Internal Audit and Oversight Division
INTERNAL AUDIT MANUAL
February 14, 2011
TABLE OF CONTENTS
FOREWORD
1. PURPOSE
2. POLICY FRAMEWORK
3. ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES
3.1 THE INTERNAL AUDIT FUNCTION IN WIPO
3.2 MISSION
3.3 INDEPENDENCE
3.4 AUTHORITY
3.5 CONFLICT OF INTEREST
4. ATTRIBUTES OF INTERNAL AUDIT STAFF
4.2 DUE PROFESSIONAL CARE
4.3 CONTINUOUS PROFESSIONAL DEVELOPMENT
5. KEY AUDIT PROCEDURES
5.1 GENERAL INFORMATION
5.2 AUDIT PLANNING AND RISK ASSESSMENT PROCESS
5.3 AUDIT NEEDS ASSESSMENT (ANA)
5.4 RISK ASSESSMENT CRITERIA USED IN BI-ANNUAL AUDIT PLANNING
5.5 AUDIT COVERAGE METHODOLOGY AND CYCLE
5.6 AUDIT RESOURCES PLANNING AND BUDGETING
5.6.1 Cooperation with External Auditors
5.6.2 Criteria for Calculation of Audit Days
5.7 CONDUCTING AUDITS
5.7.1 Audit Assignment Planning
5.7.2 Assignment Planning Considerations:
5.7.3 Notifying Management
5.7.4 Audit Planning Quality Review
5.7.5 Audit Fieldwork
5.7.5.1 Arranging Audit Files
5.7.5.2 Working Paper Summaries
5.7.5.3 Working Papers
5.7.5.4 Indexing and Referencing
5.7.5.5 Working Paper Review
5.7.6 Reporting of Audit Results
5.7.6.1 Draft Audit Report
5.7.6.2 Final Audit Report
5.7.6.3 Other Internal Audit and Oversight Reports
5.7.6.4 Access to IAOD Oversight Reports and Working Papers
5.7.6.5 Follow up of Internal Audit Recommendations
5.7.7 Acceptance of Risk by Senior Management
5.7.8 Types of Audits
5.7.9 Use of Information Technology in Audits
6. QUALITY CONTROL AND ASSURANCE
7. COORDINATION WITH OTHER OVERSIGHT BODIES
7.1 WIPO AUDIT COMMITTEE
7.2 EXTERNAL AUDITOR
7.3 JOINT INSPECTION UNIT (JIU)
ANNEX I: AUDIT PRE-PLANNING
ANNEX II: AUDIT PLANNING
ANNEX III: AUDIT FIELDWORK
ANNEX V: RISK ASSESSMENT
ANNEX VI: INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)
Foreword
This WIPO Internal Audit Manual is established in accordance with the provisions
of the WIPO Internal Oversight Charter (2010).
The preparation of this Manual has taken into account the International Standards
for the Professional Practice of Internal Auditing (Standards) of the IIA and good
practice applied by the United Nations and promulgated by the UN
Representatives of Internal Audit Services (RIAS).
The Manual includes information on internal audit techniques, methods and
procedures followed by IAOD internal auditors. It will help ensure the delivery of
internal audit work reports of a consistently high standard and assured quality.
I am pleased to gratefully acknowledge the good work Tuncay Efendioglu,
Steve Woess and Silvia Nunez have put into developing this Manual.
Nick Treen
Director, IAOD February 14, 2011
1. Purpose
The Internal Audit Manual (the Manual) establishes the key operating policies and
procedures that govern the internal audit activity, in compliance with the Internal Oversight
Charter (IOC), the Organization's policies and procedures, and other international standards
for the professional practice of internal auditing.
This Manual is primarily designed to establish a level of uniformity and consistency within the
Internal Audit Section with a view to further strengthening professionalism of internal audit
staff, and serving as a guidance document for all World Intellectual Property Organization
(the WIPO) staff and other WIPO stakeholders (Member States, Audit Committee, External
Auditors, etc.) on the modus operandi of the Internal Audit Section.
2. Policy Framework
The key policies and procedures that govern the work of the Internal Audit Activity in WIPO
are:
(a) The IOC (Attachment 1) which defines the mandate, authority and
prerogatives, reporting, resources and other duties and modalities of work of
the Internal Audit and Oversight Division (IAOD).
(b) The WIPO Financial Regulations and Rules (the FRR) which incorporates the
IOC as an annex.
(c) The WIPO Staff Regulations and Staff Rules.
(d) WIPO General Assembly Decisions.
(e) Internal Audit Strategy (The strategy) and Audit Risk Assessment
Methodology (Attachments 2 and 3).
(f) WIPO's policies and procedures relating to the system of internal control and
framework.
(g) Accounting Standards applicable to the UN System Organizations.
(h) International Standards for the Professional Practice of Internal Auditing
Framework (IPPF).
3. Organizational Structure and Responsibilities
The Internal Audit and Oversight Division (IAOD) was established in May 2000. Its original
mandate included both internal audit and investigation functions. The Division also informally
acted as a focal point for investigation and inspection. With the approval of the WIPO
Internal Audit Charter by the General Assembly in September 2005 (revised twice in
September 2007 and September 2010), inspection and evaluation activities were
incorporated into IAOD's mandate.
3.1 The Internal Audit Function in WIPO
The Internal Audit Section is part of the Internal Audit and Oversight Division (IAOD),
and consists of the Head of Audit, and sufficient internal audit staff based in Geneva.
Changes in audit needs in line with the organizational structure and risk appetite of
senior management are taken into account in determining the sufficiency of audit staff
in WIPO.
The Director, IAOD (hereinafter referred to as Director, IAOD) shall determine the
extent of human and other resources required to accomplish IAOD's mandate and
objectives economically, effectively and efficiently. In doing so, the Director shall take
into account:
- The results of risk assessment of operations, which is part of the
audit universe [1];
- The needs for implementing the IAOD bi-annual audit work plan;
- Resources required to secure staff training and development
programmes, audit research and development efforts; and,
- Administrative and logistical requirements.
In addition, the Director shall:
- Establish and maintain a personnel management system for
recruiting, training, developing, evaluating, and administering IAOD
staff in accordance with the WIPO Staff Regulations and Staff Rules
and the Standards for the Professional Practice of Internal Auditing;
- Assist the Human Resources Management Department in developing
a Post Description for each Internal Auditor;
- Appraise the performance of each Internal Auditor;
- Counsel staff on their performance and professional development;
- Promptly notify IAOD staff of career development opportunities;
- Conduct regular meetings to discuss issues of concern to IAOD staff;
and,
- Establish and maintain the policies and procedures that govern the
Internal Audit Section in accordance with the provisions of the IOC,
the WIPO FRR and International Standards for Professional Practice
of Internal Auditing (IPPF).
3.2 Mission
The mission of the Internal Audit Section is to provide the Management with
systematic assurance, analysis, appraisals, recommendations, advice and
information, with a view to assisting WIPO Management and other stakeholders in
the effective discharge of their responsibilities and the achievement of WIPO's mission
and goals.
In line with its mission, the objectives of the Internal Audit Section include
endeavoring to assess the cost-effectiveness of controls, and making
recommendations for the effectiveness, efficiency and economy of WIPO's policies and
procedures and use of resources, as well as assessing compliance with WIPO's
Financial Regulations and Rules, Staff Regulations and Staff Rules, relevant General
Assembly decisions, the applicable accounting standards and the Standards of
Conduct for the International Civil Service, as well as best practice.
3.3 Independence
The Director, IAOD is responsible to the Director General and is part of the WIPO
staff but not management. The Director, IAOD and oversight staff shall be
independent of all WIPO programs, operations and activities he/she audits, to ensure
impartiality and credibility of the work undertaken.
The Director, IAOD, enjoys functional and operational independence in the conduct of
his/her duties. He/she has the authority to initiate, carry out and report on any action
which he/she considers necessary to fulfill his/her mandate. The Director, IAOD shall
receive requests for his/her services from the Director General, to be included in the
workplans, but he/she should be free to carry out any action within the purview of
his/her mandate.
[1] Audit Universe is an inventory of all auditable areas that is compiled and maintained to identify areas for audit during the audit planning process.
3.4 Authority
For the performance of his/her duties, the Director, IAOD shall have unrestricted,
unlimited, direct and prompt access to all WIPO records, officials or personnel,
holding any WIPO contractual status, and to all WIPO premises. The Director, IAOD
shall have access to the Chair of the General Assembly, the Program and Budget
Committee and the Audit Committee.
The right of all staff and personnel to communicate confidentially with, and provide
information to, the Director, IAOD, without fear of reprisal, shall be guaranteed by the
Director General. This is without prejudice to measures under WIPO Staff
Regulations and Staff Rules, where information is transmitted to the Director, IAOD
with knowledge of its falsity, or with willful disregard of its truth or falsity.
The Director, IAOD shall respect and keep the confidential nature of any information
gathered or received that is applicable to an internal audit, evaluation, investigation or
inspection, and shall use such information only in so far as it is necessary for the
performance of these functions.
3.5 Conflict of Interest
Conflicts of interest should be avoided. Significant and material conflicts of interest
are required to be reported to the Audit Committee who shall recommend such
actions that may be needed to mitigate and reduce the undesirable effects of any
conflicts of interest. The Director, IAOD shall periodically obtain information from
internal oversight staff and ensure that potential and actual conflict of interest and
bias situations are prevented, and that internal audit and oversight work is conducted
in accordance with the professional Code of Ethics and the Code of Conduct for
International Civil Servants.
4. Attributes of Internal Audit Staff
4.1 Professional Proficiency
Internal audit staff are expected to possess adequate knowledge, technical skills and
competencies to be able to apply and comply with the provisions of the IOC,
international standards for professional practice of internal auditing and procedures
covered in this Manual. The Director, IAOD and the Head of the Internal Audit
Section have the overall responsibility to ensure compliance with the Manual.
Knowledge, skills, and other competencies is a collective term that refers to the
professional proficiency required of internal auditors, to effectively carry out their
professional responsibilities. Internal auditors are encouraged to demonstrate their
proficiency by obtaining appropriate professional certifications and qualifications,
such as the Certified Internal Auditor (CIA) designation and other designations
offered by The Institute of Internal Auditors and other internationally recognized
professional organizations.
4.2 Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and
competent internal auditor. Due professional care does not imply infallibility.
Internal auditors must exercise due professional care by considering:
- The extent of work needed to achieve the assignment's objectives;
- The relative complexity, materiality, or significance of matters to which
assurance procedures are applied;
- The adequacy and effectiveness of governance, risk management,
and control processes;
- The probability of significant errors, fraud, or noncompliance; and,
- The cost of assurance in relation to potential benefits.
In exercising due professional care, internal auditors must consider the use of
technology-based audit and other data analysis techniques.
Internal auditors must be alert to the significant risks that might affect objectives,
operations, or resources. However, assurance procedures alone, even when
performed with due professional care, do not guarantee that all significant risks will
be identified.
4.3 Continuous Professional Development
Internal Audit staff are responsible for continuing their education in order to maintain
their proficiency. They should keep abreast of latest developments and
improvements in internal auditing standards, procedures, and techniques. Continuing
education may be obtained through membership and participation in professional
societies, attendance at meetings, seminars, college courses, in-house training
programmes, on-line or correspondence courses and participation in research
projects. However, these activities should be kept at a reasonable level and not
impinge on the internal audit staff's availability.
IAOD have adopted a training policy (Attachment 4) that sets out the framework of
training activities for each section, i.e. Internal Audit, Investigation and Evaluation,
and individual staff members within the division, to ensure that staff possess the
necessary technical knowledge, skills and competencies to be able to carry out the duties
and responsibilities assigned to them.
5. Key Audit Procedures
5.1 General Information
Internal audit work is conducted in line with the provisions of the IOC, WIPO FRR and
International Standards for Professional Practice of Internal Auditing (IPPF) issued by
the Institute of Internal Auditors (the IIA).
In accordance with the existing framework, IAOD adopted an Internal Audit Strategy
that sets out the context for internal audit activities in WIPO. The Strategy aims to
provide the Director General, Member States and the Audit Committee with an
independent and objective assessment of WIPO's business processes and
systems, risk management, control and governance processes. The Strategy
document has been revised to reflect the changes WIPO (the Organization) has
undergone since the inception of the Strategy in 2007 and to align with the
new strategic objectives of the Organization.
5.2 Audit Planning and Risk Assessment Process
WIPO has not yet established an organization-wide Enterprise Risk Management
(ERM) framework which Internal Audit Section could take into account when
developing annual work plans. In line with the Institute of Internal Auditors (IIA)
standards and good practice, IAOD has therefore been carrying out its own risk
assessments with a view to identifying an Audit Needs Assessment (ANA), to
maximize the effective and efficient use of limited audit resources, by focusing on
operational areas of high risk. The risk model developed by IAOD is based on good
practice advisory suggested by the IIA. The risk model is reviewed and revised, if
need be, to strengthen common understanding and facilitate audit planning
discussion with WIPO Management and the Audit Committee.
5.3 Audit Needs Assessment (ANA)
The ANA establishes the audit requirements that enable the Internal Audit
Section to provide adequate assurance for all WIPO activities over a period of time (4
years initially) to the Director General, the Member States and other stakeholders,
that the system of internal controls in place is effective and operating as intended.
The Internal Audit Section will help WIPO management in developing its own
enterprise level risk registers at corporate and program levels which should be linked
to WIPO's strategic goals and monitored by the Management on an ongoing
basis.
The ANA helps determine the full amount of audit resources IAOD should have to
effectively carry out its mandate and link the resource requirements to the Audit Work
Plans.
5.4 Risk Assessment Criteria Used in Bi-Annual Audit Planning
The Bi-annual risk assessment process will take into account the following criteria:
- Materiality: high monetary value and/or volume of transactions;
- Past audit coverage;
- Degree of Organizational and Management Change;
- Essential functions;
- Financial exposure of the area being audited;
- Inherent risk of the area being audited;
- Existence of Fall Back Arrangements;
- Complexity and maturity of IT systems.
The risk assessment criteria are applied to each operational area/process to develop
a risk factor for each auditable unit. The criteria being used for risk ranking are
assigned a value from 1 to 5 and then sorted by significance to identify high audit
areas in order of risk.
In addition to the criteria used above, the risk assessment process shall consider the
factors below in finalizing the annual audit plan:
- Audit requests mandated by the General Assembly;
- Specific requests by the Director General;
- Specific internal audit work on which the external auditors may place
reliance;
- Specific areas of high risk identified by the Audit Committee which
need priority attention;
- Follow up on External Audit Reports;
- The audit needs for audit activities supporting the development of
important new business systems such as the new FRR, IPSAS, ERP,
etc.
5.5 Audit Coverage Methodology and Cycle
IAOD adopted the method of full audit coverage of the Audit Universe within a
four-year cycle. It is worth underlining that in planning the time schedule for audits, the
priority will be set in accordance with the ranking of each auditable area, the area of
high audit concern being the top priority.
Based on the risk ranking, IAOD plans aim to cover all operational areas with the
following frequency [2]:
- High Risk Areas: Every year
- Medium Risk Areas: Every 2 years
- Low Risk Areas: Every 4 years
All of the highest risks that have been identified should be audited at least annually to
minimum defensible levels of assurance. For the purpose of identifying all high risk
audit tasks, and the planning of assurance for lower levels of risk over a four year
period, a reliable risk assessment process is undertaken to identify the level of audit
coverage and the resources necessary to meet this objective in the audit work plans
and programs.
The planned audit cycle will be reassessed and modified in the annual audit planning
process to ensure that IAOD is in due course able to achieve the goal of auditing all
operations at least once within the specific cycle.
5.6 Audit Resources Planning and Budgeting
The Director, IAOD establishes and maintains a bi-annual resource allocation plan so
as to help ensure the adequate audit coverage of the identified high risk audit areas
of the Organization. In doing so, the exchange of information and coordination of
audit plans with the Organization's External Auditors helps improve audit coverage and
avoid any unnecessary duplication of work. Additionally, the Director may decide on
the provision of services from external specialists where internal audit's own
resources do not suffice to provide effective and efficient audit coverage in the
specific high risk areas. Areas where it is likely that outsourcing for resources will be
used are:
- Information Systems (IS) audits;
- Audit areas of high risk where in-house resources are insufficient;
- Specialist advice for some of the developing system work.
5.6.1 Cooperation with External Auditors
The strategy for cooperating with the External Auditors will be based on the
IIA Standards and Practice Advisory relating to internal audit work, on which
the external auditors may rely. This cooperation aims to:
- Contribute to the Internal Audit Section plan;
- Be more economic than having external audit perform the
audit themselves;
- Be at the written request of the External Auditor.
A long term resource allocation plan based on a thorough needs assessment
for the same period, allows for an effective and reliable assessment of the
number of permanent audit staff necessary to deliver adequate audit
coverage. Consequently, the Director, IAOD develops medium to long term
resource needs assessments including staffing, training and development
aspects and submits them to the Audit Committee and Senior Management for
their review and approval.
[2] Given the current staffing and the number of unaudited high risk areas, in line with the recommendation by the External Auditors, IAOD have decided to suspend the implementation of the cyclical approach for full audit coverage until the staffing situation is improved. IAOD will continue to outsource some of the high risk areas to third party service providers to be able to more effectively cover as many high audit risks as possible in the audit universe.
5.6.2 Criteria for Calculation of Audit Days
In estimating the audit days required to deliver an audit assignment, as well
as effectively allocate available work days in a year, the following factors
need to be taken into account:
Supervision time - all audit work is subject to appropriate management review
and supervision to ensure quality control.
Training time - adequate time for training, ensuring that staff maintain and are
equipped with requisite professional and other skills, is essential.
Follow-up time - adequate time should be allocated for follow-up on whether
management has acted on significant audit recommendations in a timely
manner. This will be done in three ways:
- At the start of each new audit, a review of the implementation
of earlier recommendations will be undertaken.
- Through the review and updating of the database set up for
monitoring the Implementation of Outstanding Oversight
Recommendations.
- As a specific annual exercise to inform reporting on
implementation of the Open Oversight Recommendations
Report to the DG and the General Assembly.
Contingency time - a certain period of time should be allocated for any
unexpected issues which may arise during the course of the year.
Management and administrative time - allow sufficient time for support to the
WIPO governing bodies, including the Audit Committee.
5.7 Conducting Audits
The WIPO IOC refers to the Standards for the Professional Practice of Internal
Auditing issued by the Institute of Internal Auditors (IIA) in performing audit
assignments. Those standards were also adopted at the 33rd meeting of
Representatives of the Internal Audit Services of the United Nations Organizations
and multilateral financial institutions (RIAS). Internal audit staff shall also abide by
the Code of Ethics and the Standards of Conduct for the International Civil Service,
as established by the IIA and generally accepted by the internal auditing profession.
The IIA standards delineate basic principles that represent the practice of internal
auditing and provide a framework for performing value added internal auditing. In line
with the IIA Standards, each individual audit assignment consists of planning,
fieldwork and reporting of audit results. A follow-up audit also needs to be
undertaken to assess whether management have taken proper action on agreed
recommendations after a reasonable period of time has passed.
5.7.1 Audit Assignment Planning
WIPO Internal Auditors must develop an audit plan and programme for each
individual audit assignment, including the assignment's objectives, scope,
timing, resource allocation and any relevant information such as possibility of
fraud, significant error and non-compliance and other exposures. The results
of the preliminary risk assessment are also included in the assignment plan.
Assignment work programs include procedures for identifying, analyzing,
evaluating and documenting information during the assignment. The level of
detail in audit plans and programs and documentation required are decided
by the Director, IAOD based on criteria that may include, inter alia, the level of
experience and expertise of the internal audit staff in the subject matter to be
audited, the assignment's complexity and scope, whether the audit will be
performed internally or outsourced to external service providers, etc.
5.7.2 Assignment Planning Considerations:
- The objectives of the activity being reviewed and the means
by which the activity controls its performance;
- The significant risks to the activity, its objectives, resources,
and operations, and the means by which the potential impact
of risk is kept to an acceptable level;
- The adequacy and effectiveness of the activity's risk
management and control processes compared to a relevant
control framework or model; and,
- The opportunities for making significant improvements to the
activity's risk management and control processes.
5.7.3 Notifying Management
Management should be given reasonable advance notification of an audit
unless the work involves cash counts or other similar audits, where surprise is
essential to accomplish the audit objectives. The advance notification, which
may be in either electronic or written form, should include the purpose and
scope of the audit and the time period during which the audit is to be
performed.
5.7.4 Audit Planning Quality Review
The audit plans and programs are reviewed and approved by the Director,
IAOD prior to their implementation, and any subsequent changes during the
audit fieldwork are also promptly reviewed and approved. IAOD has
developed templates for audit plans and programs that are reviewed on a
regular basis to ensure conformity with IPPF. A flowchart for the audit
process is provided at the end of this document (see Annexes I to IV).
5.7.5 Audit Fieldwork
Approved audit work programs prepared based on a risk assessment are
executed in the conduct of audit fieldwork. Internal auditors identify, analyze,
evaluate and document sufficient information to satisfy the procedures set out
in the work program, which may be modified during the conduct of the audit
fieldwork. Information gathered for audit purposes needs to be sufficient,
reliable, relevant and useful [3].
Working papers document the information obtained, the analysis made, and
the support for the conclusions and assignment results. Internal auditors
communicate regularly with the management and staff of the Unit under audit,
with a view to gaining a better understanding and providing feedback on the
preliminary audit observations and recommendations, and issues that need
immediate management action.
The main purposes of the working papers are generally to:
- Aid in the planning, performance, and review of assignments.
- Provide the principal support for assignment results.
- Document process flow charts indicating the key controls that
are assessed during the audits.
- Document whether assignment objectives were achieved.
- Support the accuracy and completeness of the work
performed.
- Provide a basis for the internal audit activity's quality
assurance and improvement program.
- Facilitate third-party reviews.
Assignment working papers document all aspects of the
assignment process from planning to communicating results.
IAOD determines the media used to document and store audit
working papers.
5.7.5.1 Arranging Audit Files
There are two general classes of working paper files: permanent and
current.
- Permanent files should contain materials of a
continuing nature that would be useful in future audits.
Background data, prior audit and inspection reports
are examples of what should be included in this file.
- Current files should be arranged according to the file
structure developed for the audit. For large audits, the
current files may consist of several distinct segments:
one file for each segment examined, others for general
segments pertaining to the audit as a whole, and one
for audit administrative matters. As a minimum,
current files should contain the table of contents,
review sheets, summary of the audit area,
cross-referenced audit program and analysis,
schedules, exhibits, and other supporting
documentation.
3 Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.
5.7.5.2 Working Paper Summaries
A narrative summary prepared by the auditor for each audit area
should be included in the working papers, whether or not deficiencies
are found. Summaries should support the development of audit
findings and spell out the facts, effects, causes, and recommended
actions surrounding each deficiency.
5.7.5.3 Working Papers
Working papers should include succinct descriptions of the following
at a minimum:
1. The audit objective for the particular area documented
in the working paper;
2. What was done, i.e. interviews held, documentation
reviewed, audit tests conducted;
3. Results achieved, i.e. the key points from the
interviews and documentation reviewed, and the audit
test results;
4. Conclusions relating to the area under review. When
concluding, the auditor should strive to determine
whether the controls for the area under review are
operating effectively. If they are not, the impact on the
area under review should clearly be stated.
5.7.5.4 Indexing and Referencing
The indexing system should be simple but capable of expansion and
should be tailored to the overall focus of the audit, the selection of
areas for emphasis, and the planned sequence of the audit. Working
papers should be indexed concurrently with their preparation, or as soon
afterwards as possible.
The referencing of working papers ensures that all pertinent facts and
conclusions have been considered and that support exists for the
auditor's position. Corrections made to supporting information should
also be cross-referenced to other affected sections of the working
papers. A copy of the draft audit report should be cross-referenced.
If any new information is added to the final audit report as a result of
the audit reply process, that information should be cross-referenced
as well.
5.7.5.5 Working Paper Review
Review of working papers permits the reviewer to assess the auditor's
conclusions, determine what additional steps are necessary, and
decide whether to revise the audit coverage.
In line with the best practice guidance, the audit working papers are
reviewed to ensure that quality is assured, staff is developed and
audit objectives are met.
In doing so, working papers prepared for each audit assignment must
be reviewed by the Head of the Internal Audit Section or the Director,
IAOD to ensure compliance with the International Standards for the
Professional Practice of Internal Auditing that have been adopted by
the UN RIAS at its 33rd meeting. This gives the reviewer the
opportunity to appraise working paper quality, the relationship of the
audit work to the objectives, and the completeness of the auditor's
examination.
The reviewer should prepare written notes on the results of the
review, and the auditor should revise working papers and perform
additional work, if needed. The reviewer and the auditor should reach
a mutual agreement on the disposition of comments and further
actions required. The process should be documented. Regular staff
meetings will also serve to discuss, inter alia, the work paper quality.
A flowchart for the audit fieldwork process is provided at the end of
this document.
5.7.6 Reporting of Audit Results
Audit results are communicated to auditees in a closing meeting following the
completion of audit fieldwork. This meeting is intended to clarify any issues
which may need further explanation and help avoid any misperception or
inaccurate conclusion which could be reflected in the draft report.
5.7.6.1 Draft Audit Report
At the end of each audit, a report shall be issued, which shall present
the objectives, scope, methodology, findings, conclusions and
recommendations of the specific activity concerned and include, if
applicable, recommendations for improvements and lessons learnt
from the program, person or activity.
Draft internal audit reports shall be presented to the program manager
and other relevant officials directly responsible for the program or
activity that has been the object of the internal audit, inspection or
evaluation, who shall be given the opportunity to respond within the
term provided therein.
5.7.6.2 Final Audit Report
The Director, IAOD shall include in his annual summary report to the
Director General, with a copy to the Audit Committee and External
Auditors, information on the Internal Audit Function's activities, the
schedule of audit work undertaken and the progress on the
implementation of recommendations, including those made by
External Auditors. The Summary Annual Report (SAR) will also
include a reference to the major risk factors facing the organization
identified during the reporting period. The SAR (July 1 to June 30)
on the internal audit activities shall be submitted to the
General Assembly on an annual basis.
The Director, IAOD will also provide regular progress reports and/or
presentations to the Director General, Audit Committee and Program
and Budget Committee, on IAOD activities including internal audit,
investigation and evaluation.
The Director, IAOD shall submit final internal audit and oversight
reports to the Director General. Internal audit, evaluation and
inspection reports will be copied to the Audit Committee. The
External Auditor shall also receive a copy of internal audit, evaluation
and inspection reports, along with any supporting documentation they
may require.
A flowchart for the audit reporting process is provided at the end of
this document.
5.7.6.3 Other Internal Audit and Oversight Reports
The Director, IAOD shall present, on an annual basis, a report to the
Director General, regarding the implementation of recommendations
made by the External Auditor.
The Director, IAOD shall make a presentation on a regular basis on
his/her activities to the Program and Budget Committee.
The Director, IAOD shall present, on an annual basis, a summary
report to the Director General with a copy to the External Auditor and
the Audit Committee, of his/her internal audit and oversight activities,
including the orientation and scope of such activities, the schedule of
work undertaken and the progress on the implementation of prioritized
recommendations contained in his/her reports. This summary report
shall be presented to the WIPO General Assembly as submitted by
the Director, IAOD. Comments the Director General may deem
appropriate may be submitted in a separate report.
When applicable, the annual report shall include the following:
(a) A description of significant problems, abuses and
deficiencies relating to the administration of WIPO in
general, or a program or operation in particular,
disclosed during the period.
(b) A description of all final recommendations for
corrective action made by the Director, IAOD during
the reporting period, relative to significant problems,
abuses or deficiencies identified.
(c) A description of all recommendations which were not
approved by the Director General, together with his
reasons for not doing so.
(d) An identification of each significant recommendation in
previous reports, on which corrective action has not
been completed.
(e) A description and explanation of the reasons for any
significant revised management decision made during
the reporting period.
(f) Information concerning any significant management
decision with which the Director, IAOD is in
disagreement.
(g) A summary of any instance where information or
assistance requested by the Director, IAOD was
refused.
(h) A summarized version of the report submitted by the
Director, IAOD to the Director General, regarding the
implementation of recommendations made by the
External Auditor.
(i) In addition, the Director, IAOD shall comment on the
scope of his activities and the adequacy of resources
for the purpose intended.
The Director, IAOD may also issue communications concerning
oversight matters to any concerned WIPO manager for matters of a
minor or routine nature, which do not necessitate formal reporting.
5.7.6.4 Access to IAOD Oversight Reports and Working Papers
Internal audit reports will be copied to the Audit Committee. The
External Auditor shall also receive a copy of internal audit reports,
along with any supporting documentation they may require.
Permanent Representatives of Member States to WIPO or their
designates can read final internal audit and oversight reports in the
Director, IAOD's office.
Audit working paper files should be adequately safeguarded, and
prescribed security procedures should be followed. Access to working paper
files is restricted to authorized personnel only. To this end, IAOD
has drawn up a Documentation Retention and Archiving Policy
(Attachment 5).
5.7.6.5 Follow up of Internal Audit Recommendations
IAOD follow up on all outstanding recommendations contained in
internal audit reports on a regular basis. Follow up is performed after
a reasonable period of time has passed from the date of issuance of
the audit reports, to assess whether management actions have been
effectively implemented or that senior management has accepted the
risk of not taking action.
As per the provisions of the IOC, IAOD also follow up on the
implementation status of recommendations made by the External
Auditor and, at the request of the Audit Committee (AC), IAOD follow
up all the outstanding recommendations of the AC and other oversight
bodies (e.g. Joint Inspection Unit) as well. WIPO has issued an Office
Instruction (see the OI16/2010) on the Implementation of Oversight
Recommendations including Reporting Procedures, Roles and
Responsibilities of Management and IAOD. To this end, IAOD has
developed, in close cooperation with the IT Division, an Excel
Spreadsheet for the effective follow up and update of implementation
status of outstanding oversight recommendations.
To accept a recommendation as implemented, the Internal Audit
Section can rely on Management's detailed description of action taken
resulting in full implementation of the recommendation. However, in
the case of recommendations where the outcome can be supported
with documentary evidence, internal auditors should receive a copy of
supporting documentation.
IAOD perform regular follow up of outstanding internal/external audit
and Audit Committee recommendations and maintain a database for
this purpose, which is updated with new oversight reports as and
when needed.
5.7.7 Acceptance of Risk by Senior Management
The Director, IAOD holds meetings regularly with the Director General on
audit and other oversight issues and informs him about the level of risk taken
by the Organization. In line with the IIA standard 2600, the Director, IAOD
also reports to the General Assembly on a yearly basis on the activities of the
IAOD including, where appropriate, whether WIPO Senior Management has
taken significant residual risks that may be unacceptable to the Organization.
5.7.8 Types of Audits
The audit assignments which shall be undertaken by IAOD include, but are
not limited to:
- Operational Audits
- Financial Audits
- IT Audits
- Compliance Audits
- Value-for-Money Audits
- Management Audits
- Performance Audits
Additionally, IAOD will proactively perform reviews and give reasonable
professional advice on controls and risks pertaining to the development of
recently introduced systems and processes, to ensure that effective systems
of internal controls exist and they operate as intended with full audit trails.
5.7.9 Use of Information Technology in Audits
IAOD intend to employ information technology tools in the conduct of audits
where appropriate, to increase the effectiveness and efficiency of the audit
process and enable internal audit staff to acquire technical skills and
knowledge in the use of specialized software for audit purposes. IAOD have
already been using the Audit Command Language (ACL), which is special
audit software that enables analysis of huge amounts of data from source and
also helps detect suspicious transactions and activities. This tool will also help
IAOD with its continuous auditing efforts to check selected sets of transactions
at regular intervals.
IAOD has planned to purchase special software for audit working paper
management and an audit documentation system to automate the recording of
the audit process, which will provide, among other things, time tracking capability with
a view to increasing the time efficiency in audit assignments.
6. Quality Control and Assurance
The Director, IAOD shall ensure that all audit staff are equipped with necessary knowledge,
technical skills and competencies in discharging their duties and responsibilities and that
audit work is carried out in line with the professional practice of international auditing
standards accepted by the UN System Organizations. Each internal auditor shall strive to
acquire the necessary skills and competencies to be able to effectively carry out tasks
entrusted to him/her. To this end, this audit manual and detailed guidance, and standard
documentation and procedures, have been developed and used since 2007.
In addition, internal quality control measures such as the adequate direction, supervision and
review of each audit assignment will take place once the size of the Internal Audit Section
allows for a two level review and a separation between direction and audit management.
The Internal Audit Function was evaluated by independent External Auditors (see footnote 4) in accordance with
the IIA professional standards of internal auditing. Feedback received from this evaluation will
be used by IAOD in completing its quality self assessment exercise within three years.
4 Evaluation of the Internal Audit Function recorded an overall percentage of the application of the IIA Standards of just above 80 percent.
It is the strategic aim of the IAOD to follow the procedures for Quality Assurance set out by
the IIA and to have an external quality review in five years (and every five years
thereafter). This exercise will be undertaken in accordance with the IIA standards for quality self
assessment, as well as the Internal Audit Capability Model for the public sector organizations
(IA-CM), developed by the IIA.
7. Coordination with Other Oversight Bodies
7.1 WIPO Audit Committee
In September 2005, the WIPO General Assembly approved the proposal of the
Program and Budget Committee on the establishment of a WIPO Audit Committee
that is an independent, expert advisory and external oversight body (see WIPO Audit
Committee Terms of Reference, annex XX). It aims to assist Member States in their
oversight role and in the better exercise of their governance responsibilities with
respect to the various operations of WIPO. IAOD participate in Audit Committee
meetings regularly, on a quarterly basis, to discuss and inform the AC of oversight
related issues, including issued audit reports and evaluation activities, and to provide
information on investigation activities while safeguarding the integrity and confidentiality of
investigation activities.
7.2 External Auditor
The External Auditor, who shall be the Auditor General (or officer holding the
equivalent title) of a Member State, shall be appointed by the General Assembly, in
the manner decided by the Assembly. The External Auditor shall conduct his work in
conformity with international auditing standards. The External Auditor may make
observations with respect to the efficiency of the financial procedures, the accounting
system and internal financial controls, and on the administration and management of
the organization. The General Assembly may ask the External Auditor to perform
certain specific examinations and issue separate reports on the results (for further
information see Terms of Reference Governing External Audit). IAOD have
developed an excellent working relationship with the External Auditor. This includes, but
is not limited to, regular exchange of views on risk and control issues, audit reports,
bi-annual and annual audit plans, etc.
7.3 Joint Inspection Unit (JIU)
By its resolution 31/192 of 22 December 1976, the UN General Assembly decided to
establish the Joint Inspection Unit which is mandated to provide an independent view
through inspection and evaluation, aimed at improving management and methods
and at achieving greater coordination between organizations. IAOD meet with the
Inspectors of the JIU when needed and provide feedback/comments on JIU reports.
Annex I: Audit Pre-planning
Phase 1 - Audit Pre-planning
Activity Product/Result
Select an Assignment in line with Bi-annual Audit Plan
Identify audit staff (taking into account specific experience/qualities of staff,
Team meetings
Identify Audit Requirements
Identify Clear and Specific Objectives/Sub objectives
Identify Type of Audit
Contact Auditee (notification of the audit and arrangements for meeting)
Work Plan and program
Form Audit Team
Staff roles and responsibilities
Preliminary Decisions on Objectives, Scope, Methodology (to be refined after review and analysis in planning Phase)
Define audit program, including objectives and audit steps to be followed.
Applicable Auditing Standards (determining specific compliance requirements)
Notification Letter/Memorandum
Audit and time requirements
Preliminary expectations relative to the content of the report
Annex II: Audit Planning
Phase 1 - Audit Planning
Activity Product/Result
Identify audit Objectives and Sub objectives and audit steps to be followed
Preliminary Review and Analysis of available documents/information
Preliminary Data Analysis.
Preliminary Conclusions.
Update Audit Plan and Program.
Preliminary Results.
Scope of Audit
Identify Data sources
Determine Risk Factors
Preliminary Assessment of Internal Control.
Audit Plan.
Identify additional issues
Team meeting and discussion
Finalize Audit Program
Data Collection, Analysis, interpretation for each objective/sub objective.
Target Dates.
Roles and Responsibilities.
Annex III: Audit Fieldwork
Activity Product/Result
Collect Information Pertaining to each Objective and Sub objective. Identify pertinent audit evidence in terms of Cause-Effect analysis and formulate Recommendations
Compilation of Working Papers (containing evidence to support findings, opinions, conclusions).
Update Short List of Findings.
Evidence (physical, documentary, testimonial, analytical).
Developed Findings (re criteria, condition, cause(s), effect(s), and recommendations).
Implement audit work program and substantiate audit findings with factual evidence/observations
Continuous Dialogue with management of audited unit to discuss preliminary audit issues/actions to be taken promptly
Based on feedback/comments by management, fine-tune audit issues/recommendations to be included in the draft audit report.
Annex IV: Audit Reporting Process
Phase 3 - Reporting Audit Results
Activity Product/Result
Draft audit report
Write draft audit report with agreed upon findings and recommendations.
Review and approval of draft audit report by Director, IAOD for Quality Assurance Purposes.
Final Audit Report including management comments/ action plan is finalized and issued within the given timeline.
Get agreement with the auditee and finalize findings/conclusions, audit issues and recommendations.
A transmittal letter and draft report are sent to the auditee for comments and to designate those responsible and an action plan for agreed recommendations.
Audit Closing Meeting
Follow up of recommendations
In case management fails to provide comments/feedback on the draft report, the final audit report is issued without management comments.
Final Audit Report
Outstanding audit recommendations are followed up after a reasonable period of time.
Annex V: Risk Assessment
1. Conduct Initial Risk Assessment
As part of the audit planning phase, prior to the start of the audit field work, the auditor should
conduct a risk assessment of the area under review. This will include initial analysis of
information requested prior to the audit, as well as other pertinent information known to the
auditor. A sample risk assessment is provided in figure 1 below.
Figure 1
The Risk Matrix shown in Figure 1 was compiled based on work completed prior to commencing the audit and provided the justification for progressing with the audit. The risk assessment provided the nine areas of focus for the audit.
No.  Risk Label  Likelihood      Impact        Risk
1.   Label 1     Unlikely        Marginal      High
2.   Label 2     Unlikely        Marginal      High
3.   Label 3     Unlikely        Marginal      High
4.   Label 4     Rare            Negligible    Low
5.   Label 5     Rare            Catastrophic  Extreme
6.   Label 6     Rare            Catastrophic  Extreme
7.   Label 7     Unlikely        Marginal      Low
8.   Label 8     Almost Certain  Negligible    Moderate
9.   Label 9     Unlikely        Negligible    Moderate
[Risk matrix: risks 1 to 9 plotted by Likelihood (Rare, Unlikely, Possible, Likely, Almost Certain) against Impact (Negligible, Marginal, Critical, Catastrophic)]
8. Hold Check Point Meeting 1 with the Director of Audit
The purpose of this meeting is to agree upon the areas of focus for the audit, and where
necessary adjust them based on the outcome of the Check Point Meeting.
9. Conduct Walkthroughs of the areas of focus
During this stage of the audit, the auditor's primary focus is to flowchart the key processes
and to document the key controls. The auditor will typically analyze the controls in a
particular process by understanding its main steps and control points.
At this point the objective is to determine the nature of the process and assess the
controls which have been designed into the process. To establish an understanding of the
control environment, the auditor's focus is the process flow and certain variations. For
example in a purchasing process, there are different controls depending upon the nature of
the purchase. Controls for purchasing services may vary from controls for purchasing goods
or specialized materials. At this point the focus is on understanding the controls in place and
the control variants, not the testing of multiple transactions within a process.
10. Reassess the Risks based on the Updated understanding of the control
environment
At this point the risks as assessed initially may change due to the level of the controls in the
process. Typically the likelihood is the element which is most likely to be reassessed. The
impact typically remains unchanged, unless the auditor determines that there is a lower
volume of financial transactions, for example, than originally thought.
11. Hold Check Point Meeting 2 with the Director of Audit
The revised risks are discussed during this meeting following the results of the walkthrough
testing, and the level of transactional testing for the areas of focus is agreed upon. It may be
concluded at this point that other areas of focus should be included in the review or that more
than the standard volume of transactional testing may be required due to special
circumstances. It may also be agreed that no transactional testing is required for a particular
area.
The result of Checkpoint 2 will be a revised risk matrix as in Figure 3:
[Revised risk matrix: risks 1 to 9 plotted by Likelihood (Rare, Unlikely, Possible, Likely, Almost Certain) against Impact (Negligible, Marginal, Critical, Catastrophic)]
Figure 3
No.  Risk Label  Likelihood      Impact        Risk
1.   Label 1     Unlikely        Marginal      Low
2.   Label 2     Unlikely        Marginal      Low
3.   Label 3     Unlikely        Marginal      Low
4.   Label 4     Rare            Negligible    Low
5.   Label 5     Rare            Catastrophic  High
6.   Label 6     Rare            Catastrophic  High
7.   Label 7     Unlikely        Marginal      Low
8.   Label 8     Almost Certain  Negligible    Low
9.   Label 9     Unlikely        Negligible    Low
Annex VI: International Standards for the Professional Practice of Internal
Auditing (Standards)
The Internal Oversight Charter (see paragraph 2 (a) footnote 3) says we will follow the Code of Ethics and the
Internal Auditing Standards established by the IIA. Below are the details of the International Professional Practices
Framework, which contains Standards, Definitions, Code of Ethics and other guide papers and practice advice issued
by the IIA.
International Professional Practices Framework
A trustworthy, global guidance-setting body, The IIA provides for internal audit professionals all around the world
authoritative guidance organized in the International Professional Practices Framework as mandatory and strongly
recommended guidance.
Mandatory Guidance
Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing. Mandatory guidance is developed following an established due diligence process, which includes a period of public exposure for stakeholder input. The three mandatory elements of the IPPF are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).
Element and Definition:
- Definition: The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.
- Code of Ethics: The Code of Ethics states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.
- International Standards: Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:
  - Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.
  - Interpretations, which clarify terms or concepts within the statements.
  It is necessary to consider both the statements and their interpretations to understand and apply the Standards correctly. The Standards employ terms that have been given specific meanings that are included in the Glossary.
Strongly Recommended Guidance
Strongly recommended guidance is endorsed by The IIA through a formal approval process. It describes practices for effective implementation of The IIA's Definition of Internal Auditing, Code of Ethics, and Standards. The three strongly recommended elements of the IPPF are Position Papers, Practice Advisories, and Practice Guides.
Element and Definition:
- Position Papers: Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and delineating related roles and responsibilities of internal auditing.
- Practice Advisories: Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the Standards and promoting good practices. Practice Advisories address internal auditing's approach, methodologies, and consideration, but not detailed processes or procedures. They include practices relating to: international, country, or industry-specific issues; specific types of engagements; and legal or regulatory issues.
- Practice Guides: Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.
International Standards
Attribute Standards
1000 Purpose, Authority, and Responsibility
1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
1100 Independence and Objectivity
1110 Organizational Independence
1111 Direct Interaction with the Board
1120 Individual Objectivity
1130 Impairment to Independence or Objectivity
1200 Proficiency and Due Professional Care
1210 Proficiency
1220 Due Professional Care
1230 Continuing Professional Development
1300 Quality Assurance and Improvement Program
1310 Requirements of the Quality Assurance and Improvement Program
1311 Internal Assessments
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
1321 Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"
1322 Disclosure of Nonconformance
Performance Standards
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Program
2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
2430 Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing"
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
2500 Monitoring Progress
2600 Resolution of Senior Management's Acceptance of Risks
Practice Advisories
Attribute Standards
PA 1000-1 - Internal Audit Charter
PA 1110-1 - Organizational Independence
PA 1111-1 - Board Interaction
PA 1120-1 - Individual Objectivity
PA 1130-1 - Impairment to Independence or Objectivity
PA 1130.A1-1 - Assessing Operations for Which Internal Auditors Were Previously Responsible
PA 1130.A2-1 - Internal Audit's Responsibility for Other (Non-audit) Function
PA 1200-1 - Proficiency and Due Professional Care
PA 1210-1 - Proficiency
PA 1210.A1-1 - Obtaining External Service Providers to Support or Complement the Internal Audit Activity
PA 1220-1 - Due Professional Care
PA 1230-1 - Continuing Professional Development
PA 1300-1 - Quality Assurance and Improvement Program
PA 1310-1 - Requirements of the Quality Assurance and Improvement Program
PA 1311-1 - Internal Assessments
PA 1312-1 - External Assessments
PA 1312-2 - External Assessments: Self-assessment with Independent Validation
PA 1321-1 - Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"
Performance Standards
PA 2010-1 Linking the Audit Plan to Risk and Exposures
PA 2010-2 Using the Risk Management Process in Internal Audit Planning
PA 2020-1 Communication and Approval
PA 2030-1 Resource Management
PA 2040-1 Policies and Procedures
PA 2050-1 Coordination
PA 2050-2 Assurance Maps
PA 2050-3 Relying on the Work of Other Assurance Providers
PA 2060-1 Reporting to Senior Management and the Board
PA 2110-1 Governance: Definition
PA 2110-2 Governance: Relationship with Risk and Control
PA 2110-3 Governance: Assessments
PA 2120-1 Assessing the Adequacy of Risk Management Processes
PA 2120-2 Managing the Risk of the Internal Audit Activity
PA 2130-1 Assessing the Adequacy of Control Processes
PA 2130.A1-1 Information Reliability and Integrity
PA 2130.A1-2 Evaluating an Organization's Privacy Framework
PA 2200-1 Engagement Planning
PA 2200-2 Using a Top-down, Risk-based Approach to Identify the Controls to be Assessed in an Internal Audit Engagement
PA 2210-1 Engagement Objectives
PA 2210.A1-1 Risk Assessment in Engagement Planning
PA 2230-1 Engagement Resource Allocation
PA 2240-1 Engagement Work Program
PA 2300-1 Use of Personal Information in Conducting Engagements
PA 2320-1 Analytical Procedures
PA 2330-1 Documenting Information
PA 2330.A1-1 Control of Engagement Records
PA 2330.A1-2 Granting Access to Engagement Records
PA 2330.A2-1 Retention of Records
PA 2340-1 Engagement Supervision
PA 2400-1 Legal Considerations in Communicating Results
PA 2410-1 Communication Criteria
PA 2420-1 Quality of Communications
PA 2440-1 Disseminating Results
PA 2440-2 Communicating Sensitive Information Within and Outside the Chain of Command
PA 2440.A2-1 Communications Outside the Organization
PA 2500-1 Monitoring Progress
PA 2500.A1-1 Follow-up Process
Practice Guides
1. Auditing Executive Compensation and Benefits
2. Auditing External Business Relationships
3. Chief Audit Executives - Appointment, Performance Evaluation and Termination
Evaluating Corporate Social Responsibility/Sustainable Development
Formulating and Expressing Internal Audit Opinions
4. Internal Auditing and Fraud
Global Technology Audit Guides (GTAG)
GTAG 1 Information Technology Controls
GTAG 2 Change and Patch Management Controls: Critical for Organizational Success
GTAG 3 Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
GTAG 4 Management of IT Auditing
GTAG 5 Managing and Auditing Privacy Risks
GTAG 6 Managing and Auditing IT Vulnerabilities
GTAG 7 Information Technology Outsourcing
GTAG 8 Auditing Application Controls
GTAG 9 Identity and Access Management
GTAG 10 Business Continuity Management
GTAG 11 Developing the IT Audit Plan
GTAG 12 Auditing IT Projects
GTAG 13 Fraud Prevention and Detection in an Automated World
GTAG 14 Auditing User-developed Applications
GTAG 15 Information Security Governance
Detailed information on the International Professional Practice Framework including IIA Standards and Practice Advisory can be found at:
http://www.theiia.org/bookstore/product/international-professional-practice-framework-2011-1533.cfm
Annex VII: IAOD Internal Audit Section Internal Audit Templates
Audit File Index
Audit Review Sheet
Audit Working Papers
Audit Process Walkthrough
Initial Risk Assessment
Revised Risk Assessment
Audit Notification Letter
Audit Exit Conference Briefing
Audit Plan
Audit Program
Audit File Clearance Check Sheet
Draft Audit Report
Draft Report Transmittal Memo
Final Audit Report
Final Report Memo