WIPO Internal Audit Strategy
(Revised for 2010/11)
Introduction
This paper sets out the strategy for Internal Audit in the World Intellectual Property Organization (WIPO). The audit strategy has been developed by the Internal Audit and Oversight Division (IAOD), with the comments of the Director General (DG) and the Audit Committee.
The Purpose of the Internal Audit Strategy
The purpose of the internal audit strategy is to put in place an approach which enables the Internal Audit and Oversight Division (IAOD) to provide the DG, the Member States and other stakeholders with an independent and objective assessment of the Organization's business processes and systems, risk management, control and governance processes.
Audits are conducted in accordance with detailed audit plans, which are developed based on a bi-annual risk-based assessment of internal audit needs for the whole of WIPO. Risk-based audit plans will be subject to regular revision in order to be able to align with the strategic objectives of the Organization. Due emphasis will be given to compliance with policies/procedures and efficiency and effectiveness of operations and resource utilization. Audit needs are estimated for an initial four-year period. This will be based on a thorough review of WIPO business and other systems and processes. A risk assessment methodology/model has been developed (see the paragraph below) and is kept up-to-date as appropriate.
Know your Organization
In order to be able to produce value-adding audit reports, the Internal Audit Section will acquire a thorough knowledge of WIPO’s strategic goals, objectives, programs, systems, policies and procedures as well as its management structure. Furthermore, knowledge of major business processes and IT systems will be kept up-to-date.
The information gathered on an ongoing basis shall constitute one of the major sources for internal audit in identifying risks in auditable units, processes and systems which will be included in the audit plans.
Strategic Goals of Internal Audit in WIPO
The primary objective of internal audit in WIPO is to provide reasonable assurance and support the DG in his management responsibilities and to assist program managers in attaining the strategic objectives of the Organization. This is accomplished by providing objective, systematic and independent reviews of major business processes and systems as set out in the Internal Audit Charter as approved by the Member States in 2005 and revised in 2007.
In line with the set of strategic goals set for the Organization, the IAOD’s strategy and bi-annual work plans will be re-aligned to ensure that:
- due emphasis is put on the “operational efficiency and effectiveness” aspect in the detailed work plans to the extent possible;
- main WIPO business processes are reviewed to identify strengths, good practices as well as gaps and deficiencies and cost-effective, feasible recommendations are made to assist management in addressing these issues;
- audit support is provided to key management and governance initiatives (ERP, FRR, Internal Controls Exercise etc), recognizing that the responsibility for such initiatives rests with the management;
- in case of strong indication of any fraudulent activity found during an audit, sufficient audit work is performed to gather factual evidence and the supporting documentation is handed over to the Investigation Section for further examination if need be.
Risk management and Audit Needs Assessment Process
Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives. The establishment and maintenance of a sound risk management system is the responsibility of Senior Management in an organization which performs risk assessment activities as part of the ordinary course of business. Internal auditing professional standards require the audit function to monitor and evaluate the effectiveness of the organization's risk management processes. Internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board (General Assembly in WIPO’s case), to help identify emerging risks.
Management remains responsible for the determined level and extent of accepted risks, which is one of the major parameters of the risk management process. The risk acceptance process needs to be appropriately justified and documented. IAOD has regularly reported with concern to the DG, with a copy to the Audit Committee, on the lack of full audit coverage of major risk areas, with emphasis on high risks, which results in a high level of risk acceptance by WIPO Senior Management.
WIPO has not yet established an organization-wide Enterprise Risk Management (ERM) process based on which Internal Audit work plans could be developed. In line with the Institute of Internal Auditors’ (IIA) standards and good practice, IAOD has therefore carried out its own risk assessment with a view to identifying an Audit Needs Assessment (ANA) to maximize the effective and efficient use of limited audit resources by focusing on operational areas of high risk. The risk model developed by IAOD is based on good practice advisory suggested by the IIA. The ANA establishes the audit requirements needed to enable Internal Audit to provide reasonable assurance for all WIPO activities over a period of time (4 years initially) and to provide adequate assurance to the DG, the Member States and other stakeholders that the system of internal controls in place is effective and operating as intended.
All of the highest risks that have been identified should be audited at least annually to minimum defensible levels of assurance. For the purpose of identifying all high risk audit tasks, and the planning of assurance for lower levels of risk over a four-year period, a reliable risk assessment process is undertaken to identify the level of audit coverage and the resources necessary to meet this objective in the annual audit plans and programs.
Internal Audit will help WIPO management in developing its own enterprise level risk registers at corporate and program level which should be linked to the strategic goals of WIPO and monitored by the management on an ongoing basis.
The annual risk assessment process will take into account the following criteria:
- Materiality - High monetary value and/or volume of transactions;
- Insufficient past audit coverage;
- Degree of Organizational and Management Change;
- Essential functions;
- Financial exposure of the area being audited;
- Inherent risk of the area being audited;
- Existence of Fall Back Arrangements.
The risk assessment criteria are applied to each operational area/process to develop a risk factor for each auditable unit. The criteria being used for risk ranking are assigned a value from 1 to 5 and then sorted by significance to identify high audit areas in order of risk.
In addition to the criteria used above, the risk assessment process shall consider the following factors in finalizing the annual audit plan:
- Audit requests mandated by the General Assembly;
- Specific requests by the Director General;
- Specific internal audit work on which the external auditors may place reliance;
- Specific areas of high risk identified by the Audit Committee which need priority attention;
- Follow up on External Audit Reports;
- The audit needs for audit activities supporting the development of important new business systems like the new FRR, IPSAS, ERP etc.
Audit Coverage Methodology and Cycle
IAOD adopted the method of full audit coverage of the “Audit Universe” within a four-year cycle. It is worth underlining that in planning the time schedule for audits, the priority will be set in accordance with the ranking of each auditable area, the area of high audit concern being the top priority.
Based on the risk ranking, IAOD plans aim to cover all operational areas with the following frequency¹:
- High Risk Areas: Every year
- Medium Risk Areas: Every 2 years
- Low Risk Areas: Every 4 years
As historical data pertinent to the audit planning cycle was not available, IAOD decided to determine a four-year cycle starting from the biennium 2008-2009 for covering the current Audit Universe. The decision was made based on the fact that no internal audits were performed for the majority of auditable units/entities in the past and as a result, it is required to speed up the audit coverage of the audit universe.
The planned audit cycle will be reassessed and modified in the annual audit planning process to ensure that IAOD is in due course able to achieve the goal of auditing all operations at least once within the specific cycle.
Audit Resources Planning and Budgeting
The Director of IAOD develops and maintains a bi-annual resource allocation plan so as to help ensure the adequate audit coverage of the identified high risk audit areas of the organization. In doing so, the exchange of information and coordination of audit plans with the organization’s external auditors helps achieve better audit coverage and avoid any unnecessary duplication of work. Additionally, the Director may decide on the provision of services from external specialists where internal audit’s own resources do not suffice to provide effective and efficient audit coverage in the specific high risk areas.
The strategy for cooperating with the External Auditors will be based on IIA Standards and Practice Advice relating to internal audit work on which the external auditors may rely. This cooperation will:
- Contribute to the Internal Audit plan
- Be more economic than having external audit perform the audit themselves
- Be at the written request of the External Auditor
Areas where it is likely that outsourcing for resources will be used are:
- Information Systems (IS) audits
- Audit areas of high risk where in-house resources are insufficient
- Specialist advice for some of the developing system work.
A long-term resource allocation plan based on a thorough needs assessment for the same period allows for an effective and reliable assessment of the number of permanent audit staff necessary to deliver adequate audit coverage. Consequently, the Director of Internal Audit develops medium- to long-term resource needs assessments, including staffing, training and development aspects, and submits them to the Audit Committee and Senior Management for their review and approval.
In estimating the audit days required to deliver an effective audit assignment, certain factors need to be taken into account:
- Supervision time – all audit work is subject to appropriate management review and supervision to ensure quality control.
- Training time – adequate time for training ensuring that staff maintain and are equipped with requisite professional and other skills is essential.
- Follow-up time – Adequate time should be allocated for follow-up on whether management has acted on significant audit recommendations in a timely manner. This will be done in three ways:
  - At the start of each new audit, a review of the implementation of earlier recommendations will be undertaken.
  - Through the review and updating of the database set up for monitoring the “Implementation of Outstanding Oversight Recommendations”.
  - As a specific annual exercise to inform reporting on implementation of the Open Oversight Recommendations Report to the DG and the General Assembly.
- Contingency time – a certain period of time should be allocated for any unexpected issues which may arise during the course of the year.
- Management and administrative time – Allow sufficient time for support to the WIPO governing bodies, including the Audit Committee.
Conducting Audits
The WIPO Internal Audit Charter follows Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors (IIA) in performing audit assignments. Those standards were adopted at the 33rd meeting of Representatives of the Internal Audit Services of the United Nations Organizations and multilateral financial institutions (RIAS). Internal Audit Staff shall also abide by the Code of Ethics as established by the IIA, and generally accepted by the internal auditing profession.
As stated by the IIA standards, each audit assignment is comprised of planning, fieldwork, reporting of audit results and, after a reasonable period of time has passed, follow-up on the implementation of agreed-upon recommendations by the Management.
The Internal Audit and Oversight Division shall develop and amend as needed, in accordance with the IIA standards, an internal audit manual and other detailed guidance that will set out the methodology with which audit assignments will be conducted.
Types of Audits
The audit assignments which shall be undertaken by the IAOD include but are not limited to:
- Operational audits
- Financial Audits
- IT Audits
- Compliance Audits
- Management Audits
- Performance Audits
Additionally, IAOD will proactively perform reviews and give reasonable professional advice on controls and risks pertaining to systems and processes under development or recently introduced, to ensure that effective systems of internal controls exist and operate as intended with full audit trails. This could include inter alia the following ongoing/planned projects/systems:
- IPSAS Implementation and new annual financial reporting arrangements
- Enterprise Resource Planning (ERP) Project
- Implementation of Staff Rules and Regulations and New contractual structure and
- Review of Implementation of Financial Regulations and Rules
- Review of the System of Internal Controls and Governance Processes
- Controls Assurance Statement by Management
- New IT systems and IT outsourcing
Reporting of Audit Results
Audit results are communicated to the auditee in a closing meeting after the completion of fieldwork. This meeting is intended to clarify any issues which may need further explanation and help avoid any misperception or inaccurate conclusion which could be reflected in the draft report. After the review and approval of the Director, IAOD, the draft report, made up of audit observations and recommendations, is sent to the program manager of the audited program or activity for his/her responses within a reasonable deadline. In principle, final audit reports shall include comments of the audited program or activity. However, in the event that the audited program or activity fails to provide IAOD with its comments/feedback within the set deadline, audit reports are finalized without management responses and issued after having been reviewed and approved by the Director of the Internal Audit and Oversight Division. The final audit report shall be submitted to the Director General and copied to the Audit Committee and External Auditors and to other WIPO officials as deemed appropriate.
The Director of IAOD shall include in his annual summary report to the Director General with a copy to the Audit Committee and External Auditors, information on the Internal Audit Function’s activities, the schedule of audit work undertaken, progress on the implementation of recommendations including those made by External Auditors. The Summary Annual Report (SAR) will also include a reference to the major risk factors identified during the reporting period facing the organization. The SAR (July 1 to June 30) report on the Internal Audit’s activities shall be submitted to the General Assembly on an annual basis.
The Director of the Internal Audit and Oversight Division will also provide regular progress reports and/or presentations on the internal audit function’s activities to the Director General, Audit Committee and Program and Budget Committee.
Quality Control and Assurance
The Director of IAOD shall ensure that all audit staff are equipped with the necessary knowledge and technical skills in discharging their duties and responsibilities and that audit work is carried out in line with the professional practice of international auditing standards accepted by the UN System Organizations. To this end, a WIPO audit manual and detailed guidance, as well as standard documentation and procedures, have been developed and used since 2007.
In addition, internal quality control measures such as the adequate direction, supervision and review of each audit assignment will take place once the size of the Internal Audit Section allows for a two-level review and a separation between direction and audit management. The Internal Audit Function was evaluated by independent External Auditors in accordance with the IIA professional standards of internal auditing. Feedback received from this evaluation will be used by IAOD in completing its quality self-assessment exercise within three years. It is the strategic aim of Internal Audit to follow the procedures for Quality Assurance set out by the IIA and to have another external quality review in five years (and every such period thereafter). This exercise will be undertaken in accordance with the IIA standards for quality self-assessment as well as the Internal Audit Capability Model for the public sector organizations (IA-CM), developed by the IIA.
_______________________
¹ Given the current staffing and the number of unaudited high risk areas, in line with the recommendation by the External Auditors, IAOD has decided to suspend the implementation of the cyclical approach for full audit coverage until the staffing situation improves. IAOD will continue to outsource some of the high risk areas to third party service providers to be able to more effectively cover as many high audit risks as possible in “the audit universe”.


