Executive Summary of LACRO Audit

icon

7

pages

icon

English

icon

Documents

Écrit par

Publié par

Le téléchargement nécessite un accès à la bibliothèque YouScribe Tout savoir sur nos offres

icon

7

pages

icon

English

icon

Documents

Le téléchargement nécessite un accès à la bibliothèque YouScribe Tout savoir sur nos offres

INTERNATIONAL DEVELOPMENT RESEARCH CENTRE Audit of the Latin America and Caribbean Regional Office – May 2007 Executive Summary International Development Research Centre Audit of the Latin America and Caribbean Regional Office E X E C U T I V E S U M M A R Y In accordance with the 2006-07 Internal Audit plan based on a cyclical rotation, the regional office for Latin America and the Caribbean (LACRO) was audited. An audit was originally planned to be conducted in 2005, but was postponed due to the change in internal audit resourcing. The audit was conducted from January 2 to February 16, 2007 and covered the operations of LACRO over the 2005-2006 and 2006-2007 fiscal years (up to the time of the fieldwork). The audit objectives were to provide assurance that the LACRO office efficiently and effectively conducts its operations to: manage risk; ensure appropriate controls are in place to adequately safeguard Centre assets; to comply with Centre policies and procedures and to report accurate, reliable and relevant information to management on the results of its operations. The audit specifically addressed the following six areas of Centre operations: 1. Financial Accounting 2. Grants Administration 3. Locally Engaged Staff 4. Information Technology 5. Office Administration 6. Information Management For an outline of the methodology used for this audit and the detailed list of audit criteria, please refer to Appendix A and ...
Voir icon arrow

Publié par

Langue

English

I
NTERNATIONAL
D
EVELOPMENT
R
ESEARCH
C
ENTRE
Audit of the Latin America and Caribbean Regional Office – May 2007
Executive Summary
International Development Research Centre
Audit of the Latin America and Caribbean Regional Office
Page 1
E X E C U T I V E S U M M A R Y
In accordance with the 2006-07 Internal Audit plan based on a cyclical rotation, the regional
office for Latin America and the Caribbean (LACRO) was audited.
An audit was originally
planned to be conducted in 2005, but was postponed due to the change in internal audit
resourcing.
The audit was conducted from January 2 to February 16, 2007 and covered the
operations of LACRO over the 2005-2006 and 2006-2007 fiscal years (up to the time of the
fieldwork).
The audit objectives were to provide assurance that the LACRO office efficiently and
effectively conducts its operations to: manage risk; ensure appropriate controls are in place to
adequately safeguard Centre assets; to comply with Centre policies and procedures and to
report accurate, reliable and relevant information to management on the results of its
operations. The audit specifically addressed the following six areas of Centre operations:
1.
Financial Accounting
2.
Grants Administration
3.
Locally Engaged Staff
4.
Information Technology
5.
Office Administration
6.
Information Management
For an outline of the methodology used for this audit and the detailed list of audit criteria,
please refer to Appendix A and B.
In our opinion, the LACRO office is mostly effective and efficient in the management of its
operations, with some areas for improvement noted.
We used a four point rating scale to
assess the level of control effectiveness.
Our opinion is based on our assessment of the six
main areas of audit focus:
Financial Accounting
We assessed the management controls over financial accounting to be mostly effective.
Many
of the controls that we would expect to see are in place, including appropriate segregation of
duties and processes to adequately record financial transactions.
Some areas of improvement
noted were:
Controls over Payments – We found that authorizations for operational expenditures
were not always documented in accordance with IDRC’s Operational Expenditures
International Development Research Centre
Audit of the Latin America and Caribbean Regional Office
Page 2
Authority Matrix nor were payments well supported by a certification that the goods
or services had been received satisfactorily.
Financial Authorizations - We found that the authorities and processes in place to sub-
delegate authorizations were not well understood in the region.
Bank Reconciliations - We found that monthly bank reconciliations were not approved
by the Regional Controller for a three month timeframe while he was travelling.
We
also noted that bank reconciliations do not always provide an explanation for
reconciling items.
Grants Administration
We assessed the management controls over grants administration to be mostly effective.
Many of the controls that we would expect to see are in place, including that Institutional Risk
Assessments are done using the tools provided, projects are appropriately approved and
documented, country agreements are monitored, contract templates are used, contracts are
appropriately signed, projects are appropriately committed in EPIK
1
and projects are
monitored regularly and adjusted in EPIK.
The area for improvement noted related to grant
accruals.
–The audit found that there is confusion over the accounting approach for accruing
monthly grant payments.
Some memorandums providing direction on grant accruals
introduced some confusion in the region and appeared to contradict procedural direction.
In
response to the corporate memorandums, LACRO changed its accounting approach in
January, resulting in a $449,070 difference in the January accrual.
Locally Engaged Staff
We assessed the management controls over locally engaged staff to be mostly effective.
The
audit reviewed the process for calculating pay and benefits for LES, as well as the procedures
for carrying out annual Performance Review Appraisals (PRAs).
Our audit found no errors in
compensation paid, payroll withholdings, as applicable, were being remitted on a regular
basis, payroll expenses are appropriately recorded and reported and PRAs were being
1
EPIK is IDRC’s corporate information system.
It is comprised of the Financial Management, and the Grants
& Projects Management (GPM) systems.
International Development Research Centre
Audit of the Latin America and Caribbean Regional Office
Page 3
performed.
The area for improvement noted related to calculating payroll.
The audit found
that the procedures and formula for calculating payroll for locally engaged staff were not well
documented.
Information Technology
We assessed the management controls over Information Technology to be mostly effective.
Many of the controls we would expect to see were in place including:
IT security and
acceptable use policies and procedures are in place, data is adequately backed up, user
accounts and privileges are managed to provide control over electronic data and physical
access to IT equipment is appropriately controlled.
Two areas for improvement noted were:
Policy Compliance and Monitoring - There is little monitoring or enforcement of the
IT security and acceptable use policies and procedures in place.
Business Continuity Planning - There is no formal business continuity plan for
LACRO.
Office Administration
We reviewed the Office Administration processes related to accommodation costs,
procurement, relocation expenses and fixed assets and found that the controls were effective
to ensure that:
accommodation costs align with lease agreements; competitive bids are
obtained when appropriate; fixed assets are adequately controlled and recorded; and
relocation expenses paid in LACRO are in accordance with the Centre’s policy.
No control
weaknesses were identified.
Information Management
We assessed the management controls over Information Management to be effective.
We
found that processes were effectively in place to ensure the following: records management
policies and processes are well defined and understood in LACRO for project records; users
were adequately trained in the Centre’s records management system; records are being
entered into IRIMS as per policy, but primarily as an archiving system; information is
International Development Research Centre
Audit of the Latin America and Caribbean Regional Office
Page 4
accessible and generally easy to find in the region; and project records are appropriately
archived and disposed according to policy.
No control weaknesses were identified.
R E C O M M E N D A T I O N S
We recommend that:
1.
The Regional Controller ensure that appropriate approvals for operational expenditures
are clearly documented in accordance with the IDRC Operational Expenditures
Authorities Matrix.
Original Management Response:
Management agrees with this recommendation.
The Regional Controller has
already communicated to his staff that invoices must bear certification that goods
or services have been received and that payment is authorized.
Completed
May 2007
2.
The Regional Director ensure that authorities delegated in the IDRC’s Authority Matrices
are sub-delegated as appropriate to specific individuals in the regions in accordance with
permitted levels of delegation.
Financial delegated authorities should be communicated
and understood by all staff involved in financial management activities.
Original Management Response:
Management agrees with this recommendation.
The Regional Controller has
already taken measures to delegate approvals to LACRO managers via the forms
made available by the Finance and Administration Division on the intranet.
A copy
of these delegation forms has been forwarded to headquarters Accounts Payables.
Completed
July 2007
3.
The Regional Controller review and sign all bank reconciliations.
Bank reconciliations
should include supporting details for all reconciling items to allow for completeness and
ease of review by the Regional Controller.
Original Management Response:
Management is pleased to note that no anomalies were identified in LACRO’s bank
reconciliations but acknowledges that the reconciliations were not always reviewed
and signed by the Regional Controller during those periods when he was on travel
status.
The Regional Controller has agreed that in the future, he will review and
sign bank reconciliations upon his return from travel whenever reconciliations were
done in his absence.
Completed
May 2007
4.
The Director, FAD clarify the intended interpretation for accruing monthly grant
payments with the Regional Controller.
The Regional Controller should then ensure that
grant payments are appropriately and consistently accrued at month end.
International Development Research Centre
Audit of the Latin America and Caribbean Regional Office
Page 5
Original Management Response:
The Finance and Administration Division issued a document during the year-end
process (on February 23rd and again on April 5th, 2007) synthesizing the existing
documentation on accruals (namely the Grant Administration Q-Tip 13 and the
GPM User Guide).
The procedures are documented in the same way everywhere
and there should be no misinterpretation left anywhere in IDRC.
Completed
May 2007
5.
The Regional Controller ensure that the procedures for calculating LES payroll, benefits
and related accruals, which support the payroll spreadsheet calculations, are formally
documented.
Original Management Response:
Management is pleased to note that LACRO’s payroll for Locally Engaged Staff is
accurately processed with no instance of improper calculations identified.
Management feels that with the Regional Controller capable of backing-up the
accountant to process payroll if necessary and with the availability of this expertise
in the local market, risk of not being able to process payroll is minimal.
Nevertheless, management agrees that documenting procedures for payroll
calculations at a reasonable level could be useful and as such undertakes to do so
by August 31, 2007.
Completed
Aug. 2007
6.
The Regional Director, together with ITMD, establish procedures and clearly define
responsibilities for monitoring and enforcing IT Security and Acceptable Use policies in
LACRO.
Original Management Response:
Processes relating to the security of Information Systems, Technical Infrastructure,
and Access Controls as identified in the IT Security Policy are being put in place in
Ottawa as resources permit and these are then being applied in the ROs as
appropriate.
Management acknowledges that there is a small risk that staff may access non-
work related Internet sites but is prepared to accept this risk given the safeguards in
place to minimize the impact to corporate systems by potentially associated
Malware. If staff productivity is affected by Internet abuse, or there is a suspicion
of unacceptable or unlawful usage, managers have the ability, through the
Acceptable Use Policy, to investigate and take the appropriate action. Nevertheless,
ITMD will re-communicate to IDRC staff the existence and nature of the IT usage
policies before June 30, 2007 and on an annual basis thereafter. As automated
monitoring tools become more accessible to the Centre, both in terms of
affordability and cost of operation, ITMD will consider their application both in
Ottawa and the regional offices.
Completed
July 2007
International Development Research Centre
Audit of the Latin America and Caribbean Regional Office
Page 6
7.
The Regional Director develop a Business Continuity Plan at the local level.
Original Management Response:
The IDRC identified some time ago the need to address Business Continuity
Planning and the need to include IT Service Continuity Management within the
planning exercise.
As such, a Business Continuity Plan applicable to headquarters
was developed in 2006.
Management agrees that the potential application of Business Continuity Planning
to regional offices should be examined but this should be done as a corporate
initiative rather than on an office-by-office basis.
As such, the issue will be
discussed at the next RB Directors / RC Controllers conference in November 2007
with the objective of informing a discussion at SMC during the last quarter of
2007-08.
In Progress
Voir icon more
Alternate Text