European Commission IAS Conference 2011 Internal Audit Strategies and Successful Practices Brussels, 3 October 2011 Carman L. Lapointe Under-Secretary-General for Internal Oversight, United Nations

Outline Your United Nations at work Office of Internal Oversight Services Six Strategies for internal audit success OIOS Vision

Your United Nations at work

Your United Nations at Work Unique platform for international action and global engagement. Universal membership and inclusive decision-making of 193 member states. Unequalled reach. Provides critical services essential to peace, security, stability & prosperity.

United Nations Peacekeepers at work in Liberia (L) Ivory Coast (R) 99.6K uniformed; 19.5K civilians (14K local); 2.4K volunteers 2,914 Fatalities since 1948 in 65 operations Budget 2011 $7.8 Billion

WFP school feeding program in East Timor WFP food assistance 2010: 109 million people in 75 countries, Including Haiti (post-earthquake); Pakistan (post-flooding)

UN landmine assistance Kosovo 110 Million Landmines in 68 countries, and as many stockpiled 2,000 fatalities or serious injuries every month For every mine cleared, 20 are laid Used for terrorism and denying access to land, water, roads, utilities

UNHCR Refugee Camp Line-ups for UNHCR services

UN Election observers Côte dIvoire (L); Global youth sensitizing UN Security Council (R)

UN Development Programs Health care facility in Mongolia SG: Microfinance program for women in Bahrain

Emergency Operations in Haiti Cholera Vaccination for displaced families UNICEF/Danish Red Cross temporary school

UNICEF supported schools for Afghan girls

United Nations Office of Internal Oversight

Office of Internal Oversight Under- Secretary- General Internal Auditing Investigations Division Inspection & Evaluation 175 Posts (NY, Vienna, Nairobi, Peacekeeping Missions) 100 Posts (NY, Geneva, Nairobi, Peacekeeping Missions) 30 Posts in NY Executive Office Front Office OIOS % of regular Budgets, excluding XB

OIOS Vision and Mission Vision : A strong and accountable United Nations fortified by world-class internal oversight. Mission : Delivering objective oversight results that make a difference. Tagline : Keep the Promise!

Six Strategies for Internal Audit Effectiveness

IIARF 2010 CBOK: Are we prepared for whats next? Top 5 IA activities Operational Auditing (89%) 2.Regulatory Compliance (75%) 3.Financial Risks (72%) 4.Fraud and Irregularities (71%) 5.Control Frameworks (69%) Top 5 in next five years 1.Corporate Governance (23%) 2.ERM Process (20%) 3.Strategy vs Performance (20%) 4.Ethics Reviews (19%) 5.Social/Sustainability (19%) More use expected of technology (CAATs, data mining, continuous auditing, electronic workpapers) and risk-based audit planning

Strategy 1: Plan for comprehensive, complementary coverage Balance between vertical and horizontal audits confirms, informs risk assessments –Process audits help identify units, programs at risk –Unit audits help identify riskier processes Coordinate with other oversight functions to minimize duplication (e.g. external audit, JIU, ethics office, investigations, evaluation)

Strategy 2: Plan based on high residual risks Inherent risk-based audits should be the exception, where periodic assurance is critical Leverage the output of Enterprise Risk Management and other monitoring processes to supplement internal audit risk assessments Reduce planning information requests by using organizational level documentation & validate

Strategy 3: Reduce, reuse, recycle Manage scope creep: dont squander scarce resourcesours or our clients! Park important issues for audit planning Examine significant results immediately to determine whether problems are isolated or systemic: e.g. Haiti (cholera), DRC (air safety) Leverage key projects that will feed, supplement other audits (e.g. control environment, IT security) Review completed audit results from an alternate perspective to produce systemic theme studies to compel mgmt responses

Strategy 4: Self Assess IA Capacity Use the IIARF Internal Audit Capability Model to assess your capacity and maturity (IA and organization) Commit to a climbing plan Benchmark (GAIN and others), measure and share your progress regularly with staff, colleagues, Board, Management, stakeholders

Strategy 5: Consistently apply IA processes with discipline Conclude against both operational and control objectives for each engagement Use technology to track audit results by risk category and objectives to facilitate roll-ups and analyses Target should be overall, organization-level opinions Requires diligent follow-up, targeted variable frequency by criticality of deficiencies, quality of results Remember: significant residual risks at the engagement level not necessarily significant organization-level risks

IA Capability Model Levels LEVEL 5 Optimizing LEVEL 4 Managed LEVEL 3 Integrated LEVEL 2 Infrastructure LEVEL 1 Initial No repeatable capabilities – dependent upon individual efforts Sustainable IA practices IA mgmt & professional practices uniform IA learning from inside and outside the organization for continuous improvement IA integrates information to improve governance/risk mgmt IA-CM

Internal Audit Capability Model Matrix Services and Role of IA People Management Professional Practices Performance Management Relationships organization Governance Structures Level 5 – Optimizing IA Recognized as Key Agent of Change Leadership Involvement with Professional Bodies Workforce Projection Continuous Improvement in Professional Practices Strategic IA Planning Public Reporting of IA Effectiveness Effective and Ongoing Relationships Independence, Power, and Authority of the IA Activity Level 4 – Managed Overall Assurance on Governance, Risk Management, and Control IA Contributes to Management Development IA Activity Supports Professional Bodies Workforce Planning Audit Strategy Leverages Organizations Management of Risk Integration of Qualitative and Quantitative Performance Measures CAE Advises and Influences Top-level Management Independent Oversight of the IA Activity CAE Reports to Top-level Authority Level 3 – Integrated Advisory Services Performance/Value- for-Money Audits Team Building and Competency Professionally Qualified Staff Workforce Coordination Quality Management Framework Risk-based Audit Plans Performance Measures Cost Information IA Management Reports Coordination with Other Review Groups Integral Component of Management Team Management Oversight of the IA Activity Funding Mechanisms Level 2 – Infra- structure Compliance Auditing Individual Professional Development Skilled People Identified and Recruited Professional Practices and Processes Framework Audit Plan Based on Management/ Stakeholder Priorities IA Operating Budget IA Business Plan Managing within the IA Activity Full Access to the Organizations Information, Assets, and People Reporting Relationship Established Level 1 – Initial Ad hoc and unstructured; isolated single audits or reviews of documents and transactions for accuracy and compliance; outputs dependent upon the skills of specific individuals holding the position; no specific professional practices established other than those provided by professional associations; funding approved by management, as needed; absence of infrastructure; auditors likely part of a larger organizational unit; no established capabilities; therefore, no specific key process areas

Strategy 6: Compelling,consumable reports Short, concise, compelling results with target audience in mind Include a rated, overall opinion to communicate significance of results, and follow up accordingly Eliminate irritating language Lead by example, (if the shoe fits…)

THANK YOU