Internal Auditing Consultative Forum

Establishing Effective Internal Audit – Principles of Good Practice

Gert van der Linde

Safari Park, Nairobi, Kenya

2 March 2004

Working for a world free of poverty

Poverty Reduction: Global Challenge

Of the 4.7 billion people who live in the 100 World Bank client countries:

3 billion live on less than $2 a day and 1.2 billion on less than $1 a day.

Nearly 3 million children in developing countries die each year from vaccine-preventable diseases.

113 million children are not in school.1.5 billion have no clean drinking water

Poverty Reduction: Africa Challenge

• 300 of 600 million people are in absolute poverty

• Low HD Indicators• HIV/AIDS: 20 million have

died, 30 million are infected and 12 million children orphaned

• Relatively Small Economies• 200 million directly affected by

conflict and violence• Heavily Aid Dependent• Limited Capacity

Callisto E. Madavo, RVP, Africa, January 2003

Four Pillars of AFR Strategy

Source: Can Africa Claim the 21st Century?

IMPROVE DEMANDFOR GOOD

GOVERNANCEAND

TRANSPARENCY

POST-CONFLICTASSISTANCE

MODELS(DRC, LICUS)

HIV/AIDS AND MAP

EDUCATION FOR ALL(13 OF 23

COUNTRIES)

DECENTRALIZEDSERVICE

PRODUCTION ANDTRACKING

BUSINESS CLIMATE,AGRIBUSINESS,SUPPLY CHAINS

INFRASTRUCTURE

TRADE AND EXPORT FOCUS

BUILD ON NEWPROCESSESS

(HIPC, CDF/PRSP,NEPAD)

GET RESOURCESTO PEOPLE(CDD AND

EXPENDITURETRACKING)

SLASH TRANSACTIONCOSTS OF AID!

IMPROVEGOVERNANCEAND RESOLVE

CONFLICTS

INVESTIN PEOPLE

IMPROVECOMPETIVENESSAND DIVERSIFY

ECONOMIES

REDUCE AIDDEPENDENCE

& STRENGTHENPARTNER-

SHIPS

Benchmark Description

"Close-fit or better" to GFS definition of general governmentExtra (or off) budget expenditure is not substantialLevel and composition of outturn is "quite close" to budgetBoth capital and current donor funded expenditures included

Functional and/or program information providedIdentified through use of classification system(e.g., a virtual poverty fund)

Projections are integrated into budget formulation

Low-level of arrears accumulatedInternal audit function (whether effective or not)Tracking used on regular basis

Reconciliation of fiscal and monetary data carried out on routine basis

Monthly expenditure reports provided within four weeks of end of month

Timely functional reporting derived from classification system

Accounts closed within two months of year endAudited accounts presented to legislature within one year

Comprehensiveness1. Composition of the budget entity2. Limitations to use of off-budget transactions3. Reliability of budget as guide to outturn4. Data on donor financingClassification

5. Classification of budget transactions6. Identification of poverty-reducing expenditure

Projection7. Quality of multi-year expenditure projections

Internal Control8. Level of payment arrears9. Quality of internal audit10. Use of tracking surveysReconciliation

11. Quality of fiscal/banking data reconciliation

Reporting12. Timeliness of internal budget reports

13. Classification used for budget trackingFinal Audited Accounts14. Timeliness of accounts closure15. Timeliness of final audited accounts

For

mu

lati

onE

xecu

tion

Rep

orti

ng

Budget Management

The HIPC Assessment Questionnaire

Source: “Actions to Strengthen the Tracking of Poverty Related Public Spending in Heavily Indebted Poor Countries (HIPCs), World Bank and IMF, March 22, 2002. See http://www.worldbank.org/hipc/hipc-review/tracking.pdf

(Percent of 24 countries not meeting each benchmark)

Conclusions & Results, March 2002 Board Paper

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15Benchmark

number:

Clo

se f

it o

r b

ette

r to

GF

S d

efin

itio

n

Dat

a on

don

or f

inan

cin

g

Cla

ssif

icat

ion

of

bu

dge

t

Pov

. Red

. Exp

. Id

enti

fied

Pro

ject

ion

s in

tegr

ated

into

bu

dg.

for

mu

lati

on

Low

leve

l of

arre

ars

Qu

alit

y of

inte

rnal

au

dit

(ef

fect

ive

or n

ot)

Reg

ula

r tr

ack

ing

Fis

cal &

mon

etar

y d

ata

reco

nci

led

Mon

th r

epor

ts

Tim

ely

fun

ctio

nal

rep

orti

ng

from

cla

ss s

yste

m

Acc

oun

ts c

lose

d w

ith

in t

wo

mon

ths

of y

/e

Au

dit

ed a

ccou

nts

to

legi

slat

ure

wit

hin

1 y

ear

Ou

ttu

rn c

lose

?

Ext

ra (

off)

bu

dge

t ex

pen

d.

ReportingExecutionFormulation

Effectiveness Considerations

True independence Have a good understanding of issues facing the organization Be responsive to management’s needs Be able to assess, advise and assure on the management of

key business risks Contribute to performance improvement Be proactive in communication with management Follow through on implementation of recommendations Match the skill set to the needs Use enabling technology and work smarter

Internal Audit Processes

• Annual Audit Coverage Planning

• Assignment Planning

• Risk Assessment

• Control Identification

• Control Assurance

• Reporting

Annual Audit Coverage Planning

• Determine audit universe

• Compile audit coverage plan

– Prioritisation and rating of areas

– Type of assignment e.g. Business process, Product, Branch audit, etc.

• Contract with line manager & SBU Exco

• Approval by Group Exco

• Approval by GACC

• Deliverable: Annual Audit Coverage Plan

Assignment Planning

• Preliminary review– Obtain background information of audit area

• Determine assignment scope & objectives– Risk Management Plan, Control Adequacy Evaluation,

Control Effectiveness Evaluation• Develop Assignment Planning Memorandum

– Sign-off by Line manager– Notification to / Sign-off by SBU Exco member– Sign-off by Audit Services Section Head

• Deliverable: Assignment Planning Memorandum

Risk Assessment

• Identify functional areas• Identify risk areas• Identify risks• Identify risk elements• Prioritisation of risks & risk elements

• Deliverable: Risk Profile

A “Risk Profile”

1314151617181920212223242526293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788

Probability0 1 2 3 4 5 6 7 8 9 10 11

1

2

3

4

5

6

7

8

9

10

11

0

Ser

iou

snes

s

TREASURY - AGRIS

Control Profile

6

13

2

1

4

5

3

9

8

Risk areas

12

107

11

Low Risk AreasMedium Risk Areas

High Risk Areas

1 - Implementation of trading strategy

2 - Marketing of products / services

3 - Market / product liquidity

4 - Obtaining of credit approvals

5 - Security documentation

6 - Management of counterparty exposures

7 - Dealing and pricing systems

8 - Quoting of rates9 - Trading10 - Income generation11 - Fee / commission

structure12 - Position revaluation13 - VaR / Sensitivity

Analysis

Control Identification

• Identify preventative controls• Identify contingent controls• Determine responsibility for controls

• Deliverable: Risk Management Plan

Control Assurance• Perform control adequacy evaluation

– Ensure existence of controls– Evaluate economy and efficiency of application

• Perform control effectiveness evaluation– Provide an opinion on the level of effectiveness

of adequate controls• Perform substantive testing

– To substantiate the impact where no controls exist

• Deliverable: Audit Findings

Reporting and follow-up• Present findings and recommendations• Obtain management responses• Rank findings, using standard rating tables• Compile an Executive Summary

– Critical and significant findings– Audit opinion on area audited

• Risk Management Plan– Detailed findings

• GACC reporting– Critical findings– Unacceptable audit opinion

• Follow up actions– Together with risk owners, monitored by SBU Exco

• Deliverable: Audit Assignment Report

Reporting Challenges

• 800+ audit assignments

• 5 Audit Committee meetings per year

• Different views and needs– Risk owners– SBU Management / Exco– Audit Committee

• The past, present and future

Security documentation: Controls to ensure timely collection of security documentation were found to be ineffective as a result of a inadequate information. (Rating: Significant)

Challenge – Maintain a “Control Profile”

1314151617181920212223242526293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788

Probability0 1 2 3 4 5 6 7 8 9 10 11

1

2

3

4

5

6

7

8

9

10

11

0

Ser

iou

snes

s

TREASURY - AGRIS

Control Profile

6

13

2

1

4

5

3

9

8

= Risk area6

12

107

11

Low Risk AreasMedium Risk Areas

High Risk Areas

1 - Implementation of trading strategy

2 - Marketing of products / services

3 - Market / product liquidity

4 - Obtaining of credit approvals

5 - Security documentation

6 - Management of counterparty exposures

7 - Dealing and pricing systems

8 - Quoting of rates9 - Trading10 - Income generation11 - Fee / commission

structure12 - Position revaluation13 - VaR / Sensitivity

Analysis

Fig.1 - CUMULATIVE % AUDIT ASSIGNMENTS RATED "ACCEPTABLE"

0%

50%

100%

150%

DIVISIONS

% A

CC

EP

TAB

LE

% ACCEPTABLE TARGET 75% 75% 75% 75% 75% 75% 75%

% ACCEPTABLE 2002/2003 97% 91% 97% 88% 0% 75% 100%

% ACCEPTABLE 2001/2002 97% 91% 100% 100% 90% 64% 100%

% ACCEPTABLE 2000/2001 69% 87% 63% 100% 100% 56% 100%

RETAIL BANKING

WHOLESALE BANKING

COMMERCIAL BANKING

FINANCIAL SERVICES

OTHER SUBSIDIARIES

GROUP ITGROUP

SPECIALIST SERVICES

Reporting to Audit Committees

Root Cause Analysis

0%

20%

40%

60%

80%

100%TOTAL

COMMERCIAL BANKING DIVISIONS

FINANCIAL SERVICES

GROUP IT

GROUP SPECIALIST SERVICES

OTHER SUBSIDIARIES

RETAIL BANKING DIVISIONS

WHOLESALE BANKING DIVISIONS

Policy Standards People Procedure Information Technology

Effectiveness Considerations

True independence Have a good understanding of issues facing the

organization Be responsive to management’s needs Be able to assess, advise and assure on the

management of key business risks Contribute to performance improvement Be proactive in communication with management Recommendations are implemented Match the skill set to the needs Use enabling technology and work smarter