CGIAR System Internal Audit Function

Purpose: This document outlines a Quality Assurance and Improvements Program (QAIP) which is designed to provide reasonable assurance that the CGIAR System Internal Audit Function:
• Performs its work in accordance with its Terms of Reference, the Charter and is consistent with the International Professional Practice Framework (IPPF) of the Institute of Internal Auditing (IIA)
• Operates in an effective and efficient manner, and
• Meets stakeholder expectations as to be adding value and continuously improving.

Version: April 2018
Approved by: Audit and Risk Committee of the CGIAR System Organization 27/4/2018
Next review: 2019

Quality Assurance and Improvements Program

Introduction

As per the IIA’s IPPF ‘The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity’ (1300). It goes on to state that ‘A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The chief audit executive should encourage board oversight in the quality assurance and improvement program.’

This document outlines the QAIP of the Internal Audit Function (IAF), including the elements in place and planned.

The IPPF practice guide notes that ‘Quality should be built into, not onto, the way the activity conducts its business—through its internal audit methodology, policies and procedures, and human resource practices.
Building quality into a process is essential to validate and continuously improve the internal audit activity, demonstrating value as defined by stakeholders.’

www.cgiar.org

This Quality Assurance and Improvement Program will be updated at least every three years or earlier, guided by changes in the IAF ToR and/or Charter, the IIA Standards or Internal Audit Function’s operating environment. The next update will be carried out following an external quality assessment in 2019.

QAIP Summary

Together with IIA’s IPPF, the QAIP is also underpinned by stakeholder expectations. It consists of three groups of activities: on-going internal quality assurance activities, periodic self-assessments, and external assessments. Although the Head, Internal Audit Function is ultimately responsible for the QAIP, which covers all types of internal audit work, all IAF staff have responsibility to maintain quality. The following slides unpack each of the elements of QAIP.

0. Quality standards
Quality standards are used to set expectations of IAF.

The standards are derived from:
1.1 IIA IPPF and Code of Ethics
1.2 Stakeholder expectations (value)

Quality assurance activities are implemented through:
2.1 On-going monitoring: Processes, People, Oversight
2.2 Periodic self-assessment: Annual self-assessment exercise
2.3 External assessment: External self-assessment every 5 years

1.1 IIA IPPF and Code of Ethics

1. Definition of internal auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

2. Core principles
The core principles articulate internal audit effectiveness and they should all be present and operating effectively:
   1. Demonstrates integrity.
   2. Demonstrates competence and due professional care.
   3. Is objective and free from undue influence (independent).
   4. Aligns with the strategies, objectives, and risks of the organization.
   5. Is appropriately positioned and adequately resourced.
   6. Demonstrates quality and continuous improvement.
   7. Communicates effectively.
   8. Provides risk-based assurance.
   9. Is insightful, proactive, and future-focused.
   10. Promotes organizational improvement.

3. Code of ethics
The internal audit profession is founded on the trust placed in its objective assurance about risk management, control, and governance. The code of ethics provides principles and rules of conduct relating to integrity, objectivity, confidentiality and competency.

4. International Standards
The International Standards is an authoritative set of guidance consisting of statements of basic requirements for the practice of internal audit and interpretations that clarify terms or concepts within those statements. The Standards were last updated on 1 January 2017.

1.2 Stakeholder expectations (value)

Stakeholder expectations:
• Trusted
• Cost-effective
• Non-duplicative (coordinate with others)
• Culture sensitive
• Strategic, System-wide view
• Respected

Building an effective QAIP is similar to establishing a total quality management program where products and services are analyzed to verify that they meet stakeholder expectations.
The stakeholder expectations reflected here are a distillation of what we have heard from ARC, SMB, various managers and staff across CGIAR in the past year when the role of IAF was being defined:
• IAF should conduct itself in a consistent, objective and non-biased manner within its mandate to generate trust in its ability to create value for the organization
• For IAF to be effective it needs to be respected and listened to
• As it serves the CGIAR System, IAF should strive to provide strategic level insights to aid CGIAR System governing bodies and the organization as a whole
• The insights should be delivered in a way that is culturally appropriate within the organization
• Be aware of and work together with other assurance providers to avoid duplication of effort and assurance gaps
• Be able to demonstrate value for money and cost-consciousness

2.1 On-going monitoring

On-going monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards (1311). The table below outlines on-going IAF activities ensuring that quality standards are met.

Activities (table columns: Process, People, Oversight)

1. Annual audit planning and monitoring
• Defined process aligned with the CGIAR System risk management framework
• Bi-weekly meetings of the IAF team to review the plan schedule and the progress
• Monthly monitoring of IAF budget
• Consultations with stakeholders
• Coordination with other assurance providers (assurance map)
• Annual objective setting and bi/annual performance reviews for IAF team
• Approval by ARC and SMB
• KPIs (TBD)
• Annual stakeholder feedback
• HIAF sign off of expenditure

2. Audit engagement
• Defined engagement process (process description) for planning, execution, reporting and follow up
• Audit manual
• Standard templates for an engagement ToR, planning document, start-up and exit presentations, audit report
• MK insight checklist from planning to reporting
• Time sheets
• Engagement performance form completed at the end of each engagement
• Bi-weekly supervisory meetings for the team
• Staff skills assessment and training records
• Audit file review by HIAF at key process milestones and key outputs, i.e. ToR, planning document, work programs, work papers, presentations, reports
• Client feedback at the end of each engagement

3. Reports for ARC, SMB and SC
• IAF ToR and the Charter
• Standard format to be used for periodic IAF activity report to ARC
• Peer review by the team members
• Stakeholder feedback
• Annual review of the Charter

2.2 Periodic self-assessment

• It is suggested that IAF undergo an annual self-assessment to validate to what extent it is in conformance with the IIA Standards and Code of Ethics. The self-assessment would primarily address conformance with the following series of Standards:
   1000: Purpose, Authority, and Responsibility
   1100: Independence and Objectivity
   1200: Proficiency and Due Professional Care
   1300: Quality Assurance and Improvement Program
   2000: Managing the Internal Audit Activity
   2100: Nature of Work
   2200: Engagement Planning
   2300: Performing the Engagement
   2400: Communicating Results
   2500: Monitoring Progress
   2600: Communicating the Acceptance of Risks
   Code of Ethics
• The annual self-assessment may also include an evaluation of:
   • IAF maturity against the IIA maturity model
   • The quality and supervision of work performed
   • The ways in which IAF adds value
   • The achievement of KPIs
   • The degree to which stakeholder expectations are met
• The self-assessment will be carried out in-house or through a peer review or be supported by the Internal Audit Support Service.
The results will be reported to the Audit and Risk Committee as part of IAF annual reporting
• The first such review for IAF will be carried out at the end of 2018. The results will be reported to the ARC of SMB together with an action plan to address any gaps identified.

2.3 External Quality Assessment

• External assessments will appraise and express an opinion about Internal Audit’s conformance with the IIA Standards, the Definition of Internal Auditing, and the Code of Ethics and will include recommendations for continuous improvement as appropriate
• Timing: An external assessment will be conducted at least every five years
• The qualifications and considerations of External Assessor as noted in Standard 1312 will be considered when contracting with an outside party to conduct the review. Specifically, a qualified assessor or an assessment team will demonstrate competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues will be desirable
• The appointment of the External Assessor and scope of the External Assessment will be approved by the Audit and Risk Committee of the System Management Board
• Results of external assessments will be provided to Audit and Risk Committee of the System Management Board, the Executive Director, CGIAR System Organization upon completion of the external assessment. The external assessment will be accompanied by a written action plan in response to significant comments and recommendations contained in the report
• The recommendations made will be followed up by the Head, IAF on an annual basis as part of the annual self-assessment exercises.
The results will be reported to the Audit and Risk Committee as part of IAF annual reporting
• The IAF may use the term “Conforms with the International Standards for the Professional Practice of Internal Auditing” when the results of the QAIP support this statement. The external audit assessment must have been conducted and the conclusion drawn that Internal Audit Function is operating generally in conformance with the Standards
• The first external quality assessment either through a full assessment or independent validation of the self-assessment (SAIV) is expected to be carried out in 2019 for IAF to be able to use the wording “Conforms with the International Standards for the Professional Practice of Internal Auditing”.