Feature Article Archive
CGIAR Internal
Auditors and Information Technology Professionals see Eye to Eye!
Often the relationship between
auditors and auditees is caricatured as adversarial. You may have
heard the joke that the second biggest lie told on the planet is
when internal auditors turn up to a client and say "Hi, we are
the auditors and we are here to help you", and that the
biggest lie is the response: "Great, we are so happy to see
you!"
Auditors aren't paid to be loved. But we are
paid to be effective. And the philosophy of the CGIAR Internal
Audit Unit is that we will be most effective as internal
auditors when our auditees trust us and can work with us
effectively in order to promote improvements for the good of their
Center and for the CGIAR System as a whole. One way of reaching
this desired state is for us to work together with auditees on the
benchmarks for evaluating practices in their areas. Achieving this
collaborative relationship is not always easy, and we have to
balance this with keeping our independence and professional
skepticism, but it is one of the most enjoyable aspects of our
work.
We have benefited from a long history of working
together with the CGIAR Chief Information Officer and with Center
information and communication technology (ICT) professionals, who
have welcomed our presence as part of the CGIAR ICT community of
practice. As well as working with ICT staff on particular audits
in their Centers, and participating in the annual meetings of the
ICT managers where risk and control aspects are discussed, the
CGIAR IAU has had a long engagement with the CGIAR Enterprise
Security and Business Continuity Project. An important product of
this project, after a lengthy consultative process involving ICT
staff, external consultants and internal auditors, is a recently
completed series of Good Practice Guides on topics relating to ICT
security and usage, to which all parties have subscribed.
The initial sets of topics were voted by the Center
IT Managers as being of highest priority. The guides that have now
been co-published by the CGIAR IAU and the CGIAR ICT-KM Program
provide a set of "do's and don'ts" on such topics
as how to make good use of limited connectivity, how to keep Center
networks secure, and how to avoid spam and usage practices that
degrade the performance of systems. They can also serve as
benchmarks for Centers and their internal auditors, to see where
the Center stands in terms of good and better practices, to put in
context audit recommendations and ICT Unit proposals for further
investments in ICT security and continuity.
In recognition that every Center's environment is
different, the documents are deliberately prepared as guides.
Judgment will still be required, by Center ICT managers and staff
and by internal auditors, as to what is applicable and feasible in
the case of each Center, when evaluating that Center against the
benchmarks.
The Guides were recently endorsed at the 2009 CGIAR
ICT Managers' Meeting in Cali, Colombia, and topics for further
guides to be developed in future were agreed. The published Guides
are global public goods, available freely to CGIAR partners as well
as internally, under a Creative Commons license. To access them,
click on the links below:
A meeting of minds doesn't always produce a
love-fest between auditors and their clients, but it makes sure our
engagements are as professional and productive as possible for
everyone. We hope this will be the case as a result of working
together closely with our ICT colleagues on these Good Practice
Guides.
Internal Auditors Meet in Mexico
Good Center governance, effective risk management and
efficiency. Without these the CGIAR Centers would not be able to
do their job. Everyone in a Center has their role to play in
supporting these. But there are some Center staff who devote all
their work day to looking into these subjects - the internal
auditors. There are about 25 of them spread across the CGIAR
System. Drawing on their international internal auditing standards
and a whole host of good practice benchmarks, they review a wide
variety of aspects of Center operations each year, in Headquarters
and in outreach stations. As well as looking at financial systems
they review such things as project management, occupational health
and safety, farm management, partnership contracts and information
technology.
Every two to three years, all the internal auditors of the CGIAR
System get together, along with a number of guests, to share
experience, participate in professional development activities and
consult on the best ways of applying the international internal
auditing standards to their work. This year the meeting was held
in Mexico from June 24 to July 2, 2009, partly in Mexico City
and partly at the International Center for Wheat and Maize
Improvement (CIMMYT) at Texcoco.
The meeting is sponsored by the CGIAR Internal Auditing Unit.
The event provided a rare opportunity for auditors and clients of
their services, who are spread all over the globe, to get together
in one place to exchange views and undertake training to make their
work more relevant and useful to the CGIAR Centers.
CGIAR Internal Auditors based in Benin, Colombia, India, Kenya,
Mexico, Philippines and the United States attended, as well as a
number of Center finance/corporate services staff, who provided a
client perspective to the proceedings. Taking advantage of the
meeting being held this time in the Western Hemisphere, the group
was joined by a number of guest speakers and trainers, active in
the international internal auditing profession, who are based in
Mexico and the United States.
In a welcome address to the group, the CIMMYT Director General,
Dr. Tom Lumpkin, discussed the crucial and evolving role of internal
auditing in the business world and its importance for centers
like CIMMYT, and endorsed the need for a strong, independent
internal audit function: "We count on you to give us the
'bad' news when we get off course, to oppose us when
we're wrong," he said. IAU Director John Fitzsimon noted
that "timely advice from well trained and well informed
internal auditors can help Centers as they strive to meet their
missions".
The agenda for the week, a record of proceedings and copies of
various presentations made are available in the
"CGIAR-only" section of this website.
Thinking about the use, adoption or influence of internal audit work
The CGIAR Internal Auditing Unit is one of several shared
service units in the CGIAR System, and participates in a common
annual Unit performance assessment process within the Center
Alliance structure. Interestingly, one element of the assessment is
for the common service units to reflect on, and present, the major
outcomes of their activities.
This requires the Internal Audit community in the CGIAR System
to consider this in relation to our own work. We are familiar, in
the international internal auditing profession, with analyzing what
we produce (our outputs) and other more intermediate effects of our
work. But what could be the main outcomes and impact of the
internal audit function?
This requires us to think more closely about the use, adoption
or influence of internal audit work, no less than our audit clients
must do so about their activities. One way to approach this in the
internal audit context is to ask a number of key questions:
- Have the audits and advisory work of the Unit, and the Center
IAs under its guidance, resulted in useful changes by Centers
that improve their capacity to mitigate various risks? This
is tested with Center management in each audit assignment, and at
six monthly or annual intervals when the Audit Committees of the
Board of Trustees review the work and the Center's
responsiveness to audit recommendations. In that sense, the CGIAR
Internal Audit Unit has to prove its worth on a continual basis to
stay in business. Internal Audit has, over recent years,
undertaken work across a wide range of topics based on individual
Center priorities, so far to the overall satisfaction of the Center
clients. The adoption rates for recommendations rated as
significant, which is one metric of utility, are increasingly being
systematically monitored and reported to Audit Committees. In
general, implementation rates range from good to high depending on
the Center, and where significant recommendations remain pending,
their relevance is regularly reviewed and confirmed. Feedback from
Centers on, and examples of use of the IAU Good Practice Notes,
indicates that this remains a valued product of the
Unit.
- Has the visibility of the Unit, and the Center IAs under its
guidance, encouraged discipline and deterred misuse of Center
resources even in those areas of operation not directly
audited? There appears to be wide agreement among Center clients
that this is the case although it is impossible to test or
determine its significance, and mismanagement and misuse/fraud
certainly hasn't been reduced to zero! The IAU hypothesizes
that the efforts, since the Unit's establishment in 2000, to
improve the professionalism of the internal audit function in the
Centers have had a positive effect in this regard. However, there
is an ongoing challenge for the Unit and the Center Internal
Auditors who work with it to find ways, without requiring more
resources, to detect, and foster action on, potential problems
inside their client Centers as early as possible.
- Has the existence of the Unit, and its efforts to increase
internal audit professionalism across the Centers, resulted in
maintaining or improving donor confidence? Again hard to
test. It is expected this would be the case, in a negative sense,
i.e. an absence of a well functioning internal audit service within
the CGIAR System would be detrimental to donor confidence. There
are particular cases over the years where the existence of the IAU
has enabled positive interactions at the donor auditor level that
have hopefully contributed to a sense of ease on the donor side.
As part of the continual improvement of the internal audit
function in the CGIAR System, the CGIAR Internal Auditing Unit is
promoting a conversation within the internal audit community and
with its Center clients on how to better define and track the
outcomes of investments in the function. This will be a topic at
the next CGIAR Internal Audit Professional Development Week to be
held in June 2009 in Mexico.
How to Disagree with Auditors
This article was authored by Dan Swanson, president and CEO of Dan
Swanson and Associates. He is a 26-year internal audit veteran, who
most recently was director of professional practices at the
Institute of Internal Auditors. The article appeared on the Expert
Q&A section of the ICT Compliance Institute website (www.itcinstitute.com) and is
reproduced with the kind permission of the author.
A Reader Asks: I
don't agree with a couple of points in my auditors'
assessment. What's the best strategy for getting them to revise
it?
The Auditor Responds: In short,
getting an auditor to revise an assessment does not require a
"strategy": just facts. An auditor's function is to
provide an independent and objective opinion on the activity,
project, subject, etc, that's "under review." If you
can provide facts that support your viewpoint, the auditors should
adjust their opinion. If you can't provide the facts, you
cannot expect the auditors to change the report.
Disagreements are generally painful - awkward at
best, disastrous at worst. Thus, you should have two goals whenever
you disagree with your auditor: (1) resolving the disagreement, and
(2) figuring out how to prevent disagreements in future audit
cycles.
Most issues fall in one of two categories:
- The auditor's assessment is wrong, in which
case you should start gathering the facts and arguments that will
sway the auditor to your point of view
- The auditor's assessment is basically
accurate, but you don't agree it's a problem or you
don't want the problem to appear on a report. In reality, this
is the more common type of manager/auditor disagreement.
Unfortunately, it tends to spark less productive discussions, since
it challenges auditor judgment, not findings. A successful strategy
for swaying auditor opinion should focus on the report tone, item
significance and recommended action plan.
Years ago, a colleague learned the distinction of
these two categories from a managerial auditee. The manager started
a review meeting of a draft audit with a statement that said,
essentially, "I accept that we screwed up and that we need to
fix some problems. Here is my action plan and our progress to date.
Can anything be done to make the final audit report sound less
harsh?" A very productive discussion between auditors and the
manager ensued. Ultimately, the auditors revised the draft
statement so that it was less damaging to the manager's
department. And the auditors and manager had a much better
relationship in future audits.
Sometimes management disagrees not with facts,
but with the auditor's interpretation of the significance of
the situation. In other words, a manager is less concerned with the
facts than the "rating." What happens if the auditor and
manager cannot come to an agreement? In such (hopefully rare)
situations, the audit committee has ultimate authority: both the
manager and the auditor should present their views to the audit
committee, which will recommend an action or finding with input
from the governance oversight committee.
Obviously, however, preventing a disagreement is
more desirable than resolving a conflict that has already generated
tension and even ill will between the disputants. To reduce the
potential of audit-related conflict, management must be involved
early and often with each audit - not just at the reporting stage. In
fact, the earlier and more involved management is, the better and
more relevant the final audit is likely to be.
During audit planning, management should discuss
with auditors the audit scope, purpose, objectives, approach, and
proposed evaluation criteria. During audit testing, management
should understand what the audit team is doing; for example, what
audit tests are being performed and generally what the test results
are. Finally, during audit reporting, management should find out
early (during the audit debriefing meeting) what the main issues
are and what the key recommendations will be - prior to the actual
writing of the audit report. Management should raise its concerns
early, before the report is set in stone and while discussion can
still help to clarify arguable matters.
For its part, the audit team should establish an
open and transparent audit process, from start to finish, that
allows managers to better understand and fully participate in the
audit process. This way, when disagreements do occur (and they
will) the "discussions" will be productive, and the facts
will "speak for themselves."
Implementing Whistleblowing Systems
There is increasing interest in
organizations establishing whistleblowing systems as part of good
governance. They provide a confidential channel, bypassing normal
supervisory communication channels in an organization, for staff or
others to convey concerns regarding conduct by Board members,
managers or staff which they feel:
- Is against or circumvents the
Organization's governing rules, policies and established
standards and codes of conduct;
- Is improper, unethical or unlawful;
- Is, or will result in, a waste of the
Organization's resources;
- Is inconsistent with the standards they
believe the Organization subscribes to;
- Is an attempt to cover up any of these
types of actions; or
- Is already known to, but not being
diligently reviewed and acted upon by, the Organization's
managers.
The benefits of having a whistle-blowing
policy are that it helps to create an environment of efficiency,
openness and transparency, and demonstrates a commitment on the
part of the organization to operate in a manner intended to
facilitate high levels of honesty and integrity amongst its staff.
Such a policy can also act as an effective early warning system in
identifying possible illegal activity or mismanagement, since staff
are generally in the best position to identify these types of
problems. Finally, a whistle-blowing policy makes it clear that it
is every staff member's duty to report evidence of misconduct,
and then provides them with a clear avenue to do so. Not knowing
where to turn to when confronted with evidence of this type of
problem in the absence of such a policy can be extremely stressful
for employees.
A commonly heard argument against
whistle-blowing policies is that they are an invitation for
anonymous griping, or may lead to a culture of denunciation. This,
however, can be avoided by a well-designed policy, with appropriate
implementation procedures.
However, implementing whistleblowing
systems effectively is a complex undertaking. The CGIAR Internal
Auditing Unit has produced a good practice guide and policy
template to assist CGIAR Centers in implementing such systems. Important
elements of an effective whistleblowing system, which are explained
in the Note, are:
- Make the whistleblower channels part of a
broader set of communication channels which promote open
communication about concerns and use of whistleblowing channels as
a last resort.
- Ensure employee communication channels
reinforce the Center's Codes of Conduct, conflict of interest
policies, business integrity strategies and risk management systems
and promote compliance. They should enable and promote a trustful,
fair and transparent organizational culture in the Center.
- Implement an employee reporting system
that is broad in scope, permitting employees to register concerns
about any aspect of Center compliance with internal policies, laws
or regulations.
- Include, in ethics policies or codes of
conduct, a duty to disclose serious violations of Center policy and
laws. Employee reporting policy and/or orientation material and
presentations should provide guidance on the steps taken to protect
employees against retaliation and reporting systems should ensure
confidentiality and permit anonymity that will protect genuine
complainants.
- Ensure the employee reporting system
includes appropriate procedures for the timely assessment of the
merits of complaints received, for protecting the system against
frivolous or malicious use by disgruntled employees, and for
maintaining the strict confidentiality of complaint information to
protect reputations of complaint targets while the complaints are
investigated.
- Implement an employee reporting system
which can support the identification of "hotspots" that
indicate a need for policy or other institutional changes beyond
the actions specific to particular complaints.
- Analyze the costs and benefits of in-house
versus co-sourcing solutions to providing confidential
employee reporting, case management and analysis systems. An
appropriate balance between cost and best practice should be
determined and explicitly considered by the Center.
The CGIAR Internal Auditing Unit promotes
the use of an external provider to provide secure web and telephone
contact points for whistleblowers and to provide an established
system to track reports. However, it believes one provider should be
selected by all Centers, or at least a group of Centers, to make
this option economical. In the meantime, Centers are opting to use
the Board Chair, Audit Committee Chair or Internal Audit as the
contact point for whistleblowers.
The Good Practice Note on Whistleblowing
has been circulated to Centers but can also be downloaded from the
restricted (CGIAR only) section of this website.
Auditors, Genebanks and Crop Databases
When you think of internal auditors,
what comes to mind? Probably for many of you it will be people with
their noses in the financial records, checking whether numbers add
up, appropriate documentary evidence supports accounting entries,
the cash is under lock and key, and vehicles, stores and equipment
are tracked and can be found at all times. This is certainly
important bread and butter work for auditors.
But there is more to the work of CGIAR internal
auditors than this. Take for instance our work related to what may
be the most visible and enduring activity of the CGIAR System, the
one that will continue perhaps in perpetuity: the ex situ
conservation of genetic resources relating to the staple food crops
for which the CGIAR has an internationally recognized mandate to
research. Just as critical as the CGIAR Centers' reputation for
sound management of financial resources, is their reputation for
being responsible and reliable custodians of the priceless assets
which these genetic resource collections comprise.
It is no accident that number 1a. of the
CGIAR's Research Priorities is promoting conservation and
characterization of staple crops.
Conserving plant genetic resources in genebanks -
as seeds, in vitro or cryogenically - and recording and
disseminating the information that will make the collections useful
for agricultural development, is a complex, intensive and expensive
activity. But getting it right is essential for ensuring that the
germplasm collections are always available for research to aid,
even save, many poor people around the world and, if necessary, for
the restart of agriculture in countries devastated by natural or
man-made disaster.
As part of its advisory work for Centers on the
implementation of enterprise risk management, the CGIAR Internal
Auditing Unit has been working with the Center genebank managers
and the System-wide Genetic Resources Program (SGRP) to develop an
appropriate framework of analysis for the risks relating to
conservation and use of genetic resources, and using this framework
to articulate the priority areas for improvement efforts in
managing the genebank collections and the information on them.
Under Phase 2 of a World Bank-funded Global
Public Goods project, starting in early 2007, the IAU will be
assisting the Centers with an extensive re-assessment of the risk
management framework and extending this framework to consider
inter-Center collaboration on crops in common, and wider
collaborative activities with national and regional genebanks under
an emergent global system of conservation and use as envisaged
under the International Treaty for Plant Genetic Resources for Food
and Agriculture. It is also expected that the products of this
re-assessment, along with the best practice material to be
developed in parallel under other activities of the Project, will
become valuable global public goods that national and regional
genebanks can also use for the management of their own collections
and their collaborative activities in a global system.
As internal auditors, we are not about to drop
our interest in traditional areas, but don't be surprised if
some of us show more interest these days in such matters as
material transfer agreements, phytosanitary protocols, strategies
to manage somaclonal variations in vegetatively propagated
collections, the correct use of pollination bags during seed
regeneration, black box safety duplication arrangements and the
quality of crop database records!
From Afghanistan to Zimbabwe: Audits of the CGIAR Center Regional Offices
Did you know that,
besides the 15 headquarters, the CGIAR Centers have a collective
presence in well over 100 other locations around the world? In
every Center, internal auditors are requested by Boards of Trustees
and management to undertake assurance and advisory work in such
locations, including facilitation of the roll out of risk
management programs. Not every CGIAR location can be covered every
year, and some locations are very small or fully hosted by other
CGIAR Centers. However, in the twelve months of 2006 CGIAR internal
auditors audited offices and experimental stations in such diverse
countries as Afghanistan, Brazil, Costa Rica, Egypt, Ethiopia,
France, Malawi, Mali, Mozambique, Nepal, New Caledonia, Niger,
Senegal, Solomon Islands, Turkey, Uganda and Zimbabwe, in addition
to the 14 countries where the CGIAR Centers have their main
headquarters campuses. Even within headquarter countries, internal
auditors have been called on during 2006 to visit remote stations
and project offices such as in the Sonora Desert of Mexico, Gujarat
in India and western and northern Nigeria. Coverage of the widely
decentralized presence of the CGIAR Centers represents a major
component of internal audit work every year. To respond, the CGIAR
Internal Auditing Unit has prepared a good practice note on
Regional/Country Office Business Objectives and Performance
Indicators. This note is aimed at helping Centers to have a clear
rationale for maintaining their investments in the various
locations and to monitor expected deliverables from the
investments. In addition the IAU has developed a detailed risk
analysis template for regional and country offices and experimental
stations away from headquarters. These help the offices to
self-assess the adequacy of controls and other measures for typical
risks and/or prepare for future internal audit visits. The template
also helps the internal auditors efficiently manage their planning
for their audit visits, using them as communication tools to help
the offices prepare and send much information ahead of time. Audit
visits are not just carried out to check the cash box and the local
bank account. Internal auditors review and advise on such diverse
topics as decentralized program and project management, research
data practices, occupational health and safety, sale of station
produce, local taxation and labor law compliance, asset management
and partner contracting. And we take back lessons and
recommendations to the headquarters for wider application across
the Centers... Truly A-Z auditing!
CGIAR Internal Auditors Meet in Nairobi
Approximately every two years, all the internal auditors
of the CGIAR System get together, along with a number of guests, to
share experience, participate in professional development
activities and consult on the best ways of applying the
international internal auditing standards to their work. This year
the meeting, lasting 5 days, was held in Nairobi at the end of June
and beginning of July 2006 and the venue rotated between the World
Agroforestry Center (ICRAF) and the International Livestock Research
Institute (ILRI), both headquartered in Nairobi.
The meeting was sponsored by the
CGIAR Internal Auditing Unit. Internal Auditors based in Kenya,
Nigeria, Benin, India, Philippines, Mexico, Cali and Washington DC
attended, as well as a number of Center corporate services /
finance staff and the Lead Financial Officer from the CGIAR
Secretariat who provided a client perspective to the discussions.
The group was joined by a number of invited guest speakers
providing multiple perspectives under the broad theme of
"Challenges and Opportunities for Internal Audit". Guests
included the Acting Regional Inspector General of USAID based in
South Africa; the Internal Auditor General of the Government of
Kenya; the Regional Partner for Sub-Saharan Africa from
PricewaterhouseCoopers; and the Managing Partner of UHY Advisors,
which is assisting with a number of donor-funded initiatives on the
development of the internal auditing profession in Africa.
Part of the week also involved
collaboration with the Kenya Chapter of the Institute of Internal
Auditors Inc. - the worldwide professional body. Some high quality
sessions on various internal audit topics were led by a number of
leading internal auditors and risk managers from the Kenyan private
sector. These sessions enabled the CGIAR internal auditors to
update themselves on various specific aspects of professional best
practice, and showcased some of the remarkable internal audit
talent from the continent.
Drawing on the various discussions,
the internal audit group worked on the last day of the meeting on
the development of a common CGIAR Internal Auditing Manual - a work
in progress whose first edition is planned to be completed in
2006.
The agenda for the
week, a record of proceedings and copies of various presentations
made are available in the "CGIAR-only" section of this
website.
The Good, the Bad and the Ugly: Audit as a tool for institutional learning and change
The environment for audit is changing. With rapid evolution in such
areas as technology, markets, competition for funds, and cost
structures, the idea of a single, fixed model of good practice
often no longer applies in many aspects of CGIAR Center operations.
Multiple business objectives add complexity. There are also risk
versus opportunity considerations to be weighed: the what,
where, when and how of internal control depends on a "risk
appetite", not a "golden standard". What does this
mean for Internal Audit's work? This was the subject of a
presentation in 2005 to ICRISAT staff.
Click to see
the presentation.
Risk Management Initiative Underway
The CGIAR Internal Auditing Unit is working
with client Centers to develop their risk management systems.
Spurred by recent spectacular governance failures in the private
and public sectors, a number of CGIAR member countries have
developed standards and codes on risk management, and for some
public and private sector enterprises the implementation of
systematic organization-wide risk management processes and public
reporting on these by governing boards is now mandatory. An
influential CGIAR donor wrote to all Centers in 2003 encouraging
them to adopt a similar approach. The CGIAR Internal Auditing Unit
believes that this will aid Centers to avoid surprises, better
manage risks and opportunities, and strengthen donor confidence in
their overall governance - a key ingredient in any strategy to stem
the erosion of unrestricted funding of the Centers.
A Good Practice Note on Center-wide Risk
Management and a Discussion Paper on Board Statements on Risk
Management have been prepared by the Unit after extensive research
on standards, codes and practices in CGIAR member countries. These
documents, as well as a summary presentation on Center-wide Risk
Management, are available to staff of the CGIAR Centers, System
Office and CGIAR partners in the restricted section of this
website. Access to this section is being developed through Center
intranets.
The planned outcome of the Unit's work this
year is the adoption by client Center Boards of a risk management
policy and a format for an annual Board statement on risk
management (for the Center's annual report or
equivalent).
New Internal Audit Web Pages Launched
These pages were
launched during the IWMI Board of Governors meeting in New Delhi in
November 2003. The IWMI Board of Governors Chair Ambassador Remo
Gautschi and Director General Frank Rijsberman joined the Audit
Committee Chair, Ms. R. Daba Fall and Audit Committee members Ms.
Joan Joshi and Dr. Rivka Kfir to view the new pages.
The web pages are aimed at providing information on the internal
auditing functions in the CGIAR System, and a database of good
practice and discussion notes on topics related to risk management,
internal control and corporate governance, for CGIAR Centers and
CGIAR System Office components and for CGIAR partners. Photo
caption:
The IWMI Board Chair, Audit Committee
members and Director General view the new internal audit web pages
with the CGIAR Internal Auditing Unit Director, John
Fitzsimon.