Internal Auditing Consultative Forum Establishing Effective Internal Audit

1
Internal Auditing Consultative ForumEstablishing
Effective Internal Audit Principles of Good
Practice

• Gert van der Linde
• Safari Park, Nairobi, Kenya
• 2 March 2004

2

• Working for a world free of poverty

3
Poverty Reduction Global Challenge

• Of the 4.7 billion people who live in the 100
  World Bank client countries
• 3 billion live on less than 2 a day and 1.2
  billion on less than 1 a day.
• Nearly 3 million children in developing countries
  die each year from vaccine-preventable diseases.
• 113 million children are not in school.
• 1.5 billion have no clean drinking water

4
Poverty Reduction Africa Challenge

• 300 of 600 million people are in absolute poverty
  
• Low HD Indicators
• HIV/AIDS 20 million have died, 30 million are
  infected and 12 million children orphaned
• Relatively Small Economies
• 200 million directly affected by conflict and
  violence
• Heavily Aid Dependent
• Limited Capacity
• Callisto E. Madavo, RVP,
• Africa, January 2003

5
Four Pillars of AFR Strategy
IMPROVE GOVERNANCE AND RESOLVE CONFLICTS
INVESTIN PEOPLE
IMPROVE COMPETIVENESS AND DIVERSIFY ECONOMIES
IMPROVE DEMAND FOR GOOD GOVERNANCE AND TRANSPAREN
CY POST-CONFLICT ASSISTANCE MODELS (DRC, LICUS)
HIV/AIDS AND MAP EDUCATION FOR ALL (13 OF
23 COUNTRIES) DECENTRALIZED SERVICE PRODUCTION
AND TRACKING
BUSINESS CLIMATE, AGRIBUSINESS, SUPPLY
CHAINS INFRASTRUCTURE TRADE AND EXPORT FOCUS
BUILD ON NEW PROCESSESS (HIPC,
CDF/PRSP, NEPAD) GET RESOURCES TO PEOPLE (CDD
AND EXPENDITURE TRACKING) SLASH
TRANSACTION COSTS OF AID!
REDUCE AID DEPENDENCE STRENGTHEN PARTNER- SHIPS
Source Can Africa Claim the 21st Century?
6
The HIPC Assessment Questionnaire
Benchmark Description
"Close-fit or better" to GFS definition of
general government
Extra (or off) budget expenditure is not
substantial
Level and composition of outturn is "quite close"
to budget
Both capital and current donor funded
expenditures included
Functional and/or program information provided
Identified through use of classification system
(e.g., a virtual poverty fund)
Projections are integrated into budget formulation
Low-level of arrears accumulated
Internal audit function (whether effective or not)
Tracking used on regular basis
Reconciliation of fiscal and monetary data
carried out
on routine basis
Monthly expenditure reports provided within four
weeks of
end of month
Timely functional reporting derived from
classification system
Accounts closed within two months of year end
Audited accounts presented to legislature within
one year
7
Conclusions Results, March 2002 Board Paper
(Percent of 24 countries not meeting each
benchmark)
100
90
80
70
60
50
40
Timely functional reporting from class system
Audited accounts to legislature within 1 year
Projections integrated into budg. formulation
Quality of internal audit (effective or not)
Accounts closed within two months of y/e
Close fit or better to GFS definition
30
Fiscal monetary data reconciled
Extra (off) budget expend.
Pov. Red. Exp. Identified
20
Data on donor financing
Classification of budget
Low level of arrears
Regular tracking
Month reports
Outturn close?
10
0
Benchmark number
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Execution
Formulation
Reporting
Source Actions to Strengthen the Tracking of
Poverty Related Public Spending in Heavily
Indebted Poor Countries (HIPCs), World Bank and
IMF, March 22, 2002. See http//www.worldbank.org
/hipc/hipc-review/tracking.pdf
8
Effectiveness Considerations

• True independence
• Have a good understanding of issues facing the
  organization
• Be responsive to managements needs
• Be able to assess, advise and assure on the
  management of key business risks
• Contribute to performance improvement
• Be proactive in communication with management
• Follow through on implementation of
  recommendations
• Match the skill set to the needs
• Use enabling technology and work smarter

9
Internal Audit Processes

• Annual Audit Coverage Planning
• Assignment Planning
• Risk Assessment
• Control Identification
• Control Assurance
• Reporting

10
Annual Audit Coverage Planning

• Determine audit universe
• Compile audit coverage plan
• Prioritisation and rating of areas
• Type of assignment e.g. Business process,
  Product, Branch audit, etc.
• Contract with line manager SBU Exco
• Approval by Group Exco
• Approval by GACC
• Deliverable Annual Audit Coverage Plan

11
Assignment Planning

• Preliminary review
• Obtain background information of audit area
• Determine assignment scope objectives
• Risk Management Plan, Control Adequacy
  Evaluation, Control Effectiveness Evaluation
• Develop Assignment Planning Memorandum
• Sign-off by Line manager
• Notification to / Sign-off by SBU Exco member
• Sign-off by Audit Services Section Head
• Deliverable Assignment Planning Memorandum

12
Risk Assessment

• Identify functional areas
• Identify risk areas
• Identify risks
• Identify risk elements
• Prioritisation of risks risk elements
• Deliverable Risk Profile

13
A Risk Profile
Risk areas
1 - Implementation of trading strategy 2
- Marketing of products / services 3 - Market /
product liquidity 4 - Obtaining of credit
approvals 5 - Security documentation 6
- Management of counterparty exposures 7
- Dealing and pricing systems 8 - Quoting of
rates 9 - Trading 10 - Income generation 11 - Fee
/ commission structure 12 - Position
revaluation 13 - VaR / Sensitivity Analysis
TREASURY - AGRIS
Control Profile
13
14
15
16
17
18
19
20
21
22
23
24
25
26
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
Seriousness
High Risk Areas
2
6
1
4
13
9
10
8
7
3
12
11
5
Medium Risk Areas
Low Risk Areas
Probability
14
Control Identification

• Identify preventative controls
• Identify contingent controls
• Determine responsibility for controls
• Deliverable Risk Management Plan

15
Control Assurance

• Perform control adequacy evaluation
• Ensure existence of controls
• Evaluate economy and efficiency of application
• Perform control effectiveness evaluation
• Provide an opinion on the level of effectiveness
  of adequate controls
• Perform substantive testing
• To substantiate the impact where no controls
  exist
• Deliverable Audit Findings

16
Reporting and follow-up

• Present findings and recommendations
• Obtain management responses
• Rank findings, using standard rating tables
• Compile an Executive Summary
• Critical and significant findings
• Audit opinion on area audited
• Risk Management Plan
• Detailed findings
• GACC reporting
• Critical findings
• Unacceptable audit opinion
• Follow up actions
• Together with risk owners, monitored by SBU Exco
• Deliverable Audit Assignment Report

17
Reporting Challenges

• 800 audit assignments
• 5 Audit Committee meetings per year
• Different views and needs
• Risk owners
• SBU Management / Exco
• Audit Committee
• The past, present and future

Security documentation Controls to ensure timely
collection of security documentation were found
to be ineffective as a result of a inadequate
information.
(Rating Significant)
18
Challenge Maintain a Control Profile
19
Reporting to Audit Committees
20
Root Cause Analysis
21
Effectiveness Considerations

• True independence
• Have a good understanding of issues facing the
  organization
• Be responsive to managements needs
• Be able to assess, advise and assure on the
  management of key business risks
• Contribute to performance improvement
• Be proactive in communication with management
• Recommendations are implemented
• Match the skill set to the needs
• Use enabling technology and work smarter