External Quality Assessment of the Internal Audit Activity at the World Food Programme November 2016
Table of Contents
Executive Summary
Opinion as to conformance to the Standards
Scope and methodology
Observations and positive attributes
Recommendations
Attachment A Standards conformance evaluation summary
Attachment B Comments
EXECUTIVE SUMMARY

As requested by the chief audit executive (CAE), Deloitte conducted an external quality assessment (QA) of the Internal Audit (IA) activity at the World Food Programme of the United Nations (WFP). Internal Audit activity is carried out by the Office of Internal Audit (OIGA), which is part of the WFP Office of Inspector General (OIG). The principal objectives of the QA were to assess the internal audit (IA) activity's conformance to The IIA's International Standards for the Professional Practice of Internal Auditing (Standards), evaluate the IA activity's effectiveness in carrying out its mission (as set forth in its charter and expressed in the expectations of WFP's management), and identify opportunities to enhance its management and work processes, as well as its value to the World Food Programme.

OPINION AS TO CONFORMANCE TO THE STANDARDS

It is our overall opinion that the IA activity Generally Conforms (GC) to the Standards and Definition of Internal Audit. For a detailed list of conformance to individual Standards, please see Attachment A. The IIA's Quality Assessment Manual suggests a scale of three ratings: generally conforms, partially conforms, and does not conform. Generally Conforms is the top rating and means that an IA activity has a charter, policies, and processes that are judged to be in conformance with the Standards. Partially Conforms means deficiencies in practice are noted and are judged to deviate from the Standards, but these deficiencies did not preclude the IA activity from performing its responsibilities in an acceptable manner. Does Not Conform means deficiencies in practice are judged to be so significant as to seriously impair or preclude the internal audit activity from performing adequately in all or in significant areas of its responsibilities.
SCOPE AND METHODOLOGY

As part of the preparation for the QA, the IA activity prepared an advanced preparation document with detailed information and sent out surveys to IA staff and a representative sample of Audit Clients. A summary of the survey results (without identifying the individual survey respondents) has been presented to the IA activity. Before commencement of the onsite work by the QA team on October 10, 2016, the QA team conducted preliminary activities and meetings with the Inspector General, the Director of Internal Audit and selected OIGA staff to gather additional background information, select senior management for interviews during the onsite fieldwork, and finalize planning and administrative arrangements for the QA. As part of the review, extensive interviews were held with the President of the Executive Board (Governing Body), Audit Committee representatives, WFP Executive Director (ED), other Senior Executives, external auditor and several IA activity staff. A review was also performed on the IA activity's risk assessment and audit planning processes, audit tools and methodologies, engagement and staff management processes, as well as a representative sample of the IA activity's work papers and reports.

OBSERVATIONS AND POSITIVE ATTRIBUTES

The IA activity environment where we performed our review is well-structured and progressive, where IIA Standards are understood and management is endeavoring to provide valuable and useful audit tools and implement appropriate practices. There is strong commitment from WFP Management and a recognition that OIGA is a trusted and valuable partner. In addition to the conformance to the IIA standards, the WFP Internal Audit Activity demonstrates a high level of effectiveness and maturity. The IA activity has significantly evolved in the years in scope for this engagement, in defining, implementing, measuring and improving its processes and practices. The IA activity effectively integrates information from across the organization, and is currently engaged in learning from inside and outside of the organization for continuous improvement.
Some successful practices observed were:

- Ongoing and recognized efforts by OIGA to provide added value to the Organization through the structured and transformative improvement of the Internal Audit Activity;
- Recognition and consideration by WFP Senior Management of the role of IA activity as a trusted and solid business partner;
- Identification of WFP Internal Audit 3-year Strategy to enhance the IA activity alignment and engagement with the Organisation to add value;
- Increase in provision of structured advisory services by the IA activity to the Organization, as well as an augmented demand for advisory services by management;
- Articulated Risk Assessment process performed with constant involvement of management and fine-tuned on a year-by-year basis;
- Fostering a collaborative environment, knowledge sharing and consolidation of best practices with audit staff through brainstorming and peer review meetings on the results of audit engagements;
- Effective development of IA staff, internal and external to OIGA, by structured efforts in addressing learning and development.
RECOMMENDATIONS

None.

Thank you for the opportunity to be of service to the World Food Programme. We will be pleased to respond to further questions concerning this report and furnish any desired information.

Lorenzo Fersurella, Certified Auditor
Partner and Team Leader, Deloitte Risk Advisory

Team Members:
Silvia Quartullo, CIA, CCSA
William Hay, CPA
ATTACHMENT A STANDARDS CONFORMANCE EVALUATION SUMMARY

WORLD FOOD PROGRAMME

Columns: Standard, GC, PC, DNC

OVERALL EVALUATION

ATTRIBUTE STANDARDS
1000 Purpose, Authority, and Responsibility
1010 Recognition of the Definition of Internal Auditing
1100 Independence and Objectivity
1110 Organizational Independence
1111 Direct Interaction with the Board
1120 Individual Objectivity
1130 Impairments to Independence or Objectivity
1200 Proficiency and Due Professional Care
1210 Proficiency
1220 Due Professional Care
1230 Continuing Professional Development
1300 Quality Assurance and Improvement Program
1310 Requirements of the Quality Assurance and Improvement Program
1311 Internal Assessments
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
1321 Use of Conforms with the International Standards for the Professional Practice of Internal Auditing
1322 Disclosure of Noncompliance

PERFORMANCE STANDARDS
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination
2060 Reporting to Senior Management and the Board
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Program
2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
2430 Use of Conducted in conformance with the
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2500 Monitoring Progress
2600 Management's Acceptance of Risks

IIA Code of Ethics
GC: Generally Conforms means the assessor has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard or element of the Code of Ethics in all material respects. For the sections and major categories, this means that there is general conformity to a majority of the individual Standards or elements of the Code of Ethics, and at least partial conformity to the others, within the section/category. There may be significant opportunities for improvement, but these should not represent situations where the activity has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives. As indicated above, general conformance does not require complete/perfect conformance, the ideal situation, successful practice, etc.

PC: Partially Conforms means the evaluator has concluded that the activity is making good-faith efforts to comply with the requirements of the individual Standard or element of the Code of Ethics, section, or major category, but falls short of achieving some major objectives. These will usually represent significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the activity and may result in recommendations to senior management or the board of the organization.

DNC: Does Not Conform means the evaluator has concluded that the activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives of the individual Standard or element of the Code of Ethics, section, or major category. These deficiencies will usually have a significant negative impact on the activity's effectiveness and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior management or the board.
ATTACHMENT B COMMENTS

Please note that the comments below are proposed solely as improvement suggestions for OIGA and shall not be considered as a deviation from the IIA standards.

- Timeliness of audit reports has represented an area of considerable improvement since the past QA, with the implementation of recommendations and efforts by management to discipline the process in an appropriate manner, including the preparation of a specific manual on reporting of audit engagements. Notwithstanding the above, and being mindful of the thorough consultation required for reports which will be publicly disclosed, timeliness of audit reports may constitute an area for further development, achieving early issuance and effective management of engagement reporting throughout the year, avoiding effort concentration near year-end;
- Audit Planning, including risk assessment, has witnessed noteworthy enhancements in the most recent years, with the roll out of an articulated and structured process in line with updated best practices concerning its development and reporting. All the same, it could be possible to envisage an opportunity to refine the standard resources/time approach to audit planning by fine-tuning it based on more comprehensive estimates of effort and resource allocation;
- OIGA's objectivity and independence are clearly recognized across the Organisation. The functional reporting relationship to the Executive Board, through its Bureau, the Audit Committee and within the Organisation would benefit from further clarity and formalization to solidify this independence;
- Resources for the IA activity have been stable in the last years. In the context of the Organization's dynamic business model, field based operations and risk environment, leading to an overall increase in risks, resources need to be regularly reassessed and discussed with the Executive Director and the Audit Committee to ensure satisfactory coverage of the risk universe, while maintaining the independence of IA;
- Prompt work paper uploading and archiving, if effectively accomplished, especially when working with co-sourced auditors, may allow an improved tracking of engagement progress and status, consolidating best practices internally in the OIGA.