CGIAR: Consultative Group on International Agricultural Research

Internal Audit: What We Do

Internal Audit services to the Centers include assurance and advice in relation to a wide range of aspects of a Center’s operations, including Center Governance, Research Operations, Management of Physical infrastructure, Finance and Administration, Technology and Outreach activities. Through the CGIAR IAU, Internal Audit also provides System-wide services to support the enhancement of risk management and control activities uniformly across the System. To learn more about what Internal Audit does in relation to specific aspects of Center and System-wide activities, see the sections below.

Center Governance

Internal Audit advises Center senior management, Audit Committees and Boards of Trustees on good practice with regard to Center governance. The CGIAR IAU has prepared a number of materials to promote the implementation of internationally accepted enterprise governance good practice. These materials support reports and presentations on the subjects to particular Centers.

A prominent example of this is enterprise risk management. The CGIAR IAU is working with Centers to develop their enterprise risk management systems. The CGIAR IAU believes that effective enterprise risk management systems will aid Centers to avoid surprises, better manage risks and opportunities, and strengthen donor confidence in their overall governance. The CGIAR IAU made a general presentation on Risk Management in the CGIAR Future Harvest Centers at the CGIAR Annual General Meeting in Mexico in October 2004.

A Good Practice Note on Enterprise Risk Management and a Discussion Paper on Board Statements on Risk Management have been prepared by the CGIAR IAU after extensive research on standards, codes and practices in CGIAR member countries. These documents, as well as a Summary presentation on Center-wide Risk Management, provide reference resources to Centers. In general, the frameworks and approaches being adopted by the Centers follow these benchmarks.

Other Center governance-related presentations and guides prepared by the CGIAR IAU include:

During 2008 the CGIAR IAU is planning to issue Good Practice Notes on Codes of Conduct and Enterprise Performance Information Reporting.

Since 2005 the CGIAR IAU has also been assisting with the review of the indicators relating to governance practice, scientific publications and human resources in the CGIAR Performance Measurement System. The IAU seeks, as the Performance Measurement System matures, to identify opportunities to improve the indicators, and to promote consistency of measurements and validation methods.

Research Project Management

A major part of the Centers’ core business is carried out in the form of research projects with defined scope, duration and outputs. The research project management cycle broadly covers project development, approval, donor negotiation (where funding is sought from restricted sources), initiation, implementation, closure and evaluation.

The CGIAR IAU has prepared an overview Good Practice Note on Project Management Processes, to provide benchmarks at the project activity level for effective and efficient portfolio management and quality systems. This has been developed for Center self-assessment as well as for audit reviews of project management which are scheduled in Center audit work programs. The Good Practice Note draws on practice from within the Centers as well as external standards and practices applicable to project management generally and research management in particular. During 2005, the CGIAR IAU will focus on supplementing this Note with further good practice information on research project risk identification, analysis and management.

Research Partnerships

CGIAR Centers work with partners in a variety of modes in pursuit of their missions. The Centers sub-contract research activities with national agricultural research systems in developing countries, advanced research institutes, non-governmental organizations and the private sector. Some Centers also coordinate research networks which bring together various organizations working on related research problems. These partnerships are essential elements of Center research activities but also bring with them effectiveness, efficiency, financial and reputational risks. Internal Audit conducts audits for Centers to assess the management of partner contracts and network coordination and evaluate how well these risks are managed. Internal Audit may also, as part of program, project or outreach office audits, survey partners to assess Center performance, and upon request of Centers will conduct financial and internal control audits in partner organizations as part of Center due diligence activities.

Business Continuity

Many Centers operate in locations where the risk to operations of significant natural disaster or political turbulence is heightened. All Centers rely heavily on the ongoing availability of information and communication technology (ICT) for their operations. Business continuity encompasses the resilience of Center operations in the event of a disaster affecting its people, infrastructure, genetic resource collections, knowledge resources and information and communications systems. Internal Audit supports the implementation of effective business continuity management through:

  • the publication of a Good Practice Note on Business Continuity Management which provides a framework for business continuity management drawing on external standards as well as lessons learned from Center experience;
  • reviews of business continuity practice in the context of Center-wide risk management processes;
  • audits of existing Center practice against the Good Practice framework; and,
  • working closely with the CGIAR Chief Information Officer (CIO) Office and Center IT Managers on the planning and implementation of a System-wide Enterprise Security and Business Continuity Project, which aims to develop and implement baseline policies for the protection of the CGIAR Centers’ information assets, as a component of a broader Center business continuity plan.

Information and Communications Technology

The CGIAR Centers use information and communications technology (ICT) extensively for both scientific and business purposes, and ICTs are critical for effective global connectivity within and between the Centers, and with their partners and investors. Each Center governs its ICT policies and management, but there is a growing trend of collective action, harmonization and shared services among the Centers concerning ICT, and this is being actively promoted by the CGIAR CIO and the Center ICT Manager community. Some services have been jointly outsourced to external providers for some time and other services are now under similar consideration as the marketplace for these services evolves. ICT risks figure prominently in Center risk assessments as key risks which are highly dynamic and require close attention. The CGIAR IAU works with the CIO’s Office and the Center ICT Manager community to enhance the common understanding in the CGIAR System of the ICT risks, control issues, potential solutions and methodology for evaluating potential ICT investments.

The Internal Audit group within the CGIAR includes a small, core group of auditors who are qualified and experienced in ICT audit, and these are regularly supplemented by outsourced expertise. The CGIAR IAU promotes the CISA-certification and related continuing professional development of CGIAR internal auditors: CISA is the globally recognized Certified Information System Auditor certification from the Information Systems Audit and Control Association, a worldwide professional body for ICT audit and control professionals.

Internal Audit supports individual Centers with assurance and advisory services focused on ICT functions in their headquarters and regional locations, and is sharing lessons from these audits and from external research through ICT-related Good Practice Notes. The number of such Good Practice Notes, which are published in exposure draft and final form, is gradually growing, and existing ones are in the process of being updated. The current Notes cover:

Research Infrastructure

Eleven Centers maintain experimental stations and other research facilities in various locations in Africa, Asia and Latin America. These include farms, laboratories, workshops and warehouses. Internal Audit includes, in its Center work programs, audits of the management of these facilities. As well as providing assurance to Center management that there are adequate measures in place to protect the physical assets, the audits can identify opportunities to improve the efficiency of the facilities and advise Centers on facility charge-back arrangements to ensure the full cost of research projects can be properly determined, budgeted and reported, and that informed decisions on the financing of the full costs can be made.

Genetic Resources Collection and Distribution

The CGIAR Centers hold priceless collections of genetic resources for food and agriculture, and work with national systems in the collection and preservation of these genetic resources. Eleven Centres together maintain over 700,000 samples of crop, forage and agroforestry genetic resources in the public domain, in various ex situ and in situ genebanks. Of these, over 533,000 are designated in trust for the world community under international agreements. The Centres are committed to conserving these collections for the long-term and to making the germplasm and associated information available as global public goods. The CGIAR IAU has worked closely with the Center genebank managers and the System-Wide Genetic Resources Program (SGRP) to develop and update a Genetic Resources Collection and Distribution Risk Analysis Template to help Center genebank managers identify, analyze and manage risks related to the collection, accessioning, storage, distribution and information keeping on germplasm. This risk assessment forms part of the Unit’s support to risk management systems in the Centers.

This template will be further refined and linked to best practice guidance on risk mitigations by a senior scientist funded by the World Bank-supported Global Public Goods Asset Rehabilitation Project Phase II. The CGIAR IAU worked closely with SGRP on the development of this project, particularly the components relating to risk assessment. The second phase will also extend the risk analysis to the development of a global system of crop genetic resources conservation and use as envisaged under the International Treaty on Plant Genetic Resources for Food and Agriculture.

Financial Management and External Audit

The CGIAR System has adopted common policies (CGIAR Financial Guidelines series) for financial management, accounting, financial reporting and external audit, which draw on international best practice. Accounting and financial reporting policies draw on, and are almost fully aligned with, the International Financial Reporting Standards published by the International Accounting Standards Board. CGIAR policies commit the Centers to having external financial statement audits conducted in accordance with International Standards on Auditing published by the International Auditing Practices Committee of the International Federation of Accountants.

The development and update of these policies is coordinated by the CGIAR Secretariat in Washington DC, but conducted jointly with the Finance Executives community of the CGIAR Centers. The CGIAR IAU participates in these processes, providing advice and facilitation.

Internal Audit undertakes audits, as part of Center internal audit work programs, of various aspects of financial management. This can include reviewing Center policies, procedures and practices for the management of accounts payable and expenditures, accounts receivable and revenue, treasury functions, liquid assets (investments, bank accounts, cash flow management and protection of cash on hand), payroll processing, accruals and provisions, and designated reserves. The CGIAR IAU has prepared a Good Practice Note on the Management of Liquid Assets to assist Centers to benchmark and improve their own practices and controls in this area. From time to time, Centers may also seek the advice of Internal Audit on the application of particular accounting policies. The CGIAR IAU also participates as an observer and resource for the review group of Center financial executives, which on an annual basis undertakes peer reviews of the Center financial statements.

Each Center Board of Trustees, assisted by their Audit Committees, is responsible for arranging, receiving the results of, and evaluating the annual external audits of the Center’s financial statements. The CGIAR IAU has prepared a Good Practice Note on the Evaluation of Incumbent External Auditors to assist Audit Committees to discharge their oversight role.

The external auditors are responsible for forming an independent opinion on the financial statements and are responsible for ensuring that they undertake appropriate audit procedures to enable this according to international standards. The external auditors' work will focus on reviewing the risk of material misstatement in the Center's annual financial statements, while the internal auditor's work will focus on other risks not covered by the external audit. There is a mutual interest by the external and internal auditors to ensure that there are no important gaps in review coverage across the range of risks facing the Centers. However, from time to time more in-depth testing of financial transactions by internal audit may be requested by Centers to help prepare for, or support, the external audit. A typical area where this is the case is the audit of the controls over, and reporting on, financial activities and fixed asset holdings in locations outside Center headquarters.

The CGIAR has determined a policy of rotation of Center external auditors at least every 5 or 7 years and Boards of Trustees are requested to implement this policy in their own audit policy. The CGIAR IAU has published a Good Practice Note on the Selection Criteria for External Auditors, to assist Centers with the process, development of requests for proposals and evaluation methodology. Consistent with international internal auditing standards, Internal Audit can assist the Centers’ Audit Committees by coordinating or advising on the tendering for and evaluation of external audit proposals, and submitting relevant information for decision making by the Audit Committee and Board of Trustees.

Procurement

CGIAR Centers engage in national and international purchasing of specialized research equipment, information technology, laboratory and experimental station supplies, vehicles, office equipment and supplies, and outsourced services such as farm labor, security, grounds maintenance, construction, catering and transport. The CGIAR IAU conducts audits for Centers to provide assurance over compliance with CGIAR and Center procurement policies, assess the design and effectiveness of anti-fraud measures, and evaluate options to improve the value for money in the purchasing activity.

The IAU also conducts audits of the selection and use of consultants and research partners. During 2007, the IAU supported a CGIAR task force to review the CGIAR Procurement Guidelines, and this effort included expanding the guidelines in relation to research sub-contracting.

Fraud Prevention and Detection

Internal Audit supports the Centers to implement effective fraud prevention and detection systems through various aspects of its work. This is closely linked to work by the CGIAR IAU to support the implementation of risk management processes, codes of conduct and other activities related to reinforcing the control environment in the Centers. Internal Audit reviews the design and effectiveness of anti-fraud measures for such activities as financial management and reporting, procurement, payroll, warehouse/workshop/farm operations, IT systems management, partnership management and project management, as part of audits of these topics.

Internal Audit can also assist Centers in the conduct of fraud investigations, either by providing information and logistical support to expert investigators commissioned directly by the Centers or by supervising investigations which are conducted by externally-sourced experts. In such cases Internal Audit will work closely with Center legal counsel.

Internal Audit draws on practice advisories of the Institute of Internal Auditors and on the resources of the Association of Certified Fraud Examiners, an internationally active professional body in this field, in the conduct of work related to fraud prevention and detection.

Donor Compliance

A majority of Center funding now comes through restricted or targeted funding, wherein donors provide finance under specific conditions established in agreements. Internal Audit undertakes reviews of systems and processes within the Centers, and tests samples of research projects, to ensure consistent compliance. Internal Audit may also, on request of Centers, undertake financial audits of projects to meet Center reporting obligations to donors where this has been agreed with the donors.

Human Resources Management

The effectiveness of Centers is underpinned by their human resource management. The CGIAR IAU is working with CGIAR System Office colleagues in the CGIAR Strategic Advisory Service for Human Resources and the CGIAR Gender and Diversity Program as well as the CGIAR Centers’ Human Resources Manager community, to develop good practice benchmarks for human resources management. Centers can self-assess, and internal auditors can conduct audits, against such benchmarks to support HR continuous improvement efforts in the Centers. These cover such aspects as the promotion of values and equity, strategic workforce planning, HR metrics, organizational design, change management, diversity management, recruitment/selection/orientation, performance management, staff development, codes of conduct, benefits administration and exit procedures. An overview Good Practice Note on Human Resource Management has been prepared by the CGIAR IAU in collaboration with System Office and Center HR practitioners.