Internal Audit Quality Assessment
Presented To:
World Intellectual Property Organization
April 2014
www.theiia.org
Table of Contents

List of Acronyms ............................................... 3
Executive Summary .............................................. 4
  • Opinion as to Conformance to the Standards, the Code of Ethics, and the Definition of Internal Auditing
  • Objectives / Scope / Methodology
  • Observations Specific to the Internal Audit Section of the Internal Audit and Oversight Division
  • IIA Standards Conformance Summary
Successful Internal Audit Practices Noted ...................... 9
Opportunities for Improvement Noted ............................ 11
Attachment A ................................................... 17
  • Conformance Rating Criteria
Attachment B ................................................... 18
  • Required Communications with the Internal Advisory Oversight Committee Checklist – Example of Documentation
List of Acronyms

Director, IAOD – Director, Internal Audit and Oversight Division
EQA – External Quality Assessment
ERM – Enterprise Risk Management
IAOC – Internal Advisory Oversight Committee
IAOD – Internal Audit and Oversight Division
IIA – The Institute of Internal Auditors
Internal Audit – The Internal Audit Section of the Internal Audit and Oversight Division
QAIP – Quality Assurance and Improvement Program
Standards – International Standards for the Professional Practice of Internal Auditing
WIPO – The World Intellectual Property Organization
Executive Summary
Under the International Standards for the Professional Practice of Internal Auditing (“Standards”), an external quality assessment (“EQA”) of an internal audit
activity must be conducted at least once every five years by a qualified assessor or assessment team from outside the organization. The qualified assessor or
assessment team must demonstrate competence in both the professional practice of internal auditing and the EQA process. The World Intellectual Property
Organization (“WIPO”) Internal Audit and Oversight Division (“IAOD”) selected the Institute of Internal Auditors (“IIA”) Quality Services to lead the review. The
IAOD comprises three sections: the Internal Audit section, the Evaluation section, and the Investigations section. This EQA was limited to the
Internal Audit section of the IAOD (“Internal Audit”). The EQA was concluded on April 17, 2014 and provides management with information about Internal Audit
as of that date. Future changes in environmental factors and actions by personnel, including actions taken to address recommendations, may have an impact
upon the operation of Internal Audit in a manner that this report did not and cannot anticipate. Considerable professional judgment is involved in evaluating
the findings and developing recommendations. Accordingly, it should be recognized that others could evaluate the results differently, and draw different
conclusions.
Opinion as to Conformance to the Standards, the Code of Ethics, and the Definition of Internal Auditing
It is our overall opinion that Internal Audit generally conforms to the Standards, the Code of Ethics, and the Definition of Internal Auditing. A detailed list of
conformance to individual Standards is shown on page 6 of this report.
The IIA’s Quality Assessment Manual suggests a scale of three ratings, “generally conforms,” “partially conforms,” and “does not conform.” “Generally
Conforms” is the top rating and means the assessor has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes
by which they are applied, comply with the requirements of the Standards, the Code of Ethics, or the Definition of Internal Auditing in all material respects.
Detailed definitions for rating criteria associated with “Generally Conforms”, “Partially Conforms”, and “Does Not Conform” are described in Attachment A on
page 17 of this report and are consistent with the guidance provided by the IIA in their Quality Assessment Manual.
Objectives / Scope / Methodology
• The principal objectives of the EQA were to (1) assess Internal Audit conformance to the Standards, the Code of Ethics, and the Definition of Internal Auditing;
(2) assess the effectiveness of Internal Audit in providing assurance and advisory services to the Internal Advisory Oversight Committee (“IAOC”), senior
executives, and other interested parties; and (3) identify opportunities, offer recommendations for improvement, and provide counsel to the Director, IAOD
and staff for improving their performance and services and promoting the image and credibility of Internal Audit.
• The scope of the assessment included Internal Audit, as set forth in the WIPO Internal Oversight Charter. The WIPO Internal Oversight Charter, approved by
the General Assembly, defines the authority, responsibility, and accountability of the activity. Internal Audit provided the assessment team with a Fox News
article dated April 4, 2014 that alleged improprieties by the Director General at WIPO. The article was considered by the assessment team during the EQA
process and had no bearing upon the final determination of Internal Audit’s conformance with the Standards.
• To accomplish the objectives, the EQA team reviewed information prepared by Internal Audit at the EQA team’s request, conducted interviews with selected
key stakeholders to Internal Audit, reviewed a sample of audit projects and associated work papers and reports, reviewed benchmark and survey data, and
prepared diagnostic tools consistent with the methodology established for an EQA in the IIA Quality Assessment Manual.
Observations Specific to the Internal Audit Section of the Internal Audit and Oversight Division
Internal Audit is generally in conformance with the Standards, the IIA Code of Ethics, and the Definition of Internal Auditing. They demonstrate a strong
commitment to exceeding the basic requirements of the Standards and are focused on enhancing quality through continuous improvement. The functional and
administrative reporting relationships are appropriate and support organizational independence and objectivity. Their annual risk assessment process focuses
activities in areas of highest risk and impact consistent with the strategy and objectives of WIPO. Internal Audit has qualified staff who perform their work in a
competent, high-quality manner, and its infrastructure supports consistent performance of Internal Audit activities. They are an integral part of the governance
process for WIPO and are valued by their stakeholders including the IAOC. They operate in a very dynamic environment and their ability to adapt and be
responsive to change, combined with their ability to leverage insight on risks impacting the organization into focused audit plans, will continue to be critical to
their success and value to the organization.
Attribute Standards
Internal Audit generally has the infrastructure in place to support sustainability of internal audit processes in a quality and consistent manner. Their charter is
comprehensive and is foundational to all their activities, but should be modified for several technical requirements of the Standards. The functional and
administrative reporting relationships are appropriate and support organizational independence and objectivity. Functional reporting is supported by direct and
open access between the Director, IAOD and the chairs of the General Assembly, the Coordination Committee, the Program and Budget Committee, and the
IAOC. The structure of IAOD presents an impairment in the ability of Internal Audit to independently evaluate the activities of the Evaluation and Investigation
sections of IAOD. This impairment has been appropriately disclosed and is being managed effectively by the Director, IAOD. Internal Audit management and
staff are qualified with appropriate credentials and experience; and work is performed with due professional care that includes an appropriate level of
supervisory review and approval. Training and professional development processes are appropriate to support proficiency of Internal Audit management and
staff. While the CAE has established a Quality Assurance and Improvement Program (“QAIP”) that promotes quality and continuous improvement, this program
should be more formalized to enhance sustainability and consistency in execution.
Performance Standards
Internal Audit is managed appropriately and the annual audit plan is supported by a risk assessment process that incorporates input from Internal Audit
stakeholders including the Director General, the IAOC, and the various member states when developing the audit universe, conducting risk assessment, and
preparing the annual audit plan. The annual audit plan is reviewed by the IAOC, but should be formally approved by them as well. Results of the annual audit
plan are communicated periodically to the IAOC and on an annual basis to the General Assembly. Internal Audit manages resources effectively and uses third
party resources for specific subject matter expertise on an as needed basis. Internal Audit should continue to refine its role in Enterprise Risk Management
(“ERM”) within WIPO as those processes mature to ensure that Internal Audit plans are linked to the entity-wide view of risk. Policies and procedures
supporting Internal Audit infrastructure and key processes should be updated to align with current practices and the use of the electronic work paper software
tool. This supports sustainability and consistency of these processes and promotes quality. Engagement level planning is supported by an engagement level risk
assessment that appropriately considers fraud risk as a component. Objectives evaluate technology, operational, financial, and compliance components as
appropriate for individual engagements. Individual audits are of a consistent high quality and work papers fully support reported findings. Audit reports are
consistent with the underlying work product and there is a follow-up process in place that tracks audit issues through to resolution.
IIA Standards Conformance Summary
Rating columns: GC (Generally Conforms), PC (Partially Conforms), DNC (Does Not Conform), NA. Rating criteria are described in Attachment A.
[The per-standard rating marks in this summary did not survive extraction; only the standards listed and the overall rating are reproduced.]

OVERALL – Generally Conforms (GC)

ATTRIBUTE STANDARDS
1000 Purpose, Authority, and Responsibility
1010 Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the Internal Audit Charter
1100 Independence and Objectivity
1110 Organizational Independence
1111 Direct Interaction with the Board
1120 Individual Objectivity
1130 Impairments to Independence or Objectivity
1200 Proficiency and Due Professional Care
1210 Proficiency
1220 Due Professional Care
1230 Continuing Professional Development
1300 Quality Assurance and Improvement Program
1310 Requirements of the Quality Assurance and Improvement Program
1311 Internal Assessments
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
1322 Disclosure of Nonconformance

PERFORMANCE STANDARDS
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Programs
2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
2430 Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
2500 Monitoring Progress
2600 Communicating the Acceptance of Risks

IIA CODE OF ETHICS
DEFINITION OF INTERNAL AUDITING
During the EQA, several areas were noted where Internal Audit is operating in a manner consistent with successful internal audit practice. In addition, some areas
were noted where there are opportunities for improvement that will strengthen conformance to the Standards or enhance the efficiency and effectiveness of Internal
Audit processes. Detailed observations, recommendations, and Internal Audit responses to these opportunities for improvement are included in the following section
of this report.
Successful Internal Audit Practices Noted
Standard 1220
The Internal Audit methodology requires the extensive use of checklists and templates embedded within their electronic work paper tool to
ensure Internal Audit projects are planned and executed consistent with the defined methodology and that all required elements are
considered.
Standard 2010
Internal Audit has a robust annual risk assessment process that incorporates input from stakeholders throughout the organization, including
the Director General, the IAOC, and the various member states when developing the audit universe, conducting risk assessment, and preparing
the annual audit plan.
Standard 2030
Internal Audit effectively uses third party resources to supplement audit staff and to provide subject matter expertise.
Standard 2300
Work papers supporting individual audit engagements are of a consistent high quality and generally exceed conformance with Standards
requirements.
Opportunities for Improvement Noted
Standard 1000
Update the WIPO Internal Oversight Charter for several technical adjustments to align with the IIA Model Internal Audit Activity Charter (May
2013) which incorporates newly required elements of the Standards.
Standard 1220
Continue the IAOD strategy to enhance the use of data analytics in support of Internal Audit risk assessment, planning, and engagement
execution.
Standard 1300
Document the QAIP in the Internal Audit Manual to fully describe all required elements such as objectives, scope, internal and external
assessment components, and communication of results.
Standard 1311
Consider enhancing the periodic internal assessment process by using a combination of vertical and horizontal reviews of completed projects
to support evaluation of conformance with the Standards and the Internal Audit methodology as well as efficiency and effectiveness of the
underlying processes.
Standard 2000
Consider updating the 2012-2015 Strategic Plan for IAOD that supports the dynamic nature of WIPO and that guides activities of Internal Audit
in a proactive, thoughtful, systematic, and practical manner.
Standard 2020
Communicate the risk-based audit plan to the IAOC for both review and approval.
Standard 2040
Consider updating the Internal Audit Manual to align with the current Internal Audit methodology that incorporates the effective use of an
electronic work paper software tool.
Standard 2060
Consider adopting a Required Communications with the IAOC Checklist to ensure that all requirements are met and documented in the
appropriate time frames.
Standard 2110
Consider incorporating an evaluation of the effectiveness of the organization’s ethics-related objectives, programs, and activities as well as
information technology governance in support of the organization’s strategies and objectives into the annual audit planning process.
Standard 2120
Consider expanding the role of Internal Audit in support of the maturing and evolving ERM process within WIPO.
Standard 2410
Consider enhancing the audit reporting process by providing more clarity with regards to the relative significance of observations reported.
Thank you for the opportunity to be of service to Internal Audit. We will be pleased to respond to further questions concerning this report and furnish any
desired information.
Basil Woller, CIA, CRMA
Team Leader
Gina Eubanks, CIA, CRMA, CCSA, CISA
Vice President Professional Services
The Institute of Internal Auditors
Team Member:
Robert Riegel, CIA, CRMA, CISA, CRISC, CFSA, CFE
Successful Internal Audit Practices Noted
Successful Internal Audit Practice
Description
Standard 1220 – The Internal Audit methodology
requires the extensive use of checklists and
templates embedded within their electronic work
paper tool to ensure Internal Audit projects are
planned and executed consistent with the defined
methodology and that all required elements are
considered.
The checklists and templates used by Internal Audit are comprehensive and updated to address specific
requirements for the area under review. The use of checklists and templates to plan, execute, and
administer Internal Audit projects together with required supervisory review and approval ensures (1)
consistent application of the Internal Audit methodology, (2) contributes to a high level of quality
within Internal Audit projects, (3) provides a mechanism to document appropriate supervisory review
and approval for critical elements within the work papers, and (4) demonstrates due professional care
in conducting internal audits.
Standard 2010 – Internal Audit has a robust
annual risk assessment process that incorporates
input from stakeholders throughout the
organization, including the Director General, the
IAOC, and the various member states when
developing the audit universe, conducting risk
assessment, and preparing the annual audit plan.
Internal Audit generally, and the Director, IAOD specifically, have a “seat at the table” within the
organization to appropriately capture information related to emerging and/or changing risk profiles
while maintaining their independence and objectivity. This “seat at the table” is primarily ensured by
formal interaction with the senior leadership team and open and direct access to senior stakeholders
throughout the organization. The audit plan is the result of a risk assessment process that uses defined
risk factors and rating criteria that in combination derive residual levels of risk for prioritization of areas
for review. The plan is consistent with the entity-wide view of risk, and audits are focused to evaluate
specific objectives related to mitigation of risk. There is an appropriate balance between financial
reporting, compliance, and operational risk objectives in the annual audit plan.
Standard 2030 – Internal Audit effectively uses
third party resources to supplement audit staff
and to provide subject matter expertise.
Internal Audit uses third party resources primarily for technical skills associated with IT audit
requirements. This is especially appropriate given the rapidly changing technical requirements needed
to effectively audit technology risk. One of the challenges for a smaller internal audit activity is
ensuring that the appropriate skill sets are in place to perform audit from a proficiency perspective.
This effective and necessary use of third party resources is a successful internal audit practice for a
smaller internal audit activity.
Standard 2300 – Work papers supporting
individual audit engagements are of a consistent
high quality and generally exceed conformance
with Standards requirements.
This is especially noteworthy given the relative small size of Internal Audit. Observations
communicated to senior management, the IAOC, and the external auditor were fully supported and
linked to the underlying work papers. Documentation of information within the work papers –
including planning, work programs, use of checklists, and supervisory review and approval – was
maintained consistently across the projects reviewed and in strict conformance with the defined
methodology. Opening and closing meeting materials were thorough and included the scope and
results of engagements. Significant client communications were routinely included and there was
appropriate evidence for supervisory review and approval of all work performed. The electronic work
paper software tool was used in a very effective manner to integrate annual risk assessment with
engagement level audit processes and tracking of results.
Opportunities for Improvement Noted
Opportunity for Improvement
Internal Audit Response
Standard 1000 – Update the WIPO Internal Oversight Charter for several technical adjustments to align with the IIA Model Internal Audit Activity Charter (May 2013), which incorporates newly required elements of the Standards.
• Include language in Section E: Duties and Modalities of Work, Paragraph 14 that describes the nature of consulting services provided by IAOD. Consider language such as “Perform consulting and advisory services related to governance, risk management, and controls as appropriate for the organization.” Describing the nature of consulting services in the WIPO Internal Oversight Charter is a requirement of Standard 1000 C1.
• Include language in the WIPO Internal Audit Oversight Charter that recognizes the mandatory nature of the Definition of Internal Auditing, the IIA Code of Ethics, and the Standards. The WIPO Internal Oversight Charter is generally consistent with the Definition of Internal Auditing, the IIA Code of Ethics, and the Standards, but does not include specific language that recognizes their mandatory nature as required by Standard 1010.
Internal Audit Response – Comment and Action Plan: IAOD agrees with the recommendation and will make the necessary proposals to the Independent Advisory Oversight Committee (IAOC) for amendments to be considered to the Internal Oversight Charter.
Responsible staff: T. Rajaobelina with the IAOC
Deadline: WIPO General Assembly 2015

Standard 1220 – Continue the IAOD strategy to enhance the use of data analytics in support of Internal Audit risk assessment, planning, and engagement execution.
For individual engagements, data analytics can effectively identify observations and support root-cause analysis for those observations reported to management. Expanding data analytics capability is consistent with successful internal audit practice and provides the opportunity to (1) enhance the audit process so it is faster and more efficient and effective, (2) shorten the audit cycle time to provide more timely risk and control assurance, (3) achieve greater audit coverage without the need to expand Internal Audit resource requirements, (4) be able to conduct selected audits on a periodic basis, (5) audit 100% of data populations rather than a sample, (6) improve the quality of assurance through the use of data and transactional analysis, and (7) enhance the value to audit clients and the organization as a whole. The use of data analytics is a successful internal audit practice that is becoming more commonplace as technology and data analytics become more embedded within the skill sets of internal auditors.
Internal Audit Response – Comment and Action Plan: IAOD agrees with the recommendation. IAOD already uses data analytics in all audits, to the extent possible. IAOD has already acquired ACL licenses and went through training on ACL as well as PeopleSoft. IAOD will further develop its use of data analytics to effectively implement its continuous auditing approach. The objective will be for IAOD not only to systematically use data analytics in each engagement but also to develop IAOD reports on exceptions, anomalies, patterns and trends that will be produced based on analysis of information within WIPO systems.
Responsible staff: Tuncay Efendioglu - Sashidhar Boriah
Deadline: December 31, 2014
Standard 1300 – Document the QAIP in the Internal Audit Manual to fully describe all required elements such as objectives, scope, internal and external assessment components, and communication of results.
While required elements of the QAIP are in place and functioning, documentation does not currently support their sustainability and consistent execution. The IIA Practice Guide “Quality Assurance and Improvement Program” (March 2012) provides strongly recommended guidance on the topic of a QAIP. The scope of the QAIP should be the operation of Internal Audit as described in the WIPO Internal Oversight Charter. Objectives for the QAIP should be consistent with those described in Practice Advisory 1310-1 and include: (1) conformance with the Definition of Internal Auditing, the Standards, and the IIA Code of Ethics; (2) adequacy of the WIPO Internal Oversight Charter, goals, objectives, policies, and procedures; (3) contribution to the organization’s governance, risk management, and control processes; (4) compliance with applicable laws, regulations, and government or industry standards; (5) effectiveness of continuous improvement activities and adoption of best practices; and (6) the extent to which Internal Audit adds value and improves the organization’s operations. The processes used to support on-going monitoring of Internal Audit performance, internal periodic assessment, external assessment, and communication of internal and external assessment results should be documented in sufficient detail to consistently guide their execution.
Internal Audit Response – Comment and action plan: IAOD agrees with the recommendation. As recognized in the EQA, required elements of the Quality Assurance and Improvement Program (QAIP) are in place and functioning and what needs to be done is to formalize it. IAOD will prepare a formal QAIP document to gather all the necessary elements to ensure sustainability and consistency.
Responsible staff: Tuncay Efendioglu
Deadline: July 15, 2014
Standard 1311 – Consider enhancing the periodic internal assessment process by using a combination of vertical and horizontal reviews of completed projects to support evaluation of conformance with the Standards and the Internal Audit methodology as well as efficiency and effectiveness of the underlying processes.
Vertical and horizontal reviews are the two generally accepted methods to perform quality reviews of completed audit projects. A vertical review provides an evaluation of conformance with the Standards and examines a specific project from a top-down approach (e.g., an assessment of the individual audit steps performed for a specific project work plan: planning steps, fieldwork steps and reporting steps). A horizontal review allows for an evaluation across all project engagements (e.g., use of the risk assessment matrix, supervisory review and approval process, or consistency in applying report ratings) from an efficiency and effectiveness perspective. A combination of these two methods is consistent with successful internal audit practice and contributes to continuous improvement of internal audit processes.
Internal Audit Response – Comment and action plan: IAOD agrees with the recommendation. IAOD will prepare annual reports on the outcome of vertical and horizontal assessments.
Responsible staff: Tuncay Efendioglu
Deadline: August 31, 2014

Standard 2000 – Consider updating the 2012-2015 Strategic Plan for IAOD that supports the dynamic nature of WIPO and that guides activities of Internal Audit in a proactive, thoughtful, systematic, and practical manner.
Ensure strategies in the multi-year plan support (1) the robust risk assessment and annual planning process to focus on emerging high risk areas to WIPO including coverage of technology, strategic, and business risks; (2) alignment and coordination between Internal Audit as a third line of defense and other assurance activities associated with the second line of defense including ERM; (3) alignment of Internal Audit resources with the annual plan requirements from an organizational, staffing and on-boarding, and professional development perspective; and (4) the deployment of technology within Internal Audit to support the expanded use of data analytics for engagement planning and execution, and the implementation of continuous auditing protocols. Strategy statements should be supported by specific actions to execute the defined strategy. The IIA Practice Guide “Developing the Internal Audit Strategic Plan” (July 2012) might be considered as a resource when developing this plan.
Internal Audit Response – Comment and action plan: IAOD agrees with the recommendation. IAOD will prepare a revised Internal Audit Strategy/Policy in accordance with its Internal Oversight Charter (paragraph 13).
Responsible staff: Thierry Rajaobelina in coordination with Member States and the IAOC.
Deadline: June 30, 2015
Standard 2020 – Communicate the risk-based audit plan to the IAOC for both review and
approval.
Comment and action plan: IAOD takes note of the
recommendation. The issue was discussed with the
IAOC at its March 2014 session and it was decided that
the IAOC would review the draft of the plan before its
issuance. This new practice will begin at the end of
2014. To have the IAOC approve the plan will need a
revision of the Internal Oversight Charter, on which
IAOD can work with the IAOC.
While the risk-based audit plan and associated resource requirements, including significant
interim changes, are communicated to the IAOC for review, the risk-based audit plan is not formally
approved as required by Standard 2020 – Communication and Approval. Formal approval of the
risk-based plan and the associated resource plan is a successful internal audit practice that
demonstrates independent functional reporting and supports organizational independence and
objectivity of Internal Audit.
Responsible staff: T. Rajaobelina with the IAOC.
Deadline: WIPO General Assembly 2015
Standard 2040 – Consider updating the Internal Audit Manual to align with the current Internal
Audit methodology that incorporates the effective use of an electronic work paper software tool.
The manual was last updated in 2011 and does not currently include procedures that document
the Internal Audit methodology in place and operating through the electronic work paper
software tool. Procedures should be updated for (1) the annual risk assessment and planning
process, (2) the engagement planning process, including work program development, (3) the
engagement fieldwork process, (4) the engagement reporting process, and (5) the monitoring of
reported observations process. In addition, as described in Standard 1300 – Quality Assurance
and Improvement Program, the QAIP should be more fully documented to include objectives,
scope, and procedures to implement internal and external assessment requirements and
communication of results. Reviewing and updating the manual as a component of the periodic
internal assessment process is a means to ensure the manual is current with professional
guidance.
Comment and action plan: IAOD agrees with the
recommendation. IAOD will prepare a revision of its
audit manual and will submit it to the IAOC for its
review in accordance with paragraph 13 of the Internal
Oversight Charter.
Responsible staff: Tuncay Efendioglu and Alain Garba
Deadline: December 31, 2014
Standard 2060 – Consider adopting a Required Communications with the IAOC Checklist to ensure that all requirements are met and documented in the appropriate time frames.
This checklist should be integrated into the IAOC agenda as appropriate and should be updated as changes to Standards become effective. This checklist, when combined with IAOC minutes, provides documentation that all required communications are considered and take place in the appropriate time frames. An example of this checklist is included as Attachment B to this report.
Internal Audit Response – Comment and action plan: IAOD agrees with the recommendation. IAOD will discuss the checklist with the IAOC and prepare any required list for the IAOC’s consideration.
Responsible staff: Thierry Rajaobelina
Deadline: December 31, 2014

Standard 2110 – Consider incorporating an evaluation of the effectiveness of the organization’s ethics-related objectives, programs, and activities as well as information technology governance in support of the organization’s strategies and objectives into the annual audit planning process.
Implementation Standards 2110.A1 and 2110.A2 adopted in 2009 require that the ethics and compliance program and information technology governance be evaluated as part of the evaluation of governance activities required by the nature of work Standards. Each of these items should be included in the audit universe, evaluated as part of the annual risk assessment, and incorporated into the annual audit plan as appropriate.
Internal Audit Response – Comment and action plan: IAOD agrees with the recommendation. IAOD notes that audits of the organization’s ethics-related objectives and of information technology governance were done in recent years (2010 in one case and from 2011 to 2013 for the second). In addition, as regards ethics, IAOD also notes that the organization’s framework is continuously reviewed through investigations conducted by IAOD. IAOD will nevertheless specifically incorporate the ethics and compliance program and information technology governance in its oversight universe, risk assessment and annual plan as appropriate.
Responsible staff: Tuncay Efendioglu - Sashidhar Boriah
Deadline: 2015 annual plan exercise
Standard 2120 – Consider expanding the role of Internal Audit in support of the maturing and evolving ERM process within WIPO. Consider the IIA Position Paper “The Role of Internal Auditing in Enterprise-Wide Risk Assessment” as guidance for the ongoing role. As the ERM process within WIPO continues to evolve, Internal Audit can provide assurance into how the organization identifies risks, assigns ownership of those risks, documents risk mitigation strategies and results, and monitors the residual levels of risk. Internal Audit should appropriately link the entity-level view of risk into their annual risk assessment process consistent with Standards requirements.

Comment and action plan: IAOD takes note of the recommendation. IAOD will continue advising the organization on the implementation of its ERM process. IAOD will also continue taking into account the entity-level view of risk when conducting its annual risk-assessment process.
Responsible staff: Thierry Rajaobelina
Deadline: on-going

Standard 2410 – Consider enhancing the audit reporting process by providing more clarity with regards to the relative significance of observations reported. The current process describes the impact of observations but does not necessarily provide input into the significance of the issue. Several key stakeholders suggested this would help them focus on those areas most critical to their operation while still being kept informed of other important issues. Categorizing exceptions using pre-defined criteria can provide a consistent view of significance across the organization and can provide insight into prioritization for management response and action. Rating criteria should be developed in consultation with key stakeholders consistent with the requirement of Standard 2410.A1.

Comment and action plan: IAOD agrees with the recommendation. IAOD will continue working on the clarity of its audit reports. IAOD will continue to prioritize its observations and recommendations. Efforts will be put in enhancing the process. Auditors have already been registered on report writing courses and collectively IAOD will organize a follow-up training in January 2015 on report writing.
Responsible staff: Tuncay Efendioglu - Alain Garba - Sashidhar Boriah
Deadline: next audit report
Attachment A
Conformance Rating Criteria
GC – “Generally Conforms” means the assessor has concluded the following:
• For individual standards, that the internal audit activity conforms to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or elements of the
Code of Ethics (both Principles and Rules of Conduct) in all material respects.
• For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity achieves general conformity
to a majority of the individual standards and/or elements of the Code of Ethics, and at least partial conformity to others, within the section/category.
• For the internal audit activity overall, there may be opportunities for improvement, but these should not represent situations where the internal audit activity
has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives.
PC – “Partially Conforms” means the assessor has concluded the following:
• For individual standards, the internal audit activity is making good faith efforts to conform to the requirements of the standard (e.g., 1000, 1010, 2000, 2010,
etc.) or element of the Code of Ethics (both Principles and Rules of Conduct) but falls short of achieving some major objectives.
• For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity partially achieves
conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics.
• For the internal audit activity overall, there will be significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or
achieving their objectives. Some deficiencies may be beyond the control of the internal audit activity and may result in recommendations to senior
management or the board of the organization.
DNC – “Does Not Conform” means the assessor has concluded the following:
• For individual standards, the internal audit activity is not aware of, is not making good faith efforts to conform to, or is failing to achieve many/all of the
objectives of the standard (e.g., 1000, 1010, 2000, 2010, etc.) and/or elements of the Code of Ethics (both Principles and Rules of Conduct).
• For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity does not achieve
conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics.
• For the internal audit activity overall, there will be deficiencies that will usually have a significant negative impact on the internal audit activity’s effectiveness
and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior
management or the board.
Attachment B
Required Communications with the Internal Advisory Oversight Committee Checklist
Example of Documentation
Each row below lists the Standard, the Communication Requirement it imposes, and an example of the Annual Communication Documentation that satisfies it.

Standard 1000
Communication Requirement: The CAE must periodically review the Internal Audit Department Charter and present it to Senior Management and the Audit Committee for review and Audit Committee approval.
Annual Communication Documentation: The Internal Audit charter was amended and presented to senior management and the Audit Committee for review and approval at the January XX, 20XX, Audit Committee Meeting.

Standard 1010
Communication Requirement: The CAE should discuss the Definition of Internal Auditing, the Code of Ethics, and the IIA Standards with Senior Management and the Audit Committee.
Annual Communication Documentation: The Definition of Internal Auditing, the Code of Ethics, and the Standards were discussed with senior management and the Audit Committee in conjunction with the Internal Audit charter review at the January XX, 20XX, Audit Committee meeting.

Standard 1110
Communication Requirement: The CAE must confirm to the Audit Committee, at least annually, the organizational independence of the internal auditing activity.
Annual Communication Documentation: As the CAE, I hereby confirm the organizational independence of the internal audit activity as of May XX, 20XX.

Standard 1111
Communication Requirement: The CAE must communicate and interact directly with the Audit Committee.
Annual Communication Documentation: As the CAE, I confirm that an appropriate level of communication and interaction has taken place between me and the Audit Committee.

Standard 1312
Communication Requirement: The chief audit executive must discuss with the Audit Committee the form and frequency of external assessment as well as the qualifications and independence of the external assessor or assessment team, including any potential conflicts of interest.
Annual Communication Documentation: Discussions were held at the November XX, 20XX, Audit Committee Meeting related to the need for and the frequency of the periodic external assessments, the form of the external assessment, and the qualification and independence of the external assessor.

Standard 1320
Communication Requirement: The CAE must communicate the results of the quality assurance and improvement program to senior management and the Audit Committee. The results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer’s or review team’s assessment with respect to the degree of conformance.
Annual Communication Documentation: Results of the Continuous Monitoring and Annual Internal Quality Assessment Review of Internal Audit were communicated to Executive Management on January XX, 20XX, and to the Audit Committee on January XX, 20XX. The results of the external quality assessment performed by XXXX were communicated to Executive Management and the Audit Committee on February XX, 20XX.

Standard 2020
Communication Requirement: The CAE must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the Audit Committee for review and approval. The CAE must also communicate the impact of resource limitations.
Annual Communication Documentation: Communication of the status of internal audit plans and resource requirements was reported on at least a quarterly basis to the Audit Committee. At the November XX, 20XX, Audit Committee Meeting, Internal Audit reported that there were no audits below the resource cut line on the Proposed 20XX Audit Plan that Internal Audit believed were necessary to be performed in 20XX. Accordingly, there were no material impacts associated with resource limitations.

Standard 2060
Communication Requirement: The CAE must report periodically to senior management and the Audit Committee on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Audit Committee.
Annual Communication Documentation: Communication of Internal Audit’s purpose, authority, and responsibility was reported to the Audit Committee on January XX, 20XX. On a periodic basis, the CAE also reports significant risk exposures and control issues, including fraud risks, governance issues, and other matters at the request of the Audit Committee.