC for both review and approval.

While the risk-based audit plan and associated resource requirements including significant interim changes is communicated to the IAOC for review, the risk-based audit plan is not formally approved as required by Standard 2020 – Communication and Approval. Formal approval of the risk-based plan and the associated resource plan is a successful internal audit practice that demonstrates independent functional reporting and supports organizational independence and objectivity of Internal Audit.

Comment and action plan: IAOD takes note of the recommendation. The issue was discussed with the IAOC at its March 2014 session and it was decided that the IAOC would review the draft of the plan before its issuance. This new practice will begin at the end of 2014. To have the IAOC approve the plan will need a revision of the Internal Oversight Charter, on which IAOD can work with the IAOC.

Responsible staff: T. Rajaobelina with the IAOC.

Deadline: WIPO General Assembly 2015

Standard 2040 – Consider updating the Internal Audit Manual to align with the current Internal Audit methodology that incorporates the effective use of an electronic work paper software tool.

The manual was last updated in 2011 and does not currently include procedures that document the Internal Audit methodology in place and operating through the electronic work paper software tool. Procedures should be updated for (1) the annual risk assessment and planning process, (2) the engagement planning process, including work program development, (3) the engagement fieldwork process, (4) the engagement reporting process, and (5) the monitoring of reported observations process. In addition, as described in Standard 1300 – Quality Assurance and Improvement Program, the QAIP should be more fully documented to include objectives, scope, and procedures to implement internal and external assessment requirements and communication of results. Reviewing and updating the manual as a component of the periodic internal assessment process is a means to ensure the manual is current with professional guidance.

Comment and action plan: IAOD agrees with the recommendation. IAOD will prepare a revision of its audit manual and will submit it to the IAOC for its review in accordance with paragraph 13 of the Internal Oversight Charter.

Responsible staff: Tuncay Efendioglu and Alain Garba


14

www.theiia.org



Standard 2060 – Consider adopting a Required Communications with the IAOC Checklist to ensure that all requirements are met and documented in the appropriate time frames.

This checklist should be integrated into the IAOC agenda as appropriate and should be updated as changes to Standards become effective. This checklist, when combined with IAOC minutes, provides documentation that all required communications are considered and take place in the appropriate time frames. An example of this checklist in included as Attachment B to this report.

Comment and action plan: IAOD agrees with the recommendation. IAOD will discuss the checklist with the IAOC and prepare any required list for the IAOC’s consideration.

Responsible staff: Thierry Rajaobelina


Standard 2110 – Consider incorporating an evaluation of the effectiveness of the organization’s ethics-related objectives, programs, and activities as well as information technology governance in support of the organization’s strategies and objectives into the annual audit planning process.

Implementation Standards 2110.A1 and 2110.A2 adopted in 2009 require that the ethics and compliance program and information technology governance be evaluated as part of the evaluation of governance activities required by the nature of work Standards. Each of these items should be included in the audit universe, evaluated as part of the annual risk assessment, and incorporated into the annual audit plan as appropriate.

Comment and action plan: IAOD agrees with the recommendation. IAOD notes that audits of the organizations’ ethics-related objectives and of information technology governance were done in recent years (2010 in one case and from 2011 to 2013 for the second). In addition as regards ethics, IAOD also notes that the organization’s framework is continuously reviewed through investigations conducted by IAOD. IAOD will nevertheless specifically incorporate the ethics and compliance program and information technology governance in its oversight universe, risk assessment and annual plan as appropriate.

Responsible staff: Tuncay Efendioglu - Sashidhar Boriah

Deadline: 2015 annual plan exercise

15

www.theiia.org



Standard 2120 – Consider expanding the role of Internal Audit in support of the maturing and evolving ERM process within WIPO.

Consider the IIA Position Paper “The Role of Internal Auditing in Enterprise-Wide Risk Assessment”as guidance for the ongoing role. As the ERM process within WIPO continues to evolve, Internal Audit can provide assurance into how the organization identifies risks, assigns ownership of those risks, documents risk mitigation strategies and results, and monitors the residual levels of risk. Internal Audit should appropriately link the entity-level view of risk into their annual risk assessment process consistent with Standards requirements.

Comment and action plan: IAOD takes note of the recommendation. IAOD will continue advising the organization on the implementation of its ERM process. IAOD will also continue taking into account the entity-level view of risk when conducting its annual risk-assessment process.

Responsible staff: Thierry Rajaobelina

Deadline: on-going

Standard 2410 – Consider enhancing the audit reporting process by providing more clarity with regards to the relative significance of observations reported.

The current process describes the impact of observations but does not necessarily provide input into significance of the issue. Several key stakeholders suggested this would help them focus on those areas most critical to their operation while still being kept informed of other important issues. Categorizing exceptions using pre-defined criteria can provide a consistent view of significance across the organization and can provide insight into prioritization for management response and action. Rating criteria should be developed in consultation with key stakeholders consistent with the requirement of Standard 2410 A1.

Comment and action plan: IAOD agrees with the recommendation. IAOD will continue working on the clarity of its audit reports. IAOD will continue to prioritize its observations and recommendations. Efforts will be put in enhancing the process. Auditors have already been registered on report writing courses and collectively IAOD will organize a follow-up training in January 2015 on report writing.

Responsible staff: Tuncay Efendioglu - Alain Garba -Sashidhar Boriah

Deadline: next audit report

16

www.theiia.org

Attachment AConformance Rating Criteria

GC – “Generally Conforms” means the assessor has concluded the following:• For individual standards, that the internal audit activity conforms to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or elements of the

Code of Ethics (both Principles and Rules of Conduct) in all material respects. • For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity achieves general conformity

to a majority of the individual standards and/or elements of the Code of Ethics, and at least partial conformity to others, within the section/category.• For the internal audit activity overall, there may be opportunities for improvement, but these should not represent situations where the internal audit activity

has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives.

PC – “Partially Conforms” means the assessor has concluded the following:• For individual standards, the internal audit activity is making good faith efforts to conform to the requirements of the standard (e.g., 1000, 1010, 2000, 2010,

etc.) or element of the Code of Ethics (both Principles and Rules of Conduct) but falls short of achieving some major objectives.• For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity partially achieves

conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics• For the internal audit activity overall, there will be significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or

achieving their objectives. Some deficiencies may be beyond the control of the internal audit activity and may result in recommendations to senior management or the board of the organization.

DNC – “Does Not Conform” means the assessor has concluded the following:• For individual standards, the internal audit activity is not aware of, is not making good faith efforts to conform to, or is failing to achieve many/all of the

objectives of the standard (e.g., 1000, 1010, 2000, 2010, etc.) and/or elements of the Code of Ethics (both Principles and Rules of Conduct)• For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity does not achieve

conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics• For the internal audit activity overall, there will be deficiencies that will usually have a significant negative impact on the internal audit activity’s effectiveness

and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior management or the board.

17

www.theiia.org

Attachment BRequired Communications with the Internal Advisory Oversight Committee ChecklistExample of Documentation

18

Standard Communication Requirement Annual Communication Documentation

1000 The CAE must periodically review the Internal Audit Department Charter and present it to Senior Management and the Audit Committee for review and Audit Committee approval.

The Internal Audit charter was amended and presented to senior management and the Audit Committee for review and approval at the January XX, 20XX, Audit Committee Meeting.

1010 The CAE should discuss the Definition of Internal Auditing, the Code of Ethics, and the IIA Standards with Senior Management and the Audit Committee.

The Definition of Internal Auditing, the Code of Ethics, and the Standards were discussed with senior management and the Audit Committee in conjunction with the Internal Audit charter review at the January XX, 20XX, Audit Committee meeting.

1110 The CAE must confirm to the Audit Committee, at least annually, the organizational independence of the internal auditing activity.

As the CAE, I hereby confirm the organizational independence of the internal audit activity as of May XX, 20XX.

1111 The CAE must communicate and interact directly with the Audit Committee. As the CAE, I confirm that an appropriate level of communication and interaction has taken place between me and the Audit Committee.

1312 The chief audit executive must discuss with the Audit Committee the form and frequency of external assessment as well as the qualifications and independence of the external assessor or assessment team, including any potential conflicts of interest.

Discussions were held at the November XX, 20XX, Audit Committee Meeting related to the need for and the frequency of the periodic external assessments, the form of the external assessment, and the qualification and independence of the external assessor.

1320 The CAE must communicate the results of the quality assurance and improvement program to senior management and the Audit Committee. The results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer’s or review team’s assessment with respect to the degree of conformance.

Results of the Continuous Monitoring and Annual Internal Quality Assessment Review of Internal Audit was communicated to Executive Management on January XX, 20XX, and to the Audit Committee on January XX, 20XX. The results of the external quality assessment performed by XXXX was communicated to Executive Management and the Audit Committee on February XX, 20XX.

2020 The CAE must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the Audit Committee for review and approval. The CAE must also communicate the impact of resource limitations.

Communication of status of internal audit plans and resource requirements was reported on at least a quarterly basis to the Audit Committee. At the November XX, 20XX, Audit Committee Meeting, Internal Audit reported that there were no audits below the resource cut line on the Proposed 20XX Audit Plan that Internal Audit believed were necessary to be performed in 20XX. Accordingly, there were no material impacts associated with resource limitations.

2060 The CAE must report periodically to senior management and the Audit Committee on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Audit Committee.

Communication of Internal Audit’s purpose, authority, and responsibility was reported to the Audit Committee on January XX, 20XX. On a periodic basis, the CAE also reports significant risk exposures and control issues, including fraud risks, governance issues, and other matters at the request of the Audit Committee.

internal audit quality assessment presented to: world ... · internal audit quality assessment...

Documents