Internal Audit: What We Do
Internal Audit services to the Centers include assurance and
advice in relation to a wide range of aspects of a Center's
operations, including Center governance, research operations,
management of physical infrastructure, finance and administration,
technology and outreach activities. Through the CGIAR IAU, Internal
Audit also provides System-wide services to support the enhancement
of risk management and control activities uniformly across the
System. To learn more about what Internal Audit does in relation to
specific aspects of Center and System-wide activities, see the
sections below.
 Center Governance
Internal Audit advises Center senior management, Audit
Committees and Boards of Trustees on good practice with regard to
Center governance. The CGIAR IAU has prepared a number of materials
to promote the implementation of internationally accepted
enterprise governance good practice. These materials support
reports and presentations on the subjects to particular
Centers.
A prominent example of this is enterprise risk management. The
CGIAR IAU has been working with Centers over a number of years, to
develop, launch and maintain their enterprise risk management
systems. The CGIAR IAU believes that effective enterprise risk
management systems will aid Centers to avoid surprises, better
manage risks and opportunities, and strengthen donor confidence in
their overall governance.
A
Good Practice Note on Enterprise Risk Management
and a
Discussion
Paper on Board Statements on Risk Management have been
prepared by the CGIAR IAU after extensive research on standards,
codes and practices in CGIAR member countries. The Good Practice
Note has been updated a number of times to capture lessons learned
and further good ideas identified during implementation in a number
of Centers. These documents, as well as a
Summary
presentation on Center-wide Risk Management ,
provide
reference resources to Centers. In general, the frameworks and
approaches that are being adopted by the Centers follow these
benchmarks.
Other Center governance-related presentations and guides
prepared by the CGIAR IAU include:
During 2009 the CGIAR IAU is planning to issue Good Practice
Notes on Codes of Conduct and Enterprise Performance Information
Reporting.
Since 2005 the CGIAR IAU has also been assisting with the review
of the indicators relating to governance practice, scientific
publications and human resources in the CGIAR Performance
Measurement System, and providing advice and support to the
external auditor of the performance indicators reported by the
Centers. The IAU seeks, as the Performance Measurement System
matures, to identify opportunities to improve the indicators, and
to promote consistency of measurements and validation methods.
Research Project Management
A major part of the Centers' core business is carried out in
the form of research projects with defined scope, duration and
outputs. The research project management cycle broadly covers
project development, approval, donor negotiation (where funding is
sought from restricted sources), initiation, implementation,
closure and evaluation.
The CGIAR IAU has prepared an overview
Good
Practice Note on Project Management Processes
, to provide
benchmarks at the project activity level for effective and
efficient portfolio management and quality systems. This has been
developed for Center self-assessment as well as for audit reviews
of project management which are scheduled in Center audit work
programs. The Good Practice Note draws on practice from within the
Centers as well as external standards and practices applicable to
project management generally and research management in
particular.
With the majority of CGIAR Center funding now coming from
restricted grants, accurate budgeting for the full costs of
projects is essential for negotiations with donors on funding and
management decision making on acceptance of cofinancing obligations
where such donors will not or cannot fund the full costs. At a
macro level the proper costing and charge back of project costs is
critical for the overall financial health of the Center. The
IAU's
Good Practice
Note on Project Costing
laid out the principles and
preceded the update of CGIAR Financial Guideline No 5 (FG5). During
2009 the Good Practice Note will be updated to take account of the
new FG5.
Research Partnerships
CGIAR Centers work with partners in a variety of modes in
pursuit of their missions. The Centers sub-contract research
activities with national agricultural research systems in
developing countries, advanced research institutes,
non-governmental organizations and the private sector. Some Centers
also coordinate research networks which bring together various
organizations working on related research problems. These
partnerships are essential elements of Center research activities
but also bring with them effectiveness, efficiency, financial and
reputational risks. Internal Audit conducts audits for Centers to
assess the management of partner contracts and network coordination
and evaluate how well these risks are managed. Internal Audit may
also, as part of program, project or outreach office audits, survey
partners to assess Center performance, and upon request of Centers
will conduct financial and internal control audits in partner
organizations as part of Center due diligence activities.
Business Continuity
Many Centers operate in locations where the risks to operations
of significant natural disaster or political turbulence is
heightened. All Centers rely heavily on the ongoing availability of
information and communication technology (ICT) for their
operations. Business continuity encompasses the resilience of
Center operations in the event of a disaster affecting its people,
infrastructure, genetic resource collections, knowledge resources
and information and communications systems. Internal Audit supports
the implementation of effective business continuity management
through:
- the publication of a
Good
Practice Note on Business Continuity Management
which
provides a framework for business continuity management drawing on
external standards as well as lessons learned from Center
experience;
- reviews of business continuity practice in the context of
Center-wide risk management processes;
- audits of existing Center practice against the Good Practice
framework; and,
- working closely with the CGIAR Chief Information Officer (CIO)
Office and Center IT Managers on follow up activities to a
System-wide Enterprise Security and Business Continuity
Project , with a view to obtaining consensus among the Center
IT managers on best practices for the protection of the CGIAR
Centers' information assets, as a component of a broader Center
business continuity plan.
Information and Communications
Technology
The CGIAR Centers use information and communications technology
(ICT) extensively for both scientific and business purposes, and
ICTs are critical for effective global connectivity within and
between the Centers, and with their partners and investors. Each
Center governs its ICT policies and management, but there is a
growing trend of collective action, harmonization and shared
services among the Centers concerning ICT, and this is being
actively promoted by the CGIAR CIO and the Center ICT Manager
community. Some services have been jointly outsourced to external
providers for some time and other services are now under similar
consideration as the marketplace for these services evolves. ICT
risks figure prominently in Center risk assessments as key risks
which are highly dynamic and require close attention. The CGIAR IAU
works with the CIO's Office and the Center ICT Manager
community to enhance the common understanding in the CGIAR System
of the ICT risks, control issues, potential solutions and
methodology for evaluating potential ICT investments.
The Internal Audit group within the CGIAR includes a number of
auditors who are qualified and experienced in ICT audit, but the
Unit also relies on outsourced expertise. The CGIAR IAU promotes
the CISA-certification and related continuing professional
development of CGIAR internal auditors: CISA is the globally
recognized Certified Information System Auditor certification from
the
Information Systems Audit
and Control Association
, a worldwide professional body for
ICT audit and control professionals.
Internal Audit supports individual Centers with assurance and
advisory services focused on ICT functions in their headquarters
and regional locations, and is sharing lessons from these audits
and from external research through ICT-related Good Practice Notes.
The number of such Good Practice Notes, which are published in
exposure draft and final form is gradually growing and existing
ones are in the process of being updated. The current Notes
cover:
IAU has also co-published in 2009, with the ICT-KM Program, an
initial set of Good Practice Guides which cover, in more depth,
selected topics. The initial set of topics was prioritized by the
CGIAR Center IT Managers, and this group also provided extensive
input into their preparation:
Further topics have been identified by the IT Managers for
future Good Practice Guides.
Research Infrastructure
The Centers maintain experimental stations and other research
facilities in various locations in Africa, Asia and Latin America.
These facilities include farms, laboratories, workshops and
warehouses. Internal Audit includes, in its Center work programs,
audits of the management of these facilities. As well as providing
assurance to Center management that there are adequate measures in
place to protect the physical assets, the audits can identify
opportunities to improve the efficiency of the facilities and
advise Centers on facility charge-back arrangements to ensure the
full cost of research projects can be properly determined, budgeted
and reported, and that informed decisions on the financing of the
full costs can be made.
The CGIAR IAU has prepared Good Practice Notes to guide Centers
in their management of regional, sub-regional and project offices
outside Headquarters:
Genetic Resources Collection and
Distribution
The CGIAR Centers hold priceless collections of genetic
resources for food and agriculture, and work with national systems
in the collection and preservation of these genetic resources.
Eleven Centers together maintain over 700,000 samples of crop,
forage and agroforestry genetic resources in the public domain, in
various ex situ and in situ genebanks. The majorities of these have
been designated as held in trust for the world community and have
recognition under the International Treaty for Plant Genetic
Resources for Food and Agriculture (ITPGRFA).
The Centres are committed to conserving these collections for the
long-term and to making the germplasm and associated information
available as global public goods. The CGIAR IAU is working closely
with the Center genebank managers and the System-Wide Genetic
Resources Program (SGRP), to implement a risk management framework
to identify, analyze and manage risks related to the collection,
accessioning, storage, distribution and information keeping on the
germplasm in their collections. This framework, comprising a risk
management guideline consistent with Center enterprise risk
management systems, and an Excel-based tool for capturing and
analyzing the risks, was developed under Activity 1.1 of the World
Bank-financed Global Public Goods Phase 2 (GPG2) Project, and can
be found in the CGIAR Crop Knowledgebase website at
http://cropgenebank.sgrp.cgiar.org/index.php?option=com_content&view=article&id=135&Itemid=236.
The CGIAR IAU assisted with this: see the overview presentation
made at a
2007 GPG2 Project Workshop on this activity.
Financial Management and External Audit
The CGIAR System has adopted common policies (
CGIAR
Financial Guidelines series
) for financial management,
accounting, financial reporting and external audit, which draw on
international best practice. Accounting and financial reporting
policies draw on, and are almost fully aligned with, the
International Financial Reporting Standards published by the
International Accounting Standards Board. CGIAR policies commit the
Centers to having external financial statement audits conducted in
accordance with International Standards on Auditing published by
the International Auditing Practices Committee of the International
Federation of Accountants.
The development and update of these policies is coordinated by
the CGIAR Secretariat in Washington DC, but conducted jointly with
the Finance Executives community of the CGIAR Centers. The CGIAR
IAU participates in these processes, providing advice and
facilitation.
Internal Audit undertakes audits, as part of Center internal
audit work programs, of various aspects of financial management.
This can include reviewing Center policies, procedures and
practices for the management of accounts payable and expenditures,
accounts receivable and revenue, treasury functions, liquid assets
(investments, bank accounts, cash flow management and protection of
cash on hand), payroll processing, accruals and provisions, and
designated reserves. The CGIAR IAU has prepared a
Good
Practice Note on the Management of Liquid Assets
to assist
Centers benchmark and improve their own practices and controls in
this area. From time to time, Centers may also seek advice of
Internal Audit on the application of particular accounting
policies. The CGIAR IAU also participates as an observer and
resource for the review group of Center financial executives, which
on an annual basis undertakes peer reviews of the Center financial
statements.
Each Center Board of Trustees, assisted by their Audit
Committees, is responsible for arranging, receiving the results of,
and evaluating the annual external audits of the Center's
financial statements. The CGIAR IAU has prepared a
Good Practice Note on the Evaluation of Incumbent External
Auditors
to assist Audit Committees to discharge their
oversight role.
The external auditors are responsible for forming an independent
opinion on the financial statements and are responsible for
ensuring that they undertake appropriate audit procedures to enable
this according to international standards. The external
auditors' work will focus on reviewing the risk of material
misstatement in the Center's annual financial statements, while
the internal auditor's work will focus on other risks not
covered by the external audit. There is a mutual interest by the
external and internal auditors to ensure that there are no
important gaps in review coverage across the range of risks facing
the Centers. However, from time to time more in depth testing of
financial transactions by internal audit may be requested by
Centers to help prepare for, or support, the external audit. A
typical area where this is the case is the audit of the controls
over, and reporting on, financial activities and fixed asset
holdings in locations outside Center headquarters.
The CGIAR has determined a policy of rotation of Center external
auditors at least every 5 or 7 years and Boards of Trustees are
requested to implement this policy in their own audit policy. The
CGIAR IAU has published a
Good Practice Note on the Selection Criteria for External
Auditors
, to assist Centers with the process, development
of requests for proposals and evaluation methodology. Consistent
with international internal auditing standards, Internal Audit can
assist the Centers' Audit Committees by coordinating or
advising on the tendering for and evaluation of external audit
proposals, and submitting relevant information for decision making
by the Audit Committee and Board of Trustees.
Procurement
CGIAR Centers engage in national and international purchasing of
specialized research equipment, information technology, laboratory
and experimental station supplies, vehicles, office equipment and
supplies, and outsourced services such as farm labor, security,
grounds maintenance, construction, catering and transport. The
CGIAR IAU conducts audits for Centers to provide assurance over
compliance with CGIAR and Center procurement policies, assess the
design and effectiveness of anti-fraud measures, and evaluate
options to improve the value for money in the purchasing
activity.
The IAU also conducts audits of the selection and use of
consultants and research partners. During 2007, the IAU supported a
CGIAR task force to review the CGIAR Procurement Guidelines, and
this effort included expanding the guidelines in relation to
research sub-contracting.
Fraud Prevention and Detection
Internal Audit supports the Centers to implement effective fraud
prevention and detection systems through various aspects of its
work. This is closely linked to work by the CGIAR IAU to support
the implementation of risk management processes, codes of conduct
and other activities related to reinforcing the control environment
in the Centers. Internal Audit reviews the design and effectiveness
of anti-fraud measures for such activities as financial management
and reporting, procurement, payroll, warehouse/workshop/farm
operations, IT systems management, partnership management and
project management, as part of audits of these topics.
Internal Audit can also assist Centers in the conduct of fraud
investigations, either by providing information and logistical
support to expert investigators commissioned directly by the
Centers or by supervising investigations which are conducted by
externally-sourced experts. In such cases Internal Audit will work
closely with Center legal counsel.
Internal Audit draws on practice advisories of the
Institute of Internal Auditors
and on the resources of the
Association of Certified Fraud
Examiners
, an internationally active professional body in
this field, in the conduct of work related to fraud prevention and
detection.
Donor Compliance
A majority of Center funding now comes through restricted or
targeted funding, wherein donors provide finance under specific
conditions established in agreements. Internal Audit undertakes
reviews of systems and processes within the Centers, and tests
samples of research projects, to ensure consistent compliance.
Internal Audit may also, on request of Centers, undertake financial
audits of projects to meet Center reporting obligations to donors
where this has been agreed with the donors.
Human Resources Management
The effectiveness of Centers is underpinned by their human
resource management. The CGIAR IAU has worked with the CGIAR
Centers' Human Resources Manager community and the CGIAR Gender
and Diversity (G&D) Program, to develop good practice
benchmarks for human resources management. Centers can self-assess,
and internal auditors can conduct audits, against such benchmarks
to support HR continuous improvement efforts in the Centers. These
cover such aspects as the promotion of values and equity, strategic
workforce planning, HR metrics, organizational design, change
management, diversity management,
recruitment/selection/orientation, performance management, staff
development, codes of conduct, benefits administration and exit
procedures. An overview
Good
Practice Note on Human Resource Management
has been
prepared by the CGIAR IAU in collaboration with the G&D Program
and Center HR practitioners. This overview note supplements
extensive and detailed good practice material on the G&D
Programs website.
The protection of the CGIAR Center's staff, as well as
visitors, is a key item in every Center's human resources risk
management program. To supplement the overview Good Practice Note,
the CGIAR IAU has prepared a
Good Practice Note on
Occupational Health and Safety Management
, which draws on
ILO guidelines in this area.
|
