wipo internal auditing manual

Upload: wanasr

Post on 04-Nov-2015


  • Internal Audit and Oversight Division

    INTERNAL AUDIT MANUAL

    February 14, 2011

  • Internal Audit Manual

    February 14, 2011

    TABLE OF CONTENTS

    FOREWORD
    1. PURPOSE
    2. POLICY FRAMEWORK
    3. ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES
        3.1 THE INTERNAL AUDIT FUNCTION IN WIPO
        3.2 MISSION
        3.3 INDEPENDENCE
        3.4 AUTHORITY
        3.5 CONFLICT OF INTEREST
    4. ATTRIBUTES OF INTERNAL AUDIT STAFF
        4.2 DUE PROFESSIONAL CARE
        4.3 CONTINUOUS PROFESSIONAL DEVELOPMENT
    5. KEY AUDIT PROCEDURES
        5.1 GENERAL INFORMATION
        5.2 AUDIT PLANNING AND RISK ASSESSMENT PROCESS
        5.3 AUDIT NEEDS ASSESSMENT (ANA)
        5.4 RISK ASSESSMENT CRITERIA USED IN BI-ANNUAL AUDIT PLANNING
        5.5 AUDIT COVERAGE METHODOLOGY AND CYCLE
        5.6 AUDIT RESOURCES PLANNING AND BUDGETING
            5.6.1 Cooperation with External Auditors
            5.6.2 Criteria for Calculation of Audit Days
        5.7 CONDUCTING AUDITS
            5.7.1 Audit Assignment Planning
            5.7.2 Assignment Planning Considerations:
            5.7.3 Notifying Management
            5.7.4 Audit Planning Quality Review
            5.7.5 Audit Fieldwork
                5.7.5.1 Arranging Audit Files
                5.7.5.2 Working Paper Summaries
                5.7.5.3 Working Papers
                5.7.5.4 Indexing and Referencing
                5.7.5.5 Working Paper Review
            5.7.6 Reporting of Audit Results
                5.7.6.1 Draft Audit Report
                5.7.6.2 Final Audit Report
                5.7.6.3 Other Internal Audit and Oversight Reports
                5.7.6.4 Access to IAOD Oversight Reports and Working Papers
                5.7.6.5 Follow up of Internal Audit Recommendations
            5.7.7 Acceptance of Risk by Senior Management
            5.7.8 Types of Audits
            5.7.9 Use of Information Technology in Audits
    6. QUALITY CONTROL AND ASSURANCE
    7. COORDINATION WITH OTHER OVERSIGHT BODIES
        7.1 WIPO AUDIT COMMITTEE
        7.2 EXTERNAL AUDITOR
        7.3 JOINT INSPECTION UNIT (JIU)
    ANNEX I: AUDIT PRE-PLANNING
    ANNEX II: AUDIT PLANNING
    ANNEX III: AUDIT FIELDWORK
    ANNEX V: RISK ASSESSMENT
    ANNEX VI: INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)


    Foreword

    This WIPO Internal Audit Manual is established in accordance with the provisions of the WIPO Internal Oversight Charter (2010).

    The preparation of this Manual has taken into account the International Standards for the Professional Practice of Internal Auditing (Standards) of the IIA and good practice applied by the United Nations and promulgated by the UN Representatives of Internal Audit Services (RIAS).

    The Manual includes information on internal audit techniques, methods and procedures followed by IAOD internal auditors. It will help ensure the delivery of internal audit work reports of a consistently high standard and assured quality.

    I am pleased to gratefully acknowledge the good work Tuncay Efendioglu, Steve Woess and Silvia Nunez have put into developing this Manual.

    Nick Treen
    Director, IAOD
    February 14, 2011


    1. Purpose

    The Internal Audit Manual (the Manual) establishes the key operating policies and procedures that govern the internal audit activity, in compliance with the Internal Oversight Charter (IOC), the Organization's policies and procedures, and other international standards for the professional practice of internal auditing.

    This Manual is primarily designed to establish a level of uniformity and consistency within the Internal Audit Section with a view to further strengthening professionalism of internal audit staff, and serving as a guidance document for all World Intellectual Property Organization (the WIPO) staff and other WIPO stakeholders (Member States, Audit Committee, External Auditors, etc.) on the modus operandi of the Internal Audit Section.

    2. Policy Framework

    The key policies and procedures that govern the work of the Internal Audit Activity in WIPO are:

    (a) The IOC (Attachment 1), which defines the mandate, authority and prerogatives, reporting, resources and other duties and modalities of work of the Internal Audit and Oversight Division (IAOD).

    (b) The WIPO Financial Regulations and Rules (the FRR), which incorporates the IOC as an annex.

    (c) The WIPO Staff Regulations and Staff Rules.

    (d) WIPO General Assembly Decisions.

    (e) Internal Audit Strategy (the Strategy) and Audit Risk Assessment Methodology (Attachments 2 and 3).

    (f) WIPO's policies and procedures relating to the system of internal control and framework.

    (g) Accounting Standards applicable to the UN System Organizations.

    (h) International Standards for the Professional Practice of Internal Auditing Framework (IPPF).

    3. Organizational Structure and Responsibilities

    The Internal Audit and Oversight Division (IAOD) was established in May 2000. Its original mandate included both internal audit and investigation functions. The Division also informally acted as a focal point for investigation and inspection. With the approval of the WIPO Internal Audit Charter by the General Assembly in September 2005 (revised twice in September 2007 and September 2010), inspection and evaluation activities were incorporated into the IAOD's mandate.

    3.1 The Internal Audit Function in WIPO

    The Internal Audit Section is part of the Internal Audit and Oversight Division (IAOD), and consists of the Head of Audit, and sufficient internal audit staff based in Geneva. Changes in audit needs in line with the organizational structure and risk appetite of senior management are taken into account in determining the sufficiency of audit staff in WIPO.

    The Director, IAOD (hereinafter referred to as "Director, IAOD") shall determine the extent of human and other resources required to accomplish IAOD's mandate and objectives economically, effectively and efficiently. In doing so, the Director shall take into account:

    - The results of risk assessment of operations, which is part of the audit universe [1];

    - The needs for implementing the IAOD bi-annual audit work plan;

    - Resources required to secure staff training and development programmes, audit research and development efforts; and,

    - The need to meet administrative and logistical requirements.

    In addition, the Director shall:

    - Establish and maintain a personnel management system for recruiting, training, developing, evaluating, and administering IAOD staff in accordance with the WIPO Staff Regulations and Staff Rules and the Standards for the Professional Practice of Internal Auditing;

    - Assist the Human Resources Management Department in developing a Post Description for each Internal Auditor;

    - Appraise the performance of each Internal Auditor;

    - Counsel staff on their performance and professional development;

    - Promptly notify IAOD staff of career development opportunities;

    - Conduct regular meetings to discuss issues of concern to IAOD staff; and,

    - Establish and maintain the policies and procedures that govern the Internal Audit Section in accordance with the provisions of the IOC, the WIPO FRR and International Standards for Professional Practice of Internal Auditing (IPPF).

    3.2 Mission

    The mission of the Internal Audit Section is to provide the Management with systematic assurance, analysis, appraisals, recommendations, advice and information, with a view to assisting WIPO Management and other stakeholders on the effective discharge of their responsibilities and the achievement of WIPO mission and goals.

    In line with its mission, the objectives of the Internal Audit Section include endeavoring to assess the cost-effectiveness of controls, and making recommendations for effectiveness, efficiency, economy of WIPO's policies and procedures and use of resources, as well as assessing compliance with WIPO's Financial Regulations and Rules, Staff Regulations and Staff Rules, relevant General Assembly decisions, the applicable accounting standards and the Standards of Conduct for the International Civil Service, as well as best practice.

    3.3 Independence

    The Director, IAOD is responsible to the Director General and is part of the WIPO staff but not management. The Director, IAOD and oversight staff shall be independent of all WIPO programs, operations and activities he/she audits, to ensure impartiality and credibility of the work undertaken.

    The Director, IAOD, enjoys functional and operational independence in the conduct of his/her duties. He/she has the authority to initiate, carry out and report on any action, which he/she considers necessary to fulfill his/her mandate. The Director, IAOD shall receive requests for his/her services from the Director General, to be included in the workplans, but he/she should be free to carry out any action within the purview of his/her mandate.

    [1] Audit Universe is an inventory of all auditable areas that is compiled and maintained to identify areas for audit during the audit planning process.

    3.4 Authority

    For the performance of his/her duties, the Director, IAOD shall have unrestricted, unlimited, direct and prompt access to all WIPO records, officials or personnel, holding any WIPO contractual status, and to all WIPO premises. The Director, IAOD shall have access to the Chair of the General Assembly, the Program and Budget Committee and the Audit Committee.

    The right of all staff and personnel to communicate confidentially with, and provide information to, the Director, IAOD, without fear of reprisal, shall be guaranteed by the Director General. This is without prejudice to measures under WIPO Staff Regulations and Staff Rules, where information is transmitted to the Director, IAOD with knowledge of its falsity, or with willful disregard of its truth or falsity.

    The Director, IAOD shall respect and keep the confidential nature of any information gathered or received that is applicable to an internal audit, evaluation, investigation or inspection, and shall use such information only in so far as it is necessary for the performance of these functions.

    3.5 Conflict of Interest

    Conflicts of interest should be avoided. Significant and material conflicts of interest are required to be reported to the Audit Committee, who shall recommend such actions that may be needed to mitigate and reduce the undesirable effects of any conflicts of interest. The Director, IAOD shall periodically obtain information from internal oversight staff and ensure that potential and actual conflict of interest and bias situations are prevented, and that internal audit and oversight work is conducted in accordance with the professional Code of Ethics and the Code of Conduct for International Civil Servants.

    4. Attributes of Internal Audit Staff

    4.1 Professional Proficiency

    Internal audit staff are expected to possess adequate knowledge, technical skills and competencies to be able to apply and comply with the provisions of the IOC, international standards for professional practice of internal auditing and procedures covered in this Manual. The Director, IAOD and the Head of the Internal Audit Section have the overall responsibility to ensure compliance with the Manual.

    "Knowledge, skills, and other competencies" is a collective term that refers to the professional proficiency required of internal auditors to effectively carry out their professional responsibilities. Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as the Certified Internal Auditor (CIA) designation and other designations offered by The Institute of Internal Auditors and other internationally recognized professional organizations.

    4.2 Due Professional Care

    Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

    Internal auditors must exercise due professional care by considering:

    - The extent of work needed to achieve the assignment's objectives;

    - The relative complexity, materiality, or significance of matters to which assurance procedures are applied;

    - The adequacy and effectiveness of governance, risk management, and control processes;

    - The probability of significant errors, fraud, or noncompliance; and,

    - The cost of assurance in relation to potential benefits.

    In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques.

    Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

    4.3 Continuous Professional Development

    Internal Audit staff are responsible for continuing their education in order to maintain their proficiency. They should keep abreast of latest developments and improvements in internal auditing standards, procedures, and techniques. Continuing education may be obtained through membership and participation in professional societies, attendance at meetings, seminars, college courses, in-house training programmes, on-line or correspondence courses and participation in research projects. However, these activities should be kept at a reasonable level and not impinge on the internal audit staff's availability.

    IAOD has adopted a training policy (Attachment 4) that sets out the framework of training activities for each section, i.e. Internal Audit, Investigation and Evaluation, and individual staff members within the division, to ensure that staff possess the necessary technical knowledge, skills and competencies to be able to carry out the duties and responsibilities they are assigned.

    5. Key Audit Procedures

    5.1 General Information

    Internal audit work is conducted in line with the provisions of the IOC, WIPO FRR and International Standards for Professional Practice of Internal Auditing (IPPF) issued by the Institute of Internal Auditors (the IIA).

    In accordance with the existing framework, IAOD adopted an Internal Audit Strategy that sets out the context for internal audit activities in WIPO. The Strategy aims to provide the Director General, Member States and the Audit Committee with an independent and objective assessment of WIPO's business processes and systems, risk management, control and governance processes. The Strategy document has been revised to reflect the changes WIPO (the Organization) has undergone since the inception of the Strategy in 2007 and to align with the new strategic objectives of the Organization.

    5.2 Audit Planning and Risk Assessment Process

    WIPO has not yet established an organization-wide Enterprise Risk Management (ERM) framework which the Internal Audit Section could take into account when developing annual work plans. In line with the Institute of Internal Auditors (IIA) standards and good practice, IAOD has therefore been carrying out its own risk assessments with a view to identifying an Audit Needs Assessment (ANA), to maximize the effective and efficient use of limited audit resources, by focusing on operational areas of high risk. The risk model developed by IAOD is based on good practice advisory suggested by the IIA. The risk model is reviewed and revised, if need be, to strengthen common understanding and facilitate audit planning discussion with WIPO Management and the Audit Committee.

    5.3 Audit Needs Assessment (ANA)

    The ANA establishes the audit requirements that enable the Internal Audit Section to provide adequate assurance for all WIPO activities over a period of time (4 years initially) to the Director General, the Member States and other stakeholders, that the system of internal controls in place is effective and operating as intended. The Internal Audit Section will help WIPO management in developing its own enterprise level risk registers at corporate and program levels, which should be linked to WIPO's strategic goals and monitored by the Management on an ongoing basis.

    The ANA helps determine the full amount of audit resources IAOD should have to effectively carry out its mandate and link the resource requirements to the Audit Work Plans.

    5.4 Risk Assessment Criteria Used in Bi-Annual Audit Planning

    The Bi-annual risk assessment process will take into account the following criteria:

    - Materiality: high monetary value and/or volume of transactions;

    - Past audit coverage;

    - Degree of Organizational and Management Change;

    - Essential functions;

    - Financial exposure of the area being audited;

    - Inherent risk of the area being audited;

    - Existence of Fall Back Arrangements;

    - Complexity and maturity of IT systems.

    The risk assessment criteria are applied to each operational area/process to develop a risk factor for each auditable unit. The criteria being used for risk ranking are assigned a value from 1 to 5 and then sorted by significance to identify high audit areas in order of risk.

    In addition to the criteria used above, the risk assessment process shall consider the below-mentioned factors in finalizing the annual audit plan:

    - Audit requests mandated by the General Assembly;

    - Specific requests by the Director General;

    - Specific internal audit work on which the external auditors may place reliance;

    - Specific areas of high risk identified by the Audit Committee which need priority attention;

    - Follow up on External Audit Reports;

    - The audit needs for audit activities supporting the development of important new business systems like the new FRR, IPSAS, and ERP etc.

    5.5 Audit Coverage Methodology and Cycle

    IAOD adopted the method of full audit coverage of the Audit Universe within a four-year cycle. It is worth underlining that in planning the time schedule for audits, the priority will be set in accordance with the ranking of each auditable area, the area of high audit concern being the top priority.

    Based on the risk ranking, IAOD plans aim to cover all operational areas with the following frequency [2]:

    - High Risk Areas: Every year

    - Medium Risk Areas: Every 2 years

    - Low Risk Areas: Every 4 years

    All of the highest risks that have been identified should be audited at least annually to minimum defensible levels of assurance. For the purpose of identifying all high risk audit tasks, and the planning of assurance for lower levels of risk over a four year period, a reliable risk assessment process is undertaken to identify the level of audit coverage and the resources necessary to meet this objective in the audit work plans and programs.

    The planned audit cycle will be reassessed and modified in the annual audit planning process to ensure that IAOD is in due course able to achieve the goal of auditing all operations at least once within the specific cycle.

    5.6 Audit Resources Planning and Budgeting

    The Director, IAOD establishes and maintains a bi-annual resource allocation plan so as to help ensure the adequate audit coverage of the identified high risk audit areas of the Organization. In doing so, the exchange of information and coordination of audit plans with the Organization's External Auditors helps achieve better audit coverage and avoid any unnecessary duplication of work. Additionally, the Director may decide for the provision of services from external specialists where internal audit's own resources do not suffice to provide effective and efficient audit coverage in the specific high risk areas. Areas where it is likely that outsourcing for resources will be used are:

    - Information Systems (IS) audits;

    - Audit areas of high risk where in-house resources are insufficient;

    - Specialist advice for some of the developing system work.

    5.6.1 Cooperation with External Auditors

    The strategy for cooperating with the External Auditors will be based on the IIA Standards and Practice Advisory relating to internal audit work, on which the external auditors may rely. This cooperation aims to:

    - Contribute to the Internal Audit Section plan;

    - Be more economic than having external audit perform the audit themselves;

    - Be at the written request of the External Auditor.

    A long term resource allocation plan based on a thorough needs assessment for the same period allows for an effective and reliable assessment of the number of permanent audit staff necessary to deliver adequate audit coverage. Consequently, the Director, IAOD develops medium to long term resource needs assessments, including staffing, training and development aspects, and submits them to the Audit Committee and Senior Management for their review and approval.

    [2] Given the current staffing and the number of unaudited high risk areas, in line with the recommendation by the External Auditors, IAOD has decided to suspend the implementation of the cyclical approach for full audit coverage until the staffing situation is improved. IAOD will continue to outsource some of the high risk areas to third party service providers to be able to more effectively cover as many high audit risks as possible in the audit universe.

    5.6.2 Criteria for Calculation of Audit Days

    In estimating the audit days required to deliver an audit assignment, as well as effectively allocate available work days in a year, the following factors need to be taken into account:

    Supervision time - all audit work is subject to appropriate management review and supervision to ensure quality control.

    Training time - adequate time for training, ensuring that staff maintain and are equipped with requisite professional and other skills, is essential.

    Follow-up time - adequate time should be allocated for follow-up on whether management has acted on significant audit recommendations in a timely manner. This will be done in three ways:

    - At the start of each new audit, a review of the implementation of earlier recommendations will be undertaken.

    - Through the review and updating of the database set up for monitoring the Implementation of Outstanding Oversight Recommendations.

    - As a specific annual exercise to inform reporting on implementation of the Open Oversight Recommendations Report to the DG and the General Assembly.

    Contingency time - a certain period of time should be allocated for any unexpected issues which may arise during the course of the year.

    Management and administrative time - allow sufficient time for support to the WIPO governing bodies, including the Audit Committee.

    5.7 Conducting Audits

    The WIPO IOC refers to the Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors (IIA) in performing audit assignments. Those standards were also adopted at the 33rd meeting of Representatives of the Internal Audit Services of the United Nations Organizations and multilateral financial institutions (RIAS). Internal audit staff shall also abide by the Code of Ethics and the Standards of Conduct for the International Civil Service, as established by the IIA and generally accepted by the internal auditing profession.

    The IIA standards delineate basic principles that represent the practice of internal auditing and provide a framework for performing value added internal auditing. In line with the IIA Standards, each individual audit assignment consists of planning, fieldwork and reporting of audit results. Also a follow up audit needs to be undertaken to assess whether management have taken proper action on agreed recommendations after a reasonable period of time has passed.

    5.7.1 Audit Assignment Planning

    WIPO Internal Auditors must develop an audit plan and programme for each individual audit assignment, including the assignment's objectives, scope, timing, resource allocation and any relevant information such as possibility of fraud, significant error and non-compliance and other exposures. The results of the preliminary risk assessment are also included in the assignment plan. Assignment work programs include procedures for identifying, analyzing, evaluating and documenting information during the assignment. The level of detail in audit plans and programs and documentation required are decided by the Director, IAOD based on criteria that may include, inter alia, the level of experience and expertise of the internal audit staff in the subject matter to be audited, the assignment's complexity and scope, whether the audit will be performed internally or outsourced to external service providers etc.

    5.7.2 Assignment Planning Considerations:

    - The objectives of the activity being reviewed and the means

    by which the activity controls its performance;

    - The significant risks to the activity, its objectives, resources,

    and operations, and the means by which the potential impact

    of risk is kept to an acceptable level;

    - The adequacy and effectiveness of the activity's risk

    management and control processes compared to a relevant

    control framework or model; and,

    - The opportunities for making significant improvements to the

    activity's risk management and control processes.

    5.7.3 Notifying Management

    Management should be given reasonable advance notification of an audit

    unless the work involves cash counts or other similar audits, where surprise is

    essential to accomplish the audit objectives. The advance notification, which

    may be in either electronic or written form, should include the purpose and

    scope of the audit and the time period during which the audit is to be

    performed.

    5.7.4 Audit Planning Quality Review

    The audit plans and programs are reviewed and approved by the Director,

    IAOD prior to their implementation, and any subsequent changes during the

    audit fieldwork are also promptly reviewed and approved. IAOD has

    developed templates for audit plans and programs that are reviewed on a

    regular basis to ensure conformity with IPPF. A flowchart for the audit

    process is provided at the end of this document (see Annexes I to IV).

    5.7.5 Audit Fieldwork

    Approved audit work programs prepared based on a risk assessment are

    executed in the conduct of audit fieldwork. Internal auditors identify, analyze,

    evaluate and document sufficient information to satisfy the procedures set out

    in the work program which may be modified during the conduct of the audit

    fieldwork. Information gathered for audit purposes needs to be sufficient,

    reliable, relevant and useful[3].

    Working papers document the information obtained, the analysis made, and

    the support for the conclusions and assignment results. Internal auditors

    communicate regularly with the management and staff of the Unit under audit,

    with a view to gaining a better understanding and providing feedback on the

    preliminary audit observations and recommendations, and issues that need

    immediate management action.

    The main purpose of the working papers generally is:

    - Aid in the planning, performance, and review of assignments.

    - Provide the principal support for assignment results.

    - Document process flow charts indicating the key controls that

    are assessed during the audits.

    - Document whether assignment objectives were achieved.

    - Support the accuracy and completeness of the work

    performed.

    - Provide a basis for the internal audit activity's quality

    assurance and improvement program.

    - Facilitate third-party reviews.

    - Assignment working papers document all aspects of the

    assignment process from planning to communicating results.

    IAOD determines the media used to document and store audit

    working papers.

    5.7.5.1 Arranging Audit Files

    There are two general classes of working paper files: permanent and

    current.

    - Permanent files should contain materials of a

    continuing nature that would be useful in future audits.

    Background data, prior audit and inspection reports

    are examples of what should be included in this file.

    - Current files should be arranged according to the file

    structure developed for the audit. For large audits, the

    current files may consist of several distinct segments:

    one file for each segment examined, others for general

    segments pertaining to the audit as a whole, and one

    for audit administrative matters. As a minimum,

    current files should contain the table of contents,

    review sheets, summary of the audit area,

    cross-referenced audit program and analysis,

    schedules, exhibits, and other supporting

    documentation.

    [3] Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.

    5.7.5.2 Working Paper Summaries

    A narrative summary prepared by the auditor for each audit area

    should be included in the working papers, whether or not deficiencies

    are found. Summaries should support the development of audit

    findings and spell out deficiencies surrounding facts, effects, causes,

    and recommended actions.

    5.7.5.3 Working Papers

    Working papers should include succinct descriptions of the following

    at a minimum:

    1. The audit objective for the particular area documented

    in the working paper;

    2. What was done, i.e. interviews held, documentation

    reviewed, audit tests conducted;

    3. Results achieved, i.e. the key points from the

    interviews and documentation reviewed, and the audit

    test results;

    4. Conclusions relating to the area under review. When

    concluding, the auditor should strive to determine

    whether the controls for the area under review are

    operating effectively. If they are not, the impact on the

    area under review should clearly be stated.

    5.7.5.4 Indexing and Referencing

    The indexing system should be simple but capable of expansion and

    should be tailored to the overall focus of the audit, the selection of

    areas for emphasis, and the planned sequence of the audit. Working

    papers should be indexed concurrently with their preparation, or as

    soon after it as possible.

    The referencing of working papers ensures that all pertinent facts and

    conclusions have been considered and that support exists for the

    auditor's position. Corrections made to supporting information should

    also be cross-referenced to other affected sections of the working

    papers. A copy of the draft audit report should be cross-referenced.

    If any new information is added to the final audit report as a result of

    the audit reply process, that information should be cross-referenced

    as well.

    5.7.5.5 Working Paper Review

    Review of working papers permits the reviewer to assess the auditor's

    conclusions, determine what additional steps are necessary, and

    decide whether to revise the audit coverage.

    In line with the best practice guidance, the audit working papers are

    reviewed to ensure that quality is assured, staff is developed and

    audit objectives are met.

    In doing so, working papers prepared for each audit assignment must

    be reviewed by the Head of the Internal Audit Section or the Director,

    IAOD to ensure compliance with International standards for

    professional practice of internal auditing that have been adopted by

    the UN RIAS at its 33rd meeting. This gives the reviewer the

    opportunity to appraise working paper quality, the relationship of the

    audit work to the objectives, and the completeness of the auditor's

    examination.

    The reviewer should prepare written notes on the results of the

    review, and the auditor should revise working papers and perform

    additional work, if needed. The reviewer and the auditor should reach

    a mutual agreement on the disposition of comments and further

    actions required. The process should be documented. Regular staff

    meetings will also serve to discuss, inter alia, the work paper quality.

    A flowchart for the audit fieldwork process is provided at the end of

    this document.

    5.7.6 Reporting of Audit Results

    Audit results are communicated to auditees in a closing meeting following the

    completion of audit fieldwork. This meeting is intended to clarify any issues

    which may need further explanation and help avoid any misperception or

    inaccurate conclusion which could be reflected in the draft report.

    5.7.6.1 Draft Audit Report

    At the end of each audit, a report shall be issued, which shall present

    the objectives, scope, methodology, findings, conclusions and

    recommendations of the specific activity concerned and include, if

    applicable, recommendations for improvements and lessons learnt

    from the program, person or activity.

    Draft internal audit reports shall be presented to the program manager

    and other relevant officials directly responsible for the program or

    activity that has been the object of the internal audit, inspection or

    evaluation, who shall be given the opportunity to respond within the

    term provided therein.

    5.7.6.2 Final Audit Report

    The Director, IAOD shall include in his annual summary report to the

    Director General, with a copy to the Audit Committee and External

    Auditors, information on the Internal Audit Function's activities, the

    schedule of audit work undertaken and the progress on the

    implementation of recommendations, including those made by

    External Auditors. The Summary Annual Report (SAR) will also

    include a reference to the major risk factors facing the organization

    identified during the reporting period. The SAR (July 1 to June 30)

    report on internal audit activities shall be submitted to the

    General Assembly on an annual basis.

    The Director, IAOD will also provide regular progress reports and/or

    presentations to the Director General, Audit Committee and Program

    and Budget Committee, on IAOD activities including internal audit,

    investigation and evaluation.

    The Director, IAOD shall submit final internal audit and oversight

    reports to the Director General. Internal audit, evaluation and

    inspection reports will be copied to the Audit Committee. The

    External Auditor shall also receive a copy of internal audit, evaluation

    and inspection reports, along with any supporting documentation they

    may require.

    A flowchart for the audit reporting process is provided at the end of

    this document.

    5.7.6.3 Other Internal Audit and Oversight Reports

    The Director, IAOD shall present, on an annual basis, a report to the

    Director General, regarding the implementation of recommendations

    made by the External Auditor.

    The Director, IAOD shall make a presentation on a regular basis on

    his/her activities to the Program and Budget Committee.

    The Director, IAOD shall present, on an annual basis, a summary

    report to the Director General with a copy to the External Auditor and

    the Audit Committee, of his/her internal audit and oversight activities,

    including the orientation and scope of such activities, the schedule of

    work undertaken and the progress on the implementation of prioritized

    recommendations contained in his/her reports. This summary report

    shall be presented to the WIPO General Assembly as submitted by

    the Director, IAOD. Comments the Director General may deem

    appropriate may be submitted in a separate report.

    When applicable, the annual report shall include the following:

    (a) A description of significant problems, abuses and

    deficiencies relating to the administration of WIPO in

    general, or a program or operation in particular,

    disclosed during the period.

    (b) A description of all final recommendations for

    corrective action made by the Director, IAOD during

    the reporting period, relative to significant problems,

    abuses or deficiencies identified.

    (c) A description of all recommendations which were not

    approved by the Director General, together with his

    reasons for not doing so.

    (d) An identification of each significant recommendation in

    previous reports, on which corrective action has not

    been completed.

    (e) A description and explanation of the reasons for any

    significant revised management decision made during

    the reporting period.

    (f) Information concerning any significant management

    decision with which the Director, IAOD is in

    disagreement.

    (g) A summary of any instance where information or

    assistance requested by the Director, IAOD was

    refused.

    (h) A summarized version of the report submitted by the

    Director, IAOD to the Director General, regarding the

    implementation of recommendations made by the

    External Auditor.

    (i) In addition, the Director, IAOD shall comment on the

    scope of his activities and the adequacy of resources

    for the purpose intended.

    The Director, IAOD may also issue communications concerning

    oversight matters to any concerned WIPO manager for matters of a

    minor or routine nature, which do not necessitate formal reporting.

    5.7.6.4 Access to IAOD Oversight Reports and Working Papers

    Internal audit reports will be copied to the Audit Committee. The

    External Auditor shall also receive a copy of internal audit reports,

    along with any supporting documentation they may require.

    Permanent Representatives of Member States to WIPO or their

    designates can read final internal audit and oversight reports in the

    Director, IAOD's office.

    Audit working paper files should be adequately safeguarded, and

    prescribed security procedures be followed. Access to working paper

    files is restricted to authorized personnel only. To this end, IAOD

    has drawn up a Documentation Retention and Archiving Policy

    (Attachment 5).

    5.7.6.5 Follow up of Internal Audit Recommendations

    IAOD follow up on all outstanding recommendations contained in

    internal audit reports on a regular basis. Follow up is performed after

    a reasonable period of time has passed from the date of issuance of

    the audit reports, to assess whether management actions have been

    effectively implemented or that senior management has accepted the

    risk of not taking action.

    As per the provisions of the IOC, IAOD also follow up on the

    implementation status of recommendations made by the External

    Auditor and, at the request of the Audit Committee (AC), IAOD follow

    up all the outstanding recommendations of the AC and other oversight

    bodies (e.g. Joint Inspection Unit) as well. WIPO has issued an Office

    Instruction (see the OI16/2010) on the Implementation of Oversight

    Recommendations including Reporting Procedures, Roles and

    Responsibilities of Management and IAOD. To this end, IAOD has

    developed, in close cooperation with the IT Division, an Excel

    Spreadsheet for the effective follow up and update of implementation

    status of outstanding oversight recommendations.

    To accept a recommendation as implemented, the Internal Audit

    Section can rely on Management's detailed description of action taken

    resulting in full implementation of the recommendation. However, in

    the case of recommendations where the outcome can be supported

    with documentary evidence, internal auditors should receive a copy of

    supporting documentation.

    IAOD perform regular follow up of outstanding internal/external audit

    and Audit Committee recommendations and maintain a database for

    this purpose, which is updated with new oversight reports as and

    when needed.

    5.7.7 Acceptance of Risk by Senior Management

    The Director, IAOD holds meetings regularly with the Director General on

    audit and other oversight issues and informs him about the level of risk taken

    by the Organization. In line with the IIA standard 2600, the Director, IAOD

    also reports to the General Assembly on a yearly basis on the activities of the

    IAOD including, where appropriate, whether WIPO Senior Management has

    taken significant residual risks that may be unacceptable to the Organization.

    5.7.8 Types of Audits

    The audit assignments which shall be undertaken by IAOD include, but are

    not limited to:

    - Operational audits

    - Financial Audits

    - IT Audits

    - Compliance Audits

    - Value-for-money audits

    - Management Audits

    - Performance Audits

    Additionally, IAOD will proactively perform reviews and give reasonable

    professional advice on controls and risks pertaining to the development of

    recently introduced systems and processes, to ensure that effective systems

    of internal controls exist and they operate as intended with full audit trails.

    5.7.9 Use of Information Technology in Audits

    IAOD intend to employ information technology tools in the conduct of audits

    where appropriate, to increase the effectiveness and efficiency of the audit

    process and enable internal audit staff to acquire technical skills and

    knowledge in the use of specialized software for audit purposes. IAOD have

    already been using the Audit Command Language (ACL), which is special

    audit software that enables analysis of large amounts of data from source and

    also helps detect suspicious transactions and activities. This tool will also help

    IAOD with its continuous auditing efforts to check a selected set of transactions

    at regular intervals.

    IAOD has planned to purchase special software for audit working paper

    management and an audit documentation system to automate the recording of

    the audit process that will provide, among other things, time tracking capability with

    a view to increasing the time efficiency in audit assignments.

    6. Quality Control and Assurance

    The Director, IAOD shall ensure that all audit staff are equipped with necessary knowledge,

    technical skills and competencies in discharging their duties and responsibilities and that

    audit work is carried out in line with the professional practice of international auditing

    standards accepted by the UN System Organizations. Each internal auditor shall strive to

    acquire the necessary skills and competencies to be able to effectively carry out tasks

    entrusted to him/her. To this end, this audit manual and detailed guidance, and standard

    documentation and procedures, have been developed and used since 2007.

    In addition, internal quality control measures such as the adequate direction, supervision and

    review of each audit assignment will take place once the size of the Internal Audit Section

    allows for a two-level review and a separation between direction and audit management.

    The Internal Audit Function was evaluated by independent External Auditors[4] in accordance with

    the IIA professional standards of internal auditing. Feedback received from this evaluation will

    be used by IAOD in completing its quality self assessment exercise within three years.

    [4] Evaluation of the Internal Audit Function recorded an overall percentage of the application of the IIA Standards of just above 80 percent.

    It is the strategic aim of the IAOD to follow the procedures for Quality Assurance set out by

    the IIA and now to have an external quality review in five years (and every such period thereafter).

    This exercise will be undertaken in accordance with the IIA standards for quality self

    assessment, as well as the Internal Audit Capability Model for the public sector organizations

    (IA-CM), developed by the IIA.

    7. Coordination with Other Oversight Bodies

    7.1 WIPO Audit Committee

    In September 2005, the WIPO General Assembly approved the proposal of the

    Program and Budget Committee on the establishment of a WIPO Audit Committee

    that is an independent, expert advisory and external oversight body (see WIPO Audit

    Committee Terms of Reference, annex XX). It aims to assist Member States in their

    role of oversight and for better exercise of their governance responsibilities with

    respect to the various operations of WIPO. IAOD participate in Audit Committee

    meetings regularly, on a quarterly basis, to discuss and inform the AC of oversight

    related issues including issued audit reports, evaluation activities, and providing

    information on investigation activities, safeguarding the integrity of confidentiality of

    investigation activities.

    7.2 External Auditor

    The External Auditor, who shall be the Auditor General (or officer holding the

    equivalent title) of a Member State, shall be appointed by the General Assembly, in

    the manner decided by the Assembly. The External Auditor shall conduct his work in

    conformity with international auditing standards. The External Auditor may make

    observations with respect to the efficiency of the financial procedures, the accounting

    system and internal financial controls, and on the administration and management of

    the organization. The General Assembly may ask the External Auditor to perform

    certain specific examinations and issue separate reports on the results (for further

    information see Terms of Reference Governing External Audit). IAOD have

    developed an excellent working relationship with the External Auditor. This includes, but

    is not limited to, regular exchanges of views on risk and control issues, audit reports,

    bi-annual and annual audit plans, etc.

    7.3 Joint Inspection Unit (JIU)

    By its resolution 31/192 of 22 December 1976, the UN General Assembly decided to

    establish the Joint Inspection Unit which is mandated to provide an independent view

    through inspection and evaluation, aimed at improving management and methods

    and at achieving greater coordination between organizations. IAOD meet with the

    Inspectors of the JIU when needed and provide feedback/comments on JIU reports.

    Annex I: Audit Pre-planning

    Phase 1- Audit Pre-planning

    Activity Product/Result

    Select an Assignment in line with Bi-annual Audit Plan

    Identify audit staff (taking into account specific experience/qualities of staff,

    Team meetings

    Identify Audit Requirements

    Identify Clear and Specific Objectives/Sub objectives

    Identify Type of Audit

    Contact Auditee (notification of the audit and arrangements for meeting)

    Work Plan and program

    Form Audit Team

    Staff roles and responsibilities

    Preliminary Decisions on Objectives, Scope, Methodology (to be refined after review and analysis in planning Phase)

    Define audit program for including objectives and audit steps to be followed.

    Applicable Auditing Standards (determining specific compliance requirements)

    Notification Letter/Memorandum

    Audit and time requirements

    Preliminary expectations relative to the content of the report

    Annex II: Audit Planning

    Phase 1 - Audit Planning

    Activity Product/Result

    Identify audit Objectives and Sub objectives and audit

    steps to be followed

    Preliminary Review and

    Analysis of available documents/information

    Preliminary Data Analysis.

    Preliminary Conclusions.

    Update Audit Plan and Program.

    Preliminary Results.

    Scope of Audit

    Identify Data sources

    Determine Risk Factors

    Preliminary Assessment of Internal Control.

    Audit Plan.

    Identify additional issues

    Team meeting and discussion

    Finalize Audit Program

    Data Collection, Analysis, interpretation for each objective/sub objective.

    Target Dates.

    Roles and Responsibilities.

    Annex III: Audit Fieldwork

    Activity Product/Result

    Collect Information Pertaining to each Objective and Sub objective. Identify pertinent audit evidence in terms of Cause-Effect analysis and formulate Recommendations

    Compilation of Working Papers (containing evidence to support findings, opinions, conclusions).

    Update Short List of Findings.

    Evidence (physical, documentary, testimonial, analytical).

    Developed Findings (re criteria, condition, cause(s), effect(s), and recommendations).

    Implement audit work program and substantiate audit findings

    with factual evidence/observations

    Continuous Dialogue with management of audited unit to discuss preliminary audit issues/actions to be taken

    promptly

    Based on feedback/comments by management, fine-tune audit issues/recommendations to be included in the draft audit report.

    Annex IV: Audit Reporting Process

    Phase 3 Reporting Audit Results

    Activity Product/Result

    Draft audit report

    Write draft audit report with agreed upon findings and recommendations.

    Review and approval of draft audit report by Director, IAOD for Quality Assurance Purposes.

    Final Audit Report including management comments/ action plan is finalized and issued within the given timeline.

    Get agreement with the auditee and finalize findings/conclusions and recommendations audit issues and recommendations.

    A transmittal letter and Draft report sent to the auditee for comments and designate responsible and action plan for agreed recommendations.

    Audit Closing Meeting

    Follow up of recommendations

    In case management fails to provide comments/feedback on the draft report, Final audit report is issued without management.

    Final Audit Report

    Outstanding audit recommendations are followed up after a reasonable period of time.

    Annex V: Risk Assessment

    1. Conduct Initial Risk Assessment

    As part of the audit planning phase, prior to the start of the audit field work, the auditor should

    conduct a risk assessment of the area under review. This will include initial analysis of

    information requested prior to the audit, as well as other pertinent information known to the

    auditor. A sample risk assessment is provided in Figure 1 below.

    Figure 1

    The Risk Matrix shown in Figure 1 was compiled based on work completed prior to commencing the audit and provided the justification for progressing with the audit. The risk assessment provided the nine areas of focus for the audit.

    Risk  Label    Likelihood      Impact        Risk
    1.    Label 1  Unlikely        Marginal      High
    2.    Label 2  Unlikely        Marginal      High
    3.    Label 3  Unlikely        Marginal      High
    4.    Label 4  Rare            Negligible    Low
    5.    Label 5  Rare            Catastrophic  Extreme
    6.    Label 6  Rare            Catastrophic  Extreme
    7.    Label 7  Unlikely        Marginal      Low
    8.    Label 8  Almost Certain  Negligible    Moderate
    9.    Label 9  Unlikely        Negligible    Moderate

    [Risk matrix: risks 1 to 9 plotted by Likelihood (Rare, Unlikely, Possible, Likely, Almost Certain) against Impact (Negligible, Marginal, Critical, Catastrophic).]

    8. Hold Check Point Meeting 1 with the Director of Audit

    The purpose of this meeting is to agree upon the areas of focus for the audit, and where

    necessary adjust them based on the outcome of the Check Point Meeting.

    9. Conduct Walkthroughs of the areas of focus

    During this stage of the audit, the auditor's primary focus is to flowchart the key processes

    and to document the key controls. The auditor will typically analyze the controls in a

    particular process, by understanding the main steps and control points in a particular

    process. At this point the objective is to determine the nature of the process and assess the

    controls which have been designed into the process. To establish an understanding of the

    control environment, the auditor's focus is the process flow and certain variations. For

    example, in a purchasing process, there are different controls depending upon the nature of

    the purchase. Controls for purchasing services may vary from controls for purchasing goods

    or specialized materials. At this point the focus is on understanding the controls in place and

    the control variants, not the testing of multiple transactions within a process.

    10. Reassess the Risks based on the Updated understanding of the control

    environment

    At this point the risks as assessed initially may change due to the level of the controls in the

    process. Typically the likelihood is the element which is most likely to be reassessed. The

    impact typically remains unchanged, unless the auditor determines that there is a lower

    volume of financial transactions, for example, than originally thought.

    11. Hold Check Point Meeting 2 with the Director of Audit

    The revised risks are discussed during this meeting following the results of the walkthrough

    testing, and the level of transactional testing for the areas of focus is agreed upon. It may be

    concluded at this point that other areas of focus should be included in the review or that more

    than the standard volume of transactional testing may be required due to special

    circumstances. It may also be agreed that no transactional testing is required for a particular

    area.

    The result of Checkpoint 2 will be a revised risk matrix as in Figure 3:

    [Revised risk matrix: risks 1 to 9 re-plotted by Likelihood (Rare, Unlikely, Possible, Likely, Almost Certain) against Impact (Negligible, Marginal, Critical, Catastrophic).]

    Figure 3

    Risk  Label    Likelihood      Impact        Risk
    1.    Label 1  Unlikely        Marginal      Low
    2.    Label 2  Unlikely        Marginal      Low
    3.    Label 3  Unlikely        Marginal      Low
    4.    Label 4  Rare            Negligible    Low
    5.    Label 5  Rare            Catastrophic  High
    6.    Label 6  Rare            Catastrophic  High
    7.    Label 7  Unlikely        Marginal      Low
    8.    Label 8  Almost Certain  Negligible    Low
    9.    Label 9  Unlikely        Negligible    Low

    Annex VI: International Standards for the Professional Practice of Internal

    Auditing (Standards)

    The Internal Oversight Charter (see paragraph 2 (a) footnote 3) says we will follow the Code of Ethics and the

    Internal Auditing Standards established by the IIA. Below are the details of the International Professional Practices

    Framework, which contains Standards, Definitions, Code of Ethics and other guide papers and practice advice issued

    by the IIA.

    International Professional Practices Framework

    A trustworthy, global guidance-setting body, The IIA provides for internal audit professionals all around the world

    authoritative guidance organized in the International Professional Practices Framework as mandatory and strongly

    recommended guidance.

    Mandatory Guidance

    Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing. Mandatory guidance is developed following an established due diligence process, which includes a period of public exposure for stakeholder input. The three mandatory elements of the IPPF are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).

    Element: Definition

    Definition: The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.

    Code of Ethics: The Code of Ethics states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.

    International Standards: Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:

    - Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.
    - Interpretations, which clarify terms or concepts within the statements.

    It is necessary to consider both the statements and their interpretations to understand and apply the Standards correctly. The Standards employ terms that have been given specific meanings that are included in the Glossary.

    Strongly Recommended Guidance

    Strongly recommended guidance is endorsed by The IIA through a formal approval process. It describes practices for effective implementation of The IIA's Definition of Internal Auditing, Code of Ethics, and Standards. The three strongly recommended elements of the IPPF are Position Papers, Practice Advisories, and Practice Guides.

    Element: Definition

    Position Papers: Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and delineating related roles and responsibilities of internal auditing.

    Practice Advisories: Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the Standards and promoting good practices. Practice Advisories address internal auditing's approach, methodologies, and consideration, but do not detail processes or procedures. They include practices relating to: international, country, or industry-specific issues; specific types of engagements; and legal or regulatory issues.

    Practice Guides: Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.


    International Standards

    Attribute Standards

    1000 Purpose, Authority, and Responsibility
    1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
    1100 Independence and Objectivity
    1110 Organizational Independence
    1111 Direct Interaction with the Board
    1120 Individual Objectivity
    1130 Impairment to Independence or Objectivity
    1200 Proficiency and Due Professional Care
    1210 Proficiency
    1220 Due Professional Care
    1230 Continuing Professional Development
    1300 Quality Assurance and Improvement Program
    1310 Requirements of the Quality Assurance and Improvement Program
    1311 Internal Assessments
    1312 External Assessments
    1320 Reporting on the Quality Assurance and Improvement Program
    1321 Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"
    1322 Disclosure of Nonconformance

    Performance Standards

    2000 Managing the Internal Audit Activity
    2010 Planning
    2020 Communication and Approval
    2030 Resource Management
    2040 Policies and Procedures
    2050 Coordination
    2060 Reporting to Senior Management and the Board
    2070 External Service Provider and Organizational Responsibility for Internal Auditing
    2100 Nature of Work
    2110 Governance
    2120 Risk Management
    2130 Control
    2200 Engagement Planning
    2201 Planning Considerations
    2210 Engagement Objectives
    2220 Engagement Scope
    2230 Engagement Resource Allocation
    2240 Engagement Work Program
    2300 Performing the Engagement
    2310 Identifying Information
    2320 Analysis and Evaluation
    2330 Documenting Information
    2340 Engagement Supervision
    2400 Communicating Results
    2410 Criteria for Communicating
    2420 Quality of Communications
    2421 Errors and Omissions
    2430 Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing"
    2431 Engagement Disclosure of Nonconformance
    2440 Disseminating Results
    2450 Overall Opinions
    2500 Monitoring Progress
    2600 Resolution of Senior Management's Acceptance of Risks

    Practice Advisories

    Attribute Standards

    PA 1000-1 - Internal Audit Charter
    PA 1110-1 - Organizational Independence
    PA 1111-1 - Board Interaction
    PA 1120-1 - Individual Objectivity
    PA 1130-1 - Impairment to Independence or Objectivity
    PA 1130.A1-1 - Assessing Operations for Which Internal Auditors Were Previously Responsible
    PA 1130.A2-1 - Internal Audit's Responsibility for Other (Non-audit) Function
    PA 1200-1 - Proficiency and Due Professional Care
    PA 1210-1 - Proficiency
    PA 1210.A1-1 - Obtaining External Service Providers to Support or Complement the Internal Audit Activity
    PA 1220-1 - Due Professional Care
    PA 1230-1 - Continuing Professional Development
    PA 1300-1 - Quality Assurance and Improvement Program
    PA 1310-1 - Requirements of the Quality Assurance and Improvement Program


    PA 1311-1 - Internal Assessments
    PA 1312-1 - External Assessments
    PA 1312-2 - External Assessments: Self-assessment with Independent Validation
    PA 1321-1 - Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"

    Performance Standards

    PA 2010-1 Linking the Audit Plan to Risk and Exposures
    PA 2010-2 Using the Risk Management Process in Internal Audit Planning
    PA 2020-1 Communication and Approval
    PA 2030-1 Resource Management
    PA 2040-1 Policies and Procedures
    PA 2050-1 Coordination
    PA 2050-2 Assurance Maps
    PA 2050-3 Relying on the Work of Other Assurance Providers
    PA 2060-1 Reporting to Senior Management and the Board
    PA 2110-1 Governance: Definition
    PA 2110-2 Governance: Relationship with Risk and Control
    PA 2110-3 Governance: Assessments
    PA 2120-1 Assessing the Adequacy of Risk Management Processes
    PA 2120-2 Managing the Risk of the Internal Audit Activity
    PA 2130-1 Assessing the Adequacy of Control Processes
    PA 2130.A1-1 Information Reliability and Integrity
    PA 2130.A1-2 Evaluating an Organization's Privacy Framework
    PA 2200-1 Engagement Planning
    PA 2200-2 Using a Top-down, Risk-based Approach to Identify the Controls to be Assessed in an Internal Audit Engagement
    PA 2210-1 Engagement Objectives
    PA 2210.A1-1 Risk Assessment in Engagement Planning
    PA 2230-1 Engagement Resource Allocation
    PA 2240-1 Engagement Work Program
    PA 2300-1 Use of Personal Information in Conducting Engagements
    PA 2320-1 Analytical Procedures
    PA 2330-1 Documenting Information
    PA 2330.A1-1 Control of Engagement Records
    PA 2330.A1-2 Granting Access to Engagement Records
    PA 2330.A2-1 Retention of Records
    PA 2340-1 Engagement Supervision
    PA 2400-1 Legal Considerations in Communicating Results
    PA 2410-1 Communication Criteria
    PA 2420-1 Quality of Communications
    PA 2440-1 Disseminating Results
    PA 2440-2 Communicating Sensitive Information Within and Outside the Chain of Command
    PA 2440.A2-1 Communications Outside the Organization
    PA 2500-1 Monitoring Progress
    PA 2500.A1-1 Follow-up Process

    Practice Guides

    1. Auditing Executive Compensation and Benefits
    2. Auditing External Business Relationships
    3. Chief Audit Executives - Appointment, Performance Evaluation and Termination
       Evaluating Corporate Social Responsibility/Sustainable Development
       Formulating and Expressing Internal Audit Opinions
    4. Internal Auditing and Fraud

    Global Technology Audit Guides (GTAG)

    GTAG 1 Information Technology Controls
    GTAG 2 Change and Patch Management Controls: Critical for Organizational Success
    GTAG 3 Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
    GTAG 4 Management of IT Auditing
    GTAG 5 Managing and Auditing Privacy Risks
    GTAG 6 Managing and Auditing IT Vulnerabilities
    GTAG 7 Information Technology Outsourcing
    GTAG 8 Auditing Application Controls
    GTAG 9 Identity and Access Management
    GTAG 10 Business Continuity Management
    GTAG 11 Developing the IT Audit Plan
    GTAG 12 Auditing IT Projects
    GTAG 13 Fraud Prevention and Detection in an Automated World
    GTAG 14 Auditing User-developed Applications
    GTAG 15 Information Security Governance

    Detailed information on the International Professional Practice Framework including IIA Standards and Practice Advisory can be found at:

    http://www.theiia.org/bookstore/product/international-professional-practice-framework-2011-1533.cfm


    Annex VII: IAOD Internal Audit Section Internal Audit Templates

    Audit File Index

    Audit Review Sheet

    Audit Working Papers

    Audit Process Walkthrough

    Initial Risk Assessment

    Revised Risk Assessment

    Audit Notification Letter

    Audit Exit Conference Briefing

    Audit Plan

    Audit Program

    Audit File Clearance Check Sheet

    Draft Audit Report

    Draft Report Transmittal Memo

    Final Audit Report

    Final Report Memo