Risk Internal Controls - Analytical Framework
Version: 31 October 2024
Element Deliverable Integrated Coordinated Independent Responsible Approver(s) if relevant Target Date Status Status Notes Challenges for integration

Risk and internal controls framework Refining of the co-developed global risk framework, risk appetite and risk policy drafts to reflect agreed ICI way forward A framework will be adopted across the partnership to harmonize how risks are identified, assessed, and managed, ensuring consistency and alignment for risk management and internal controls. The risk management and internal control frameworks will outline the purpose and objectives of risk and internal controls and how CGIAR will utilize internationally accepted standards and frameworks like the ISO 31000 International Standard. The ICI Forum's Risk Management Working Group. Centers Boards and the IPB, with endorsement from AFRC's and the AOC. By 1 March 2025 Under development Draft global risk framework co-developed by Risk CoP It is necessary to review the materials that are currently available and adapt them to the reality of the partnerships; the approval of the boards of directors is necessary. Risk Appetite model Centers/SO Executive Management and Center Boards present global risk framework, risk appetite model and set appetite levels (thresholds) for the Center/SO using the global model and different categories defined. An Integrated Partnership’s risk appetite will be defined, ensuring that risk management and internal controls are aligned with the level of risk the partnership is willing to accept, guiding decision-making and control prioritization. It is proposed that entities adopt a co-developed risk appetite model. Centers may then customize their specific risk appetite thresholds and tolerance across various domains commonly agreed, thereby fine-tuning their risk appetite statements using the commonly agreed model.
The Risk Management Function (comprised of the Risk Management Executive and Center Leads of Risk) Centers Boards and the IPB, with endorsement from AFRC's and the AOC. By 1 March 2025 Under development Draft global Risk Appetite co-developed by Risk CoP Resources needed to implement, train and support. Currently available on voluntary basis Risk and Internal Controls Policies CGIAR’s global risk policy presented to IPB for approval (Centers’/SO risk appetite models as appendix) - Comprehensive high-level policies based on international standards are proposed to outline roles, responsibilities, and processes for managing risks and implementing controls, providing clear direction for both functions to operate cohesively. Entities are expected to adopt global risk and internal control policies while allowing flexibility for local adaptation. This will create alignment across the different entities while respecting the local operational context. The development of the common Risk Management policy will be inclusive, transparent, and consultative with all members of the Integrated Partnership invited to participate and contribute. Centers may then develop supplemental policies, procedures, and guidelines which prescribe in more detail local adaptation processes respecting the local operational context. Risk Management Function Centers Boards and the IPB, with endorsement from AFRC's and the AOC. By 30 April 2025 Under development Draft global Risk policy co-developed by Risk CoP Resources needed to implement, train and support. Currently available on voluntary basis Issuance of Risk Management and Risk Assessment Guidelines Risk Management Function IPB AFRC - Center AFRC By 31 December 2024 Under development Work in progress for Risk. Resources needed to as well as implement, train and support. Currently available on voluntary basis Development of training material Risk Management Function N/A By 25 April 2025 Under development Work in progress for Risk. 
Resources needed to as well as implement, train and support. Currently available on voluntary basis Delivery of training on global guidelines Risk Management Function N/A By 31 May 2025 Under development Work in progress for Risk. Develop harmonized controls standards (HMCS) to use as a benchmark across all entities to manage critical business cycle risks (i.e. for procurement, grants, project management, financial reporting and other) Risk Management Function IPB AFRC - Center AFRC By 31 October 2025 Under development Work in progress for Risk. Resources needed to as well as implement, train and support. Currently available on voluntary basis Develop harmonized controls standards (HMCS) to use as a benchmark across all entities to manage critical business cycle risks (i.e. for procurement, grants, project management, financial reporting and other) Risk Management Function IPB AFRC - Center AFRC By 31 October 2025 Under development Work in progress for Risk. The Risk CoP has already developed a template as minimum standards Work had started with 3 Centers that volunteered to be a pilot to understand key risks and business cycles but stopped due to lack of resources.
Resources needed to design an Internal Controls and compliance Matrix for Reporting implement, train and support Entities align own processes to global framework, policies and internal control matrix Risk Management Function IPB AFRC - Center AFRC By 31 December 2026 Under development As above Resources needed to design an Internal Controls and compliance Matrix for Reporting implement, train and support Monitoring and Reporting Entities to agree on reporting arrangements * Set Monitoring Objectives * Define Monitoring Activities (Control Testing, Regular Risk Assessments, KRIs, Incident Log) * Define Frequency and Responsibility * Define Review Procedures * Develop Report formats and escalation procedures Dynamic risk and controls monitoring and reporting through standardized processes and tools to provide real-time insights into risk exposure and control effectiveness. This is necessary to ensure that we focus on the most relevant risks in a prioritized manner at CGIAR partnership level. Aggregate reporting of information will be compiled by the Integrated Partnership Risk Management Function. Centers/SO maintain the independence to report to their AFRCs risks that are specific to their centers and that respond to operational and local realities. Risk Management Function IPB AFRC - Center AFRC By 28 February 2025 Under development Risk reports are aggregated at summary level by the Centers for reporting to the relevant AFRC. 13 risk categories have been aligned to facilitate interpretation and harmonized reporting by the Centers.
Budget for risk and assurance tool needed Resources needed to implement, train and support Automation, data analytics and tools Risk and assurance tool selected (based on agreed scope of automation) Risk Management Function By 1 April 2025 Not Started Draft request for proposal developed by Risk, IC, IA and D&D workgroup Budget for risk and assurance tool needed Resources needed to implement, train and support Automation, data analytics and tools Implementation of harmonized risk management and risk assessment process supported by the risk and assurance tool Risk Management Function By 31 December 2025 Not Started Draft request for proposal developed by Risk, IC, IA and D&D workgroup Budget for risk and assurance tool needed Resources needed to implement, train and support Budgetary Considerations *Separate fixed and variable costs *Classify estimated expenses by category * Review budget allocation and availability Cost sharing across entities (for people, processes, tools). Shift to a model where entities operate through formal risk function rather than the current voluntary approach. This would ensure each legal entity contributes to an aggregated capacity, allowing for shared resources and standardized tools. All CGIAR members contribute staff time resources and associated operational costs to support the activities of the Risk Management Function. Center will continue to cover the costs of their risk management functions which may be undertaken by risk leads, finance, quality assurance, or compliance officers. EMD & DG's EMD & DG's 6 to 9 months, following or in parallel with the approval of the framework. Not Started Not started Roles & Responsibilities *Develop a RACI Matrix The aim would be to maintain a light team responsible for coordination at the partnership level, with a focus on quality assurance and compliance, ensuring strong connections to the Integrated Partnership Board and other governing bodies. 
Not Started Not started Leverage automation and data analytics to enhance the efficiency of risk management and internal control activities through the implementation of a common risk and assurance tool across the partnership. Automated dashboards can track changes in risk metrics and provide appropriate alerts. Leveraging automation and data analytics will enhance the efficiency and effectiveness of risk management and internal control activities. The Centers/SO will maintain databases of their own risks and their mitigation actions. Risk and Internal Controls Guidelines Detailed guidelines will be established to translate policies into actionable steps and support the consistent application of risk management and internal control processes across all Centers/SO. Develop harmonized controls standards (HMCS) to use as a benchmark across all entities to manage critical business cycle risks (i.e. for procurement, grants, project management, financial reporting and other) The guidelines detail key requirements, while a certain degree of tailoring is expected to occur, considering entities’ specific circumstances concerning their operations and the risks they face. Risk and Internal Controls Assessment A consistent assessment process is proposed for identifying risks and evaluating control effectiveness; it will capture risks at the partnership level under the leadership of the GLT. The identification process, strategy, and assessment will be standardized across the Integrated Partnership, ensuring consistency in the information reported. The main elements for the identification and assessment are taken from ISO 31000. For any major risk that may affect the partnership, the IPB, as the governing body supported by the partnership AFRC, is responsible for ensuring that CGIAR has in place appropriate risk management and internal control systems and practices and for determining the nature and extent of risk it is willing to take for CGIAR to achieve its strategic objectives.
For internal controls, the Internal Control function should review key business processes, identify key risks, and design control standards that each entity should follow to ensure effective mitigation of risks. A targeted Internal Control Framework is designed for CGIAR. Management of risk and controls remains the responsibility of the Centers/SO. Centers’ AFRCs will oversee the efficiency and effectiveness of risk management, internal compliance, and control systems and make recommendations to the Center Boards as required. Still, each entity will conduct its internal control analysis and assessment and use the Global Internal Control Risk Matrix as a standard for comparison. A periodically integrated independent assessment of key controls will be implemented. Entities commit to developing a continuous improvement program where deficiencies and significant deviations from global standards are noted.

Ethics Business Conduct - Analytical Framework
Version: 31 October 2024
Element Deliverable Integrated Coordinated Independent Responsible Approver(s) if relevant Target Date Status Status Notes Challenges for integration

- All centers/SO to engage a common service provider for external reporting hotline (whistleblower mechanism) All Centers and the SO currently use Lighthouse services as a provider for an external reporting hotline. EBC leads at Centers/SO Centers Boards Completed Completed Existing reporting hotlines provide a basis for further harmonization & integration All Centers and the SO have internal reporting mechanisms for EBC Compliance reporting All Centers provide multiple pathways to report misconduct, including but not limited to through supervisors, HR Managers, legal counsel, compliance officers, and confidential reporting hotlines. These cases are managed by Center/SO compliance committees (or equivalent), and periodic reports provided to the relevant AFRC.
EBC leads at Centers/SO AFRC Completed Completed Existing reporting structures provide a basis for further harmonization and integration. - All centers to engage a common service provider expanding external report intake to include triage and case management. - Dashboard for restricted access aggregate reporting developed. Common EBC Policies will indicate that reports can be made through various confidential channels, which are outlined in the Reporting Mechanisms section of the policies (to supervisors, HR Managers, Legal Officers, Compliance Officers, and External Reporting Hotlines). Aggregate summaries of reports will be compiled by the IP-EBC function through a dashboard available to Senior Leaders and Governance Officials. Common Policies will continue to provide for reporting external to the relevant member organization (such as to the IP-EBC Executive) if the reporter has reasonable grounds to believe that reporting internally would not address imminent public harm or legal violations. Use of Lighthouse will be expanded to include triaging of reports, and a common case management system. Reporting of misconduct will be managed through the relevant CGIAR member's designated internal processes and systems, protecting confidentiality, legal remedy, and due process. The IP-EBC Function (comprised of the IP-EBC Executive and Center Heads of EBC) Centers Boards and the IPB with endorsement from AFRC's. No later than 31 July 2025. 6 to 9 months to implement triaging and case management through Lighthouse services (or a similar provider) following the adoption of common policies. All centers currently using Lighthouse services as an external reporting hotline option. EBC reports are aggregated at the summary level by Centers and the SO for reporting to the relevant AFRC. This will continue to help identify trends and manage partnership-level issues, and a common understanding will be ensured through the development of the escalation framework.
Center/SO management and governing bodies will retain disciplinary capacities as the legal and employing entities; as such, there can be no higher level decision authority or escalation mechanism for appeal. EBC issues have a high probability of litigation - as such confidentiality must be protected and information shared with secure guardrails to avoid transfer or creation of liabilities for System Council Members. CGIAR SO and all Centers review existing EBC Policies All Centers and the SO have existing EBC related policies guiding the expected behaviors of their organizations and identifying misconduct, avenues to report it, and consequences. EMD and DG's Boards Completed Completed The existing policies will form the basis for harmonized policies that provide for objectivity, transparency, and confidentiality in how investigations are undertaken and cases are managed. EBC Policies working group to review and revise EBC-related policies for submission to all Boards Fit-for-purpose system/partnership-wide Ethics & Business Conduct policies will be submitted to the Boards for approval by the end of 2024, enabling the harmonization, standardization and consistent operationalization of processes, procedures, and guidelines. The policies will reflect global standards and best practices and apply to all CGIAR Center and System Organization staff. The 4 policies prioritized for revision and adoption are: - Code of conduct - Whistleblowing and Protection from Retaliation - Protection Against and Prevention of Harassment and Discrimination - Safeguarding Policy - Protection Against and Prevention of Sexual Misconduct, Exploitation and Abuse, and Human Trafficking. The development of Common EBC related policies will be inclusive, transparent, and consultative with all members of the Integrated Partnership invited to participate and contribute.
Centers may then develop supplemental policies, procedures, and guidelines which prescribe in more detail local processes as well as country and Center level regulatory compliance obligations The ICI Forum's Ethics & Business Conduct related policies Working Group. Centers Boards and the IPB, with endorsement from AFRC's and the AOC. No later than 31 December 2024. A maximum of 3 months to review and revise the existing policies and submit them for endorsement and the consideration of all Boards for approval, and subsequently the System Council. Working Group convened and policies reviewed in October to identify key issues and concerns for revision. Policies have been approved by the SC and have been adopted by some centers, but these were not developed in consultation with all centers and no process was in place for them to be reviewed and adopted by all Centers. The existing policies offer an excellent starting point for developing policies that can be adopted by all governing bodies. There is a need to review the existing CGIAR EBC policies and compare them with existing policies and then identify the modification required to ensure the CGIAR policies can become common policies adopted by all. Escalation and Monitoring EBC Policies to develop escalation and categorization framework for submission to all Boards (with endorsement from AFRC & AOC) The ICI Forum will develop a CGIAR Integrated Partnership Ethics & Business Conduct Categorization and Escalation Framework, in parallel with ethics related policies, specifying what types of matters are escalated by whom, to which levels (including the AOC), what information is to be included to ensure the protection of confidentiality, human rights, the appropriate legal remedies within each legal entity, and due process. 
The CGIAR Integrated Partnership Ethics & Business Conduct Escalation Framework will describe how compliance reports related to Senior Leaders and Members of Governing Bodies (SC, IPB, Center Boards, IPB-AFRC, Center AFRC, and AOC) Governance Officials will be investigated, reported, and overseen. The escalation framework will be submitted for approval by Center Boards, and the IPB, with endorsement from the IP-AFRC and AOC. Aggregate reporting of summary information will be compiled by the Integrated Partnership EBC Function Databases of incident reports, triaging, assigning investigators, and detailed findings reports will be maintained by Centers. The IP-EBC Function (comprised of the IP-EBC Executive and Center Heads of EBC) The escalation framework will be submitted for approval by Center Boards, and the IPB, with endorsement from the IP-AFRC and AOC. No later than 31 December 2024. 3 months, in parallel with the approval of common policies. Under development Building on existing governance reporting mechanisms on EBC allegations through Center AFRC's to the IP AFRC - IPB and finally to the AOC-SC It is necessary to develop a framework that can be agreed to by all to provide a common understanding, describing how and when issues or information are escalated and to what level of detail. The information must be kept confidential, so limited details, aggregated reporting that protects anonymity, particularly of the person reporting the incident, and those against whom claims have been made (that may not be substantiated), must be carefully incorporated into any system. Centers and the SO allocate sufficient resources for EBC costs specific to their organizations The SO and Centers all have resources allocated to cover the cost of EBC roles and costs relevant to their organization, so some sharing capacity and co-financing based on their size and needs.
EMD & DGs AFRC / Boards Completed Completed Considerable resources are invested across the integrated partnership to manage EBC related issues - which will support implementation of the R&O Plan. R&O Plan budget incorporated cost estimates approved for funding to recruit new required roles. At the Integrated Partnership Level, resource requirements will be defined by the roles indicated in the final approved policies, but will include an EBC Executive to set quality standards, support the Integrated Partnership EBC Function, organize training and continuous improvement, and conduct quality control of EBC processes. The Integrated function will also be responsible for maintaining a list of pre-approved service providers for third-party independent investigations in jurisdictions where the partnership operates to manage serious allegations including those made against management or governance officials. All CGIAR members contribute staff time resources and associated operational costs to support the activities of the EBC Function Centers will continue to cover the costs of internal EBC functions which may be undertaken by EBC Heads, HR, Legal, or compliance officers. EMD & DG's EMD & DG's No later than 31 December 2024. Budget must be available 1 Jan 2025 to initiate recruitment and onboarding of staff (if needed). The Partnership EBC Executive ToR to be developed and recruitment initiated following approval of the R&O Plan An existing CGIAR EBC office is currently resourced to provide advisory services, support investigations, develop policy, conduct training, support research ethics, and ESG issues. These services can be evolved Availability of approved budget in relation to estimated costs.
EBC Heads of Focal Points identified for Centers and the SO Each entity identifies focal points for managing EBC EMD & DG's EMD & DG's Completed Completed External Expert Consultants, and Independent law firms identified by each member of the Integrated Partnership to undertake EBC related investigations External Expert Consultants, and Independent law firms identified by each member of the Integrated Partnership to undertake EBC related investigations Completed Completed Develop the ToRs and recruit/select/appoint the: - EBC Executive - EBC Function - EBC Assurance Expert Consultants - Third-party Law Firms for independent investigations At the Integrated Partnership Level, develop the ToR for the EBC Executive in accordance with the Risk & Oversight Plan, as well as the ToR for the EBC Function comprised of the EBC Executive & Center EBC Heads. Once the EBC Executive and EBC Function are in place, develop a roster of external EBC expert consultants as well as third-party/independent law firms to conduct escalated investigations of misconduct - drawing from capacities already identified across the Integrated Partnership and building out where there are gaps. Center EBC Heads which may be specific EBC staff, legal counsel, HR Managers, or other compliance officers, supported by compliance committees. EMD & DG's AFRC (For EBC Executive) EMD for EBC Function ToR ToR Complete no later than 31 December 2024, recruitment complete and EBC function convened no later than 30 April 2025. The foundation exists with EBC focal points and compliance committees already operating within Centers, and the CGIAR EBC team operating under the SO. Existing roles and ToR's will be reviewed and refined to align with the Risk & Oversight Plan. Common policies are being revised to ensure adoption by all parties - which will enable the EBC function to operate in a standard, consistent, and transparent manner.
The EBC policies WG is aligning well on revisions to existing policies, in order to ensure they are adoptable by all Boards to enable harmonization and integration of the EBC function at the partnership level. The escalation framework is seen as a key challenge to overcome the lack of common understanding of what issues constitute partnership level risks, who they are escalated to, what information is shared, and how confidentiality, due process, and legal remedies are protected to avoid the transfer of liabilities to the SO, IPB, or SC. Reporting Mechanisms Ethics Policies Budgetary Considerations Roles & Responsibilities

External Audit - Analytical Framework
Version: 31 October 2024
Element Deliverable Integrated Coordinated Independent Responsible Approver(s) if relevant Target Date Status Status Notes Challenges for integration

All centers use the current version of FG3 as their basis for drafting their letters of engagement for auditors. All of the current auditors are compliant with IFAC. They are either Big 4 or one of the top 10 auditors All centers currently use the current version of FG3 as their basis for drafting their letters of engagement and the type of auditors they choose. All of the current auditors are compliant with IFAC. They are either Big 4 or one of the top 10 auditors Directors of Finance AFRCs endorsing to Boards for approval Completed Completed FG3 is currently in use by all Centers and was established in 2001. All Centers prepare annual financial statements based on IFRS (with exception of IFPRI who is required to prepare according to US GAAP). A common TOR has been developed that will be shared with the CSEs and AFRCs for comments.
Approval and adoption of revised FG-3 (financial guideline 3) on selection/conduct of audits Financial Guideline 3 (FG3) to be revised to incorporate the latest International Standards on Auditing for EA - including the section on selection/conduct of audits by the Corporate Service Executive (CSE) Community of Practice (CoP), for adoption by all CGIAR Members The CSE COP will support the IPB-AFRC to update, rollout and achieve adherence for FG3. The IPB and IPB-AFRC remain responsible at the system level. The Board and the center level AFRC are responsible for implementation in each center. AFRCs endorsing to Boards for approval No later than 30 June 2025 - The TORs can be accepted and rolled out before the second quarter 2025 ensuring that all centers have a common TOR from 2025 audits To be completed Current FG3 guidelines will be the basis, revision in accordance with applicable global standards Audit Terms of Engagement Approval and adoption of a standard letter of engagement for auditors A common Terms of Engagement will be used by all centers. The development will involve the CSE COP, and discussion with other stakeholders including Center and Partnership AFRC. The common terms can have additional clauses for some centers if required by local legal requirements or operational requirements. Each of the centers may have specific needs due to local regulations. They will be added to the common letter of engagement without making any changes to the common terms. Boards of the centers and the IPB The Board of the centers and recommended by the Center AFRC. IPB for the system and IP-AFRC will recommend for the system No later than 30 June 2025 - Ready for annual financial statements in 2025 Each of the centers currently uses letters of engagement that are quite different from each other. They are more center specific rather than driven by legal requirements. This was one of the challenges that stopped the system from getting a single auditor in 2023.
A common letter of engagement in draft form has been created and will be reviewed by the CSE COP to standardize the documents. Some specificities required to respond to Center-specific risks/previous audit recommendations, but ~80% of template could easily be adhered to Contracting of audit firms by Centers using a common policy and terms of engagement All existing External Auditors of the centers will adopt the common letter of engagement All center Auditors will change their audit plans based on the requirements of the new letter of engagement. There may be some additional requirements that the center may have based on local regulations. These will be added as an addition in the letter of engagement Boards of the centers and the IPB The Boards of the centers and recommended by the Center AFRC. IPB for the system and IP-AFRC will recommend for the system No later than 30 June 2025 The centers will have standardized TORs and engagements for 2025 Audit All centers currently contract the audit firms based on their own letters of engagement Aggregation of Financial statements Centers will prepare financial statements in a common format to be audited by the external Auditors in addition to the Center Financial statements. The audited common format numbers will be used for aggregation at the system level. A common format for Financial statement will be prepared and shared with all centers. IP AFRC and IP IA executive No later than 31 March 2026 Common financial statements were prepared earlier and were later discontinued once IFRS was implemented and OneCGIAR was initiated. The common formats used at that time can be used as the basis for the new statement structure and details. There may be differences in how IFRS has been implemented or the use of GAAP in IFPRI. This may create challenges in aggregation of information.
The challenges identified will help in identifying alternative approaches to undertake the aggregation of data as well as the roll-out of a single audit firm for the system. Tri-Center pilot of use of single firm - completion of procurement The common letter of engagement and FG 3 will help in creating the RFP. A common auditor will be chosen based on the quotes received by the three centers. Board of IRRI/IWMI/WorldFish Board of IRRI/IWMI/WorldFish No later than September 30, 2025 All three centers share a Chief Operating Officer and have a process of integrating policies and systems currently underway The three centers currently have three different external audit firms. An RFP will be done in 2024 to move to a single audit firm Cost and cost sharing and the differences in impact on each center. This experience will help inform the model for the single audit firm procurement for the whole system Single Audit firm for Alliance Alliance uses a single audit firm for the two entities. Board of Alliance Board of Alliance already underway The centers have a common management structure. Alliance has a common auditor for the two entities. The way the audits are managed will help the process of single auditor for the system Preparing the Procurement documents for Procurement of single auditor based on lessons learned Based on the lessons learned from the 2023 RFP, the Tri-center Pilot, and the Alliance single audit firm experience, as well as lessons from the aggregation of financial statements, an RFP or a procurement process will be designed. A common procurement process will be prepared using the updated FG-3, and common letter of engagement. A system-wide procurement team will work to undertake this process. DGs of Centers Boards of Centers No later than 31 August 2026 Change in External Audit markets, sanctions on auditors in some countries and differential costs impacting different centers. Overall there will be an increase in cost.
Contracting of single audit firm for the whole system Procurement process for single firm for all Centers/SO based on lessons from pilot approaches A common procurement is undertaken by all centers using FG-3 and the letters of engagement as the basis of the engagement. Depending on the lessons learned from the tri-party pilot, the negotiation may happen at the regional level, e.g. for Asia, Americas and Africa separately. There may be some additional requirements that the center may have based on local regulations. These will be added as an addition in the letter of engagement AFRC of each center along with the IP-AFRC Boards of the centers and the IPB for system. No later than 31 March 2027 There will be an increase in cost of operations. There needs to be centralized funding for these cost increases, otherwise there will be an increase in OH cost which will be detrimental for funders, system and the centers. Budgetary Considerations There will be a budget increase for the center with differing impact for each center. There needs to be a process by which the OH of centers does not increase A budget method will have to be developed where increases in cost faced by the centers are addressed in order to not create additional OH costs for the centers leading to lack of efficiency and competitive capacity. No later than March 31 2026 - A mechanism will be created by which the budgetary impacts will be managed Each legal entity is required to produce its own financial statements and contract an auditor - that contracting cannot be undertaken by one entity on behalf of another Roles & Responsibilities CSE COP reporting to the ICI Forum will prepare the updated FG3 and the Letters of engagement. Each Board and IPB will ensure that the External Auditors are hired based on the FG-3 and the Letter of engagement and then by 2026 ensure that by 2027 a single external audit firm for the whole system is hired.
Contracts and TORs for auditing firms will be made consistent using templates, with the ability to add additional Center/location specific requirements to comply with local regulations. The Contracting of Audit firms has to be done by each center. Therefore each center will sign their own contracts using similar audit policy, and Terms of Engagement. CSE CoP AFRC's endorse for Board Approval The process will start immediately with the single auditor hired by 31 March 2027 Each legal entity is required to produce its own financial statements and contract an auditor - that contracting cannot be undertaken by one entity on behalf of another Testing and Piloting of single auditor in the centers Audit Guidelines Internal Audit - Analytical Framework Version: 31 October 2024 Element Deliverable Integrated Coordinated Independent Responsible Approver(s) if relevant Target Date Status Status Notes Challenges for integration Integrated Partnership Assurance System wide thematic audit engagements as approved through the IPB-AFRC by the IPB, managed by the Chief Audit Executive ai, and are conducted as an integrated team of CGIAR Internal Audit professionals led by experts drawn from the Internal Audit Functions. Completed This is the current practice for System wide Internal Audit Engagements Determining the resource allocation between the Internal Audit functions to ensure a balanced work load across the system CGIAR Internal Audit Community of Practice, consisting of the heads of Internal Audit from across the system that report on the system wide trends, overall audit universe, risk assessments from across the partnership. Completed The community of practices of Heads of Internal Audit has been an active group in the CGIAR for over 20 years.
The formalization of the Integrated Internal Audit Function System wide internal Audit Function, consisting of the heads of Internal Audit from across the system that report on the system wide trends, overall audit universe, risk assessments from across the partnership. IP-Internal Audit Executive Q3 2025 Further strengthening of Internal Audit Function to ensure accountability Various internal audit functions have existed across the CGIAR going back more than 20 years. Currently 3 shared service models of delivering Internal Audit services exist, including Audit Asia (IRRI, IWMI, WorldFish, and World Vegetable Center), Audit TRA (CIP, Alliance, IFPRI), Shared Audit services for IITA and AfricaRice. System Office, CIMMYT, ILRI, ICARDA, and ICRISAT all have independent Internal Audit Functions Center AFRCs and IPB-AFRC Completed Internal audit shared services already exist across the CGIAR and have existed for 20+ years Optimization of Internal Audit Service Delivery Review opportunities to integrate more of the internal audit technical experts into a shared service delivery model at the CGIAR level Continue to optimize Internal Audit Shared Services across the CGIAR to align more centers to the shared service model Center and SO Management Center AFRCs and IPB-AFRC Q4 2025 Further strengthening and optimization of delivery model will take place by December 2025. Optimization of existing internal audit teams and designing the optimal structure. Provide knowledge, learning, and capacity building guidance, to support the CGIAR's goal of operating in an environment of continuing learning and improvement regarding the reliability, consistency and effectiveness of center internal audit activities.
Completed The Professional Practice Unit was established in 2014 followed up by the Internal Audit support Service in 2018 Optimization of Integrated Internal Audit Support Services Provide knowledge, learning, and capacity building guidance, to support the CGIAR's goal of operating in an environment of continuing learning and improvement regarding the reliability, consistency and effectiveness of center internal audit activities. Integrated Partnership Internal Audit Function Q4 2025 Further strengthening and optimization of delivery model will take place by December 2025. Optimization of existing internal audit teams and designing the optimal structure. Integrated Planning & Methodology Integrated Internal Audit Support Services develops and provides training for use of best practices for planning and methodologies for providing Internal Audit Services across all the CGIAR Audit Functions. This team leads on risk-based planning, developing audit strategies for engagements (risk assessments, planning, work plans). Completed These services are currently provided but at a smaller scale. Further strengthened by Q2 2025. Determining the return on investment for a dedicated team vs. utilizing experts across the Internal Audit Functions of the CGIAR to supplement this area. Internal Audit Function Technology The Integrated Internal Audit Support Service has supported the CGIAR Internal Audit Function with the use of technology and data to upgrade audit delivery. Since 2014 the CGIAR has been using the same Audit Management Software across Internal Audit Functions along with data management software and knowledge management software through Gartner. Completed These services are currently provided but upgrades may be necessary. Further upgrades to audit software and data management tools using AI and the latest technology Q4 2025 Determining the return on investment for new software and technology platforms.
Integrated Strategic Advisory The System wide Internal Audit Function, led by the Chief Audit Executive ai of the CGIAR, provides advisory services and engages with strategic initiatives as approved through the Integrated Partnership Board AFRC by the IPB. Completed The current practice is for the CGIAR Chief Audit Executive ai to manage the advisory audits conducted by expert members of the center Internal audit functions. Determining the resource allocation between the Internal Audit functions to ensure a balanced work load across the system Collaboration with other Assurance Functions Internal Audit Functions of the CGIAR actively collaborate with other functions within the CGIAR to strengthen the level of assurance they deliver. This includes partnering with the Risk Management Function, Ethics and Business Conduct team, and the Independent Evaluation and Advisory Services. Completed The current practice is for the Internal Audit Functions across the CGIAR to collaborate with other internal and external assurance functions. Further strengthened by Q2 2025. Integrated Quality Assurance Function Supports and coordinates the Quality Assurance and Improvement Program (QAIP), including establishment of methodology for internal assessments and coordinates external quality assessments in coordination with Heads of Internal Audit for the centers. Provides routine updates and support to the Internal Audit Community of Practice. A shared service across the CGIAR will continue to develop the Quality Assurance Improvement Program (QAIP). This function assesses conformance with the International Internal Audit Standards across all Internal Audit Functions. They establish system wide KPIs and report on the KPI, and ensure changes in the standards are monitored. It provides additional assurance on the Independence and Objectivity of the CGIAR Internal Audit Functions.
CGIAR Internal Audit Support Services Completed The Professional Practice Unit was established in 2014 and later the Internal Audit Support Service in 2018 provides Quality Assurance Functions to the CGIAR. Further strengthened by Q2 2025 with the authority to escalate issues to the Center AFRCs and IPB-AFRC One of the challenges for full integration is that some of the entities receiving internal audit services are outside of the CGIAR so additional negotiations will be required to bring into effect this integration. Quality Assessment and Improvement Plan A Quality Assessment and Improvement Program for the CGIAR Internal Audit function has been established. Completed The Quality Assessment and Improvement Plan for each Internal Audit Function has been established. International Internal Audit Standards The Quality Assurance Function of the CGIAR established the monitoring and KPIs for the Internal Audit Functions across the CGIAR to complete both the internal and external assessments on the International Internal Audit Standards. The Quality Assurance Function coordinated with Internal Audit Functions to complete their self-assessment and external assessment in conformance with the International Internal Audit Standards. All centers have been assessed both internally and externally in conformance to the International Internal Audit Standards. IP-Internal Audit Executive/Internal Audit Heads Completed Assessments both internally and externally are necessary for all Internal Audit Functions and have been conducted. Global Internal Audit Standards Internal Assessment, validation of self-assessment In 2024, an internal self-assessment to evaluate compliance with the new GIAS (Global Internal Audit Standards) and to identify any gaps and areas for improvement was conducted. The findings from the self-assessment conducted in 2024, along with a corresponding improvement program, will be communicated to the Center Audit and Financial Review Committee (AFRC).
The Quality Assurance Function will coordinate with Internal Audit Functions to complete their self-assessment and validation in conformance with the Global Internal Audit Standards Each individual Internal Audit Function must complete their own self-assessment on conformance to the Global Internal Audit Standards IP-Internal Audit Executive/Internal Audit Heads 01 September 2025 Validation of self-assessment is scheduled for completion by September 2025. Global Internal Audit Standards external Assessment, Completion of external assessment The Quality Assurance Function will monitor and work with Internal Audit Functions across the CGIAR to complete the external assessment on conformance to the Global Internal Audit Standards. This is planned to start in late 2025 and go through 2026, which will cover all internal audit functions across the CGIAR. The Quality Assurance Function will coordinate with Internal Audit Functions to select the external assessment organization. Each individual Internal Audit Function must complete their own external assessment on conformance to the Global Internal Audit Standards, which is planned to start in late 2025 and go through 2026 IP-Internal Audit Executive/Internal Audit Heads 01 September 2026 Once the validation of the self-assessment is completed the external assessments will begin and are scheduled for completion by September 2026. Finalize job description The job description for the new role of Integrated Partnership Internal Audit Executive will be created to take into account the new elevated position within the CGIAR. EMD/DEMD IPB-AFRC 01 December 2024 Appointment of the IP-Internal Audit Executive EMD/DEMD IPB-AFRC 01 March 2025 Internal Audit Charter Harmonize Internal Audit Charters across CGIAR A harmonized version of the Internal Audit Charters was created and shared across all Center AFRCs. The Centers are in the process of approving new AFRC charters.
Center AFRCs and IPB-AFRC Center Board and Integrated Partnership Board 01 December 2024 Integrated Partnership Internal Audit Executive Integrated Internal Audit Support Services Integrated Internal Audit Function Internal Audit Shared Services Conformance to Internal Audit Standards