SAVE THE CHILDREN, USA
 BANGLADESH COUNTRY OFFICE




  Department Charter
  ASSURANCE & RISK MANAGEMENT DEPARTMENT


                                           2010
TERMS OF REFERENCE
                                                                     Assurance & Risk Management Department
                                                               Save the Children USA, Bangladesh Country Office




PREFACE

Internal control is a process, effected by an entity's governing body, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in three
categories: a) effectiveness and efficiency of operations; b) reliability of financial reporting; and c)
compliance with applicable laws and regulations. Therefore, a directorate within the organization
should provide governing members with valuable assistance by giving objective assurance on
governance, risk management, and control processes.

The Terms of Reference (TOR) establishes the mission and fiduciary responsibilities of the risk
management and internal audit functions (called the Assurance and Risk Management Department,
ARMD) under the oversight of the Country Director of Save the Children, USA, Bangladesh Country
Office, and sets out the operating environment and mandate to generate an understanding of
ARMD’s role, approach, relationships and reporting.


MISSION

The mission of the Assurance and Risk Management Department (ARMD) is to provide independent,
objective assurance and consulting services designed to add value and improve the organization's
operations. It assists Bangladesh Country Office in accomplishing its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
internal control, and governance processes.



SCOPE OF WORKS

The scope of ARMD work encompasses a systematic, disciplined approach to evaluating and
improving the adequacy and effectiveness of risk management, control, and governance processes and
the quality of performance in carrying out assigned responsibilities. The purpose of evaluating the
adequacy of the organization's existing risk management, control, and governance processes is to
provide reasonable assurance that these processes are functioning as intended and will enable the
organization's objectives and goals to be met, and to provide recommendations for improving the
organization's operations, in terms of both efficient and effective performance. Senior management
and the CD might also provide general directions as to the scope of work and the activities to be
audited.

The Assurance and Risk Management Department works independently to provide objective
assurance by methodically reviewing and verifying all of the organization's operations, resources,
services, programs and processes in place to:

       Establish and monitor the achievement of organization’s objectives;
       Facilitate policy and decision making;
       Ensure the economical, effective and efficient use of resources;
       Ensure compliance with established policies, procedures, laws and regulations;
       Safeguard assets, interests and reputations of organization;
       Ensure the integrity, reliability and quality of information, accounts and data

Based on the engagement, nature and purpose of the functional activities, the scope of work of ARMD
is outlined in three broad categories: A) Assurance Services, B) Risk Management and C) Advisory
Services.






A. ASSURANCE SERVICES

Assurance services are independent professional services that improve the value of information or its
context through evaluations and assessments that focus on identifying the quality of processes,
procedures, and general operations for decision makers. Often associated with the evaluation of
accounting records and procedures, the main focus of assurance services is to confirm the accuracy
and proper maintenance of the accounting records, and thus assure all interested parties that there
are no irregularities in the records themselves. This same general approach will also be applied to the
evaluation of procedures within various departments and functions of the organization.

The explicit purpose of assurance services is to provide independent and professional opinions
on the quality and reliability of information to the Country Director as well as other SMT
members within Save the Children - USA, Bangladesh Country Office.



Project Assurance

ARMD provides assurance that the agency delivers quality services (program quality) to the targeted
beneficiaries and stakeholders at the level of donor’s intention (purpose of funds) and implements
projects using the resources efficiently and cost effectively (usage of funds) within set terms and
conditions (compliance).



Internal Audit

Internal auditing is an independent appraisal activity established within an organization to verify and
certify its activities as a service to the organization. It objectively examines, evaluates and reports on
the adequacy of the control environment as a contribution to the proper, economic, efficient and
effective use of resources. Internal audit functions provide assurance relating to:

       Compliance with legislation, regulations, policies, procedures, and terms and conditions;
       Safeguarding of assets;
       Reliability and integrity of financial and operational information; and
       Effectiveness and efficiency of programs operations

The work of internal audit forms part of the assurance framework; however, the existence of
ARMD does not diminish the responsibility of management to establish systems of internal
control to ensure that activities are conducted in a secure, efficient and well-ordered manner.



Performance Audit

It is also known as an ‘operation audit’: an objective and systematic examination of evidence for
the purpose of providing an independent assessment of the performance of the organization,
program, activity, or function in order to provide information to improve accountability and facilitate
decision-making by parties with responsibility to oversee or initiate corrective action.

A report of management's abilities is typically prepared to meet particular goals. Included in the
report are measures of the effectiveness of internal controls and efficiency of procedures and
processes. The performance audit may be initiated by the organization or by external interested
parties. However, the performance audit is not performed as a means to attest to the financial records
and statements of the organization.








Internal Audit and Review Process

Generally, ARMD follows this process when reviewing or auditing any entity:

       Select audit engagement from Internal Audit Calendar
       Notify audit / review engagement to the auditable unit, department, project or partner
       Evaluate, test and verify adequacy of controls in the system at on-site visit
       Identify control concerns, risks and alternative control improvement recommendations;
       Discuss observations with management and reach agreement in principle on the audit issues;
       Prepare formal audit / review report noting findings and recommendations and share;
       Receive management responses from audited entity;
       Issue final report to the CD, with management response



Sampling – Identify Control or Transactions to be Tested

Sampling involves testing less than 100 percent of a population and then utilizing the results to draw
a conclusion about the entire population. This process saves the time, effort, and expense that may be
involved in comprehensive testing. Audit sampling is a method by which an auditor can draw
conclusions about the whole of a group of items (the "population") by examining some of them ("the
sample"). Sampling is most effective for populations in which a large number of similar transactions
are processed in a similar manner.

The extent of testing a sample of controls or transactions may vary depending on a variety of factors
including complexity, population size, transaction frequency, importance, type of activity (manual or
automated), and level of comfort desired from a test. ARMD members determine sample sizes, based
on population and risk, in order to draw conclusions as to what is happening in a population of
audited items.

Systematic Sampling: A random approach of selecting items at intervals. The first item in the selection
process must be picked at random. Often used in financial auditing to test for understatement.

Dollar Unit Sampling: A unique statistical approach based on a probability proportional to size. The
probability of any one item being selected for detailed verification is proportional to the size of the
item. Often used in financial auditing to test for overstatement.

Judgmental Sampling: A nonrandom approach of selecting sample items based on the auditor’s
reasoning or suspicions. Often used to select examples of deficiencies to support the auditors’
contention that the system is weak. Sample results cannot be statistically extrapolated to the entire
population.

Sampling Documentation
The selection of sample sizes should be documented in the work papers. The following items should
be documented each time a sample is chosen:

           population
           sample size
           sampling unit
           sample design (e.g., random, haphazard, systematic)
           definition/explanation of an error
           errors detected and/or error rate








Testing Financial Transactions

In transaction tests, a selected number of sample transactions are tested to see if controls are
performing properly within a certain population. Based on the rate of error, auditors determine if they
can rely on the information developed from posting or recording transactions. The test helps auditors
determine the scope of audit work.

As a detective approach to risk identification and reduction, ARMD tests, on a quarterly basis,
the accounting vouchers and support documents of financial transactions selected through
Judgmental Sampling from a periodic list of transactions or general ledgers.



Compliance Verification

ARMD conducts compliance verification on sample transactions to ensure that the standards are
implemented in a uniform manner according to the set guidelines, conditions and specifications of:

       Donor
       Local Government (Bangladesh Government’s laws and regulations)
       SC USA Home Office
       SC USA Bangladesh Country Office



Audit and Review Reports

Formal audit and review reports are designed to:

       Identify control weaknesses noted during audit engagements;
       Explain risk implications that result from control weaknesses;
       Present alternative procedures to correct deficiencies;
       Include management responses of the audited entity

The audit report is typically divided into the following sections:

       Audit Scope, Objectives and Background
       Audit Procedures, Resources and Methodology
       Audit Findings, Risk Implications and Recommendations



Implementation of Audit Recommendations

Audit follow-up is an integral part of good management, and is a shared responsibility of agency
management and ARMD. Corrective action taken by management on resolved findings and
recommendations is essential to improving the effectiveness and efficiency of CO operations. CO
management establishes systems to assure the prompt and proper resolution and implementation of
audit recommendations. These systems shall provide for a complete record of action taken on both
monetary and non-monetary findings and recommendations.

ARMD conducts further review to provide assurance that management has adequately implemented
recommendations of previous audit or review and resolved previous problems. These reviews also
ensure that the upper management is informed of non-resolution of previous problems.








ARMD Roles and Responsibilities in Internal Audit Services

The Internal Audit unit under ARMD supports the Country Director (CD) by providing independent
and objective assurance assessments of the organization's management control framework, systems
and practices, and governance processes. The following are the key responsibilities of ARMD under its
internal audit and review functions:

       Prepare a rolling three-year strategic risk-based internal audit plan which will be translated
        into an annual plan for formal agreement and ratification by the CD;
       Carry out certain reviews on a cyclical basis (e.g. CO, IAO, DTO and Partners); however, audit
        resources will, increasingly, be allocated on the principle of continuous planning which takes
        into account key risks as they emerge;
       Review, appraise and report to management on the soundness, adequacy and application of
        internal controls; the extent to which the assets and interests are accounted for and
        safeguarded; the suitability and reliability of financial and other management data, including
        aspects of performance measurement;
       Work with the external auditors to ensure that the nature and quality of internal audit
        coverage assists them in the discharge of their duties;
       Report annually, to the CD on the annual audit coverage, providing an overall assessment of
        internal control environment on key financial and operational systems;
       Review and certify grant / funding claims as required;



Compliance Assurance

ARMD provides regular validation and certification that Bangladesh Country Office meets strategic
and reporting requirements of different entities (home office, donor, local government) relating to
their accepted practices, laws, legislation, prescribed rules and regulations, policies, specified
standards, or the terms of a contract.

       Identification of Compliance Obligations
       Assess the extent of compliance with BdCO and/or other relevant policies, guidelines and
        procedures
       Assists in promoting a culture of compliance and takes an active interest in ethical issues
        associated with the BdCO’s dealing activities
       Assists in implementing a Compliance Chart that reflects the key activities performed by an
        operating unit to understand and manage its compliance risks
       Compliance report on the outcomes from the annual legal compliance certification process
        completed by CD Offices
       Compliance Risk Reporting, Monitoring and Mitigation



Investigation

ARMD performs its responsibilities to investigate allegations of fraud or irregularity through detailed
inquiry or systematic examination to discover facts.

       Investigate allegations of fraud or irregularity to help safeguard public funds
       Investigate all reported irregularities in accordance with established strategies and protocols;
        by its very nature fraud-related work is unpredictable in terms of its timing and extent.
       Conducting ad hoc and confidential investigations at the request of SMT or CD








Ombudsmen

An ombudsmen committee addresses concerns (such as administrative abuse or maladministration)
that employees, public, or groups have about organizations or bureaucracies. In these situations, the
ombudsperson acts as an impartial mediator between the two parties, providing a less threatening
type of dispute resolution.

The Head of ARMD is an active member of the Ombudsmen Committee. To help reduce friction
between staff, the related local public, and the organization, he/she must be viewed as trustworthy
and neutral; the process will not work if one party believes that the ombudsperson is taking the side
of the other party.

A complaint to the Ombudsmen Committee must be made in writing through the CD. The
correspondence must include full details of the matter/issue and provide full details of the
complainant including a signature. The person raising the complaint must also be assured by the
committee that his/her personal information will be kept confidential.

The power of the ombudsperson lies in his ability to investigate complaints of wrongdoing and then
notify the staff or the relevant department of the organization, or both, of the findings. However, an
ombudsperson cannot change or make laws, enforce any recommendations, or change administrative
actions or decisions.




B. RISK MANAGEMENT

Risk is the uncertainty of an event occurring that could have an impact on the achievement of
objectives. Risk management is a central part of any organization's strategic management. It is a
process that methodically addresses the risks across the portfolio of all activities attached to the goal.

ARMD team members assist both management and the CD by examining, evaluating, reporting, and
recommending improvements on the adequacy and effectiveness of management’s risk processes.
Management and the CD are responsible for their organization’s risk management and control
processes. However, ARMD acting in a consulting role can assist the organization in identifying,
evaluating, and implementing risk management methodologies and controls to address those risks.

This ToR provides guidance on the major risk management objectives that ARMD considers in
formulating an opinion on the adequacy of the organization’s risk management framework.


Risk management framework

The risk management framework is a set of components that provide the foundations and
organizational arrangements for designing, implementing, monitoring, reviewing and continually
improving risk management processes throughout the organization.

ARMD determines that the methodology is understood by key groups or individuals involved in
governance, including the SMT and CD. In formulating an opinion on the overall adequacy of the risk
management framework in the Bangladesh Country Office, ARMD substantiates that existing risk
management processes address the following key objectives:






       Risks are identified and prioritized.
       Management has determined the level of risks acceptable to the organization
       Risk mitigation activities are designed and implemented to reduce, or otherwise manage, risk
        at levels that were determined to be acceptable to management.
       Ongoing monitoring activities are conducted to periodically reassess risk and the effectiveness
        of controls to manage risk.
       Management receives periodic reports of the results of the risk management processes.



Risk assessment

Risk assessment is a systematic process for assessing and integrating professional judgments about
probable adverse conditions and / or events.

Developing assessments and reports on the organization’s risk management processes is normally a
high audit priority. Evaluating management’s risk processes is different from the requirement that
ARMD use risk analysis to plan audits. However, information from a comprehensive risk management
process, including the identification of management and board concerns, can assist the internal
auditor in planning audit activities.



Risk treatment

Risk treatment involves a cyclical process of assessing a risk treatment; deciding whether residual risk
levels are tolerable or not; if not tolerable generating a new risk treatment; and assessing the effect of
that treatment until the residual risk reached complies with the organization’s risk criteria. Risk
treatment options are not necessarily mutually exclusive or appropriate in all circumstances.

            Treat or Manage - management controls—proactive
            Take or Accept - Low likelihood and impact provides low exposure—inactive
            Transfer or Insure - Obtain a policy to cover for loss—reactive
            Terminate or Avoid - Stop all activity related to undesirable risk—non-active

Selecting the most appropriate risk treatment option involves balancing the costs and efforts of
implementation against the benefits derived having regard to legal, regulatory, and other
requirements, social responsibility and the protection of the natural environment. A number of
treatment options can be considered and applied either individually or in combination.

ARMD justifies and provides objective assurance as to the appropriateness of the decisions for risk
treatments.



ARMD Roles and Responsibility in Risk Management

ARMD’s core role with regard to Risk Management (RM) is to provide objective assurance to the
Country Director on the effectiveness of organization's RM activities to help ensure key business risks
are being managed appropriately and that the system of internal control is operating effectively.

The main factors to take into account when determining ARMD's role are whether the activity
raises any threats to the internal auditors' independence and objectivity, and whether it is likely to
improve the organization's risk management, control, and governance processes.






Core roles in regard to Risk Management:

               Giving assurance on risk management processes.
               Giving assurance that risks are correctly evaluated.
               Evaluating risk management processes.
               Evaluating the reporting of key risks.
               Reviewing the management of key risks.



Legitimate roles with safeguards:

               Facilitating identification and evaluation of risks.
               Coaching management in responding to risks.
               Coordinating RM activities.
               Consolidating the reporting on risks.
               Maintaining and developing the RM framework.
               Championing establishment of RM.
               Developing risk management strategy for management approval.



Roles internal auditing should NOT undertake:

               Setting the risk appetite.
               Imposing risk management processes.
               Management assurance on risks.
               Taking decisions on risk responses.
               Implementing risk responses on management's behalf.
               Accountability for risk management.


ARMD emphasizes that Bangladesh Country Office should fully understand that management
remains responsible for risk management. Internal auditors should provide advice, and
challenge or support management's decisions on risk, as opposed to making risk management
decisions.




C. ADVISORY SERVICES

ARMD maintains a dynamic, team-oriented environment which encourages personal and professional
growth, and provides consulting and advisory services for management, programs and program
support units.

ARMD contributes advisory services in the following areas:

       Risk and control assessment (including control self-assessment);
       Performance management and related systems;
       Financial and business analysis to assist in problem solving; and,
       Monitoring and evaluation systems of program implementations.








ARMD provides routine consultation and advisory services to BdCO management. This may include,
but is not limited to, interpreting policies and procedures, participation on standing committees,
limited-life projects, ad-hoc meetings, and routine information exchange.

The objectives of the advisory function include, but are not limited to, the following:

       Support the PSMS units to discharge their regular duties efficiently and effectively;
       Support the finance & assets directorate’s objective of ensuring the provision of sound
        financial systems;
       Perform systems and business process ‘As-Is’ reviews;
       Recommend Minimum Operating Standards (MOS) for the Country Office operations and
        services



As part of its consulting role ARMD may be asked to provide input into the development of new
policies, procedures, systems or processes. ARMD may provide such input provided it does not
impair audit independence. Ultimately, management is responsible for making the final
decisions on changes to policies, procedures, systems, or processes.



Ethics Advocate

All people associated with the organization share some responsibility for the state of its ethical
culture. Because of the complexity and dispersion of decision-making processes, each individual
should be encouraged to be an ethics advocate, although the role is merely conveyed informally.
Codes of conduct and statements of vision and policy are important declarations of the organization's
values and goals, the behavior expected of its people, and the strategies for maintaining a culture that
aligns with its legal, ethical, and societal responsibilities.

ARMD takes an active role in support of the organization's ethical culture. They possess a high level of
trust and integrity within the organization and the skills to be effective advocates of ethical conduct.
They have the competence and capacity to appeal to the organization's leaders, managers, and other
employees to comply with the legal, ethical, and societal responsibilities of the organization.



Assessment of the Organization's Ethical Climate

ARMD evaluates the effectiveness of an enhanced, highly effective ethical culture.

       Frequent communications and demonstrations of expected ethical attitudes and behavior by
        the influential leaders of the organization
       Several, easily accessible ways (like ombudsmen committee) for people to confidentially
        report alleged violations of the Code, policies, and other acts of misconduct
       Practice of regular declarations by employees, suppliers, and customers that they are aware of
        the requirements for ethical behavior in transacting the organization's affairs
       Easy access to learning opportunities to enable all employees to be ethics advocates.
       Positive personnel practices that encourage every employee to contribute to the ethical
        climate of the organization
       Regular surveys of employees, suppliers, and customers to determine the state of the ethical
        climate in the organization








ACCESS AND AUTHORITY

ARMD staff members are authorized (in accordance with local laws and regulations) to have full, free
and unrestricted access to all functions, premises, assets, personnel, records, and information which
are necessary to execute their responsibilities effectively.

ARMD representatives must have the opportunity to attend relevant committee meetings (e.g.
Ombudsmen Committee meetings, Senior Management Team meetings) to raise any matters (either
orally or in writing) that are reasonable and necessary.

All employees and directorates of the BdCO, or partners / agents contracted to provide services on its
behalf, are required to give complete co-operation to ARMD staff for the expedient fulfillment of the
audit and verification process.

ARMD representatives have the authority to request that the CD invite GARS to perform a specific
in-depth audit.

The ARMD Director and staff are not authorized to:

       Perform operational duties for the CO or its affiliates.
       Initiate or approve accounting transactions external to the internal auditing department.
       Approve changes to accounting processes or systems.
       Direct the activities of any employee not employed in ARMD, except to the extent such
        employees have been appropriately assigned to ARMD teams or to otherwise assist the
        internal auditors.




CONFIDENTIALITY

All documentation, systems (e.g. complaints register, reports and files), management, and information
accessed by the ARMD in the course of undertaking any internal audit or review activities, are to be
used solely for the conduct of these activities. The Head of ARMD and other individual staff are
responsible and accountable for maintaining the confidentiality of information they receive during
the course of their work.




INDEPENDENCE

To avoid potential conflicts of interest, ARMD staff must be independent of the business activities of
program and support units and report functionally to the Country Director through their next higher
level ARMD supervisor.

ARMD staff members are independent when they can carry out their work freely and objectively.
Independence permits ARMD staff to render the impartial and unbiased judgments essential to the
proper conduct of engagements. It is achieved through organizational status and objectivity.








Organizational Independence

Internal auditors should have the support of senior management and of the CD so that they can gain
the cooperation of engagement clients and perform their work free from interference.

The Head of ARMD has a direct communication protocol with the SMT and Country Director. Regular
communication with management helps assure independence and provides a means for the CD and
the Head of ARMD to keep each other informed on matters of mutual interest.



Disclosing Reasons for Information Requests

At times, an ARMD staff member may be asked by the engagement client or other parties to explain why a
document that has been requested is relevant to an engagement. Whether to disclose, during the
engagement, the reasons why documents are needed should be determined by the judgment of the
Head of ARMD in light of the specific circumstances.




INDIVIDUAL OBJECTIVITY

It is essential that ARMD members have an impartial, unbiased attitude and remain unfettered by
conflicts of interest.

Objectivity requires ARMD members to perform engagements in such a manner that they have an
honest belief in their work product and that no significant quality compromises are made. ARMD
members are not to be placed in situations in which they feel unable to make objective professional
judgments.

It is unethical for an ARMD member to accept a fee or gift from an employee, client, customer,
supplier, or associate. Accepting a fee or gift may create an appearance that the person's objectivity
has been impaired.

ARMD members report to the Head of ARMD any situations in which a conflict of interest or bias is
present or may reasonably be inferred. A scope limitation along with its potential effect should be
communicated, preferably in writing, to the Country Director.

ARMD members are not to assume operating responsibilities. If senior management directs ARMD
members to perform non-ARMD work, it should be understood that they are not functioning as
internal auditors. Moreover, objectivity is presumed to be impaired when internal auditors perform an
assurance review of any activity for which they had authority or responsibility within the past year.




INVESTIGATE AND CHALLENGE

When ARMD perceives a compliance risk, or when a management decision may give or has given rise to
a significant financial or reputational risk for the organization, it must investigate and challenge any
actions or concerns without influence from the operation. If the matter is not promptly resolved,
ARMD and relevant management must follow the escalation process.








REPORTING

ARMD must report at least annually to the Country Director and relevant committees on the effectiveness
of implementation and embedding of the TOR, framework and policies against donor / Home
Office guidelines, in addition to other relevant compliance and risk management topics that may be
required by SC USA BdCO. The Head of ARMD must ensure reports are accurate, current, and on time.

In addition, the ARMD must also report incidents and issues to the Country Director and the next
higher level ARMD staff, as necessary or required.

The ARMD, upon completion of an audit, will discuss the audit findings with the member of
management responsible for the area audited or reviewed. A written report of the review findings /
observations and the manager's response will be sent to the Country Director (CD) within three weeks
of the review completion. Follow-up procedures will vary depending on the severity of the audit
findings, but will be within six months at the latest.




PLANNING

ARMD establishes risk-based plans to determine the priorities of the internal audit activity, consistent
with the organization's goals. The internal audit plan should be designed based on an assessment of
risk and exposures that may affect the organization. The degree or materiality of exposure can be
viewed as risk mitigated by establishing control activities.




PROFESSIONAL STANDARD

ARMD adheres to the Standards for the Professional Practice of Internal Auditing and the Code of
Ethics adopted by the Institute of Internal Auditors (IIA). Relevant rules and regulations
issued by the Bangladesh Government are also considered standards to comply with.

ARMD, as a department, is expected to:

     • comply with relevant auditing standards, for example, ‘International Standard for Professional
       Practice of Internal Auditing’;
     • comply with, and promote compliance throughout the organization with, all BdCO rules and
       policies;
     • adopt at all times a professional, reliable, independent and innovative approach.




RELATIONSHIP AND LIAISON

Internal relations:

The main contact is with other employees of Save the Children – USA, Bangladesh Country Office.
ARMD staff ensure that they explain to the persons concerned the purpose of the audit or review
and the various stages that the audit or review process will follow.








External relations:

     • External auditors (from local institutes, donors, SC Home Office or Regional Offices)
     • Staff of partner NGOs and other organizations
     • Vendors, consultants or other relevant third parties
     • Members of the public




CAPACITY DEVELOPMENT

The Head of ARMD is responsible for continuing educational development to enhance the professional
and personal growth of the team members as well as other staff members of the country office. He
ensures that all ARMD staff have received appropriate training to perform their jobs efficiently and
effectively. A yearly training program shall be developed and approved by the Country Director.

ARMD promotes:

     • Strengthening and professionalization of the internal audit function through the
       establishment of, and adherence to, stringent professional standards and the application of
       internationally recognized internal auditing practices;
     • The recruitment of skilled and qualified professionals.




STAFFING AND SUPERVISION

Direct supervisor

The Head of Assurance and Risk Management Department is the direct supervisor of the staff
members of ARMD under administrative and functional supervision.

Content and methodology of supervision

The ARMD works directly under the CD’s Section. This department includes director, manager and
senior officer designations. The Job Descriptions and Key Performance Indicators (KPI) are developed
in collaboration with the CD, director and senior staff of ARMD and serve as a benchmark for the
yearly performance appraisal.




REVIEW OF THE TERMS

The Terms of Reference shall be reviewed and updated annually.



                                       __________END__________




Department Charter Risk & Audit

  • 1. SAVE THE CHILDREN, USA BANGLADESH COUNTRY OFFICE Department Charter ASSURANCE & RISK MANAGEMENT DEPARTMENT 2010
  • 2. TERMS OF REFERENCE Assurance & Risk Management Department Save the Children USA, Bangladesh Country Office PREFACE Internal control is a process, affected by an entity's governing body, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories: a) effectiveness and efficiency of operations; b) reliability of financial reporting; and c) compliance with applicable laws and regulations. Therefore, a directorate within the organization should provide governing members with valuable assistance by giving objective assurance on governance, risk management, and control processes. The Terms of Reference (TOR) establishes the mission and fiduciary responsibilities of the risk management and internal audit functions (called the Assurance and Risk Management Department, ARMD) under the oversight of the Country Director of Save the Children, USA, Bangladesh Country Office; as well as set out the operating environment and mandate to generate an understanding of ARMD’s role, approach, relationships and reporting. MISSION The mission of the Assurance and Risk Management Department, ARMD is to provide independent, objective assurance and consulting services designed to add value and improve the organization's operations. It assists Bangladesh Country Office in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control, and governance processes. SCOPE OF WORKS The scope of ARMD work encompasses a systematic, disciplined approach to evaluating and improving the adequacy and effectiveness of risk management, control, and governance processes and the quality of performance in carrying out assigned responsibilities. 
The purpose of evaluating the adequacy of the organization's existing risk management, control, and governance processes is to provide reasonable assurance that these processes are functioning as intended and will enable the organization's objectives and goals to be met, and to provide recommendations for improving the organization's operations, in terms of both efficient and effective performance. Senior management and the CD might also provide general directions as to the scope of work and the activities to be audited. The Assurance and Risk Management Department works independently to provide objective assurance through methodically review and verify all of the organization's operations, resources, services, programs and processes in place to:  Establish and monitor the achievement of organization’s objectives;  Facilitate policy and decision making;  Ensure the economical, effective and efficient use of resources;  Ensure compliance with established policies, procedures, laws and regulations;  Safeguard assets, interests and reputations of organization;  Ensure the integrity, reliability and quality of information, accounts and data Based on engagement, nature and purpose of the functional activities, scope of works of ARMD are outlined in three broader categories as A) Assurance Services B) Risk Management and C) Advisory Services. Page 1 of 13
  • 3. TERMS OF REFERENCE Assurance & Risk Management Department Save the Children USA, Bangladesh Country Office A. ASSURANCE SERVICES Assurance services are independent professional services that improve the value of information or its context through evaluations and assessments that focus on identifying the quality of processes, procedures, and general operations for decision makers. Often associated with the evaluation of accounting records and procedures, the main focus of assurance services is to confirm the accuracy and proper maintenance of the accounting records, and thus assure all interested parties that there are no irregularities in the records themselves. This same general approach will also be applied to the evaluation of procedures within various departments and functions of the organization. The explicit purpose of assurance services is to provide independent and professional opinions on the quality and reliability of information to the Country Director as well as other SMT members within Save the Children - USA, Bangladesh Country Office. Project Assurance ARMD provides assurance that the agency delivers quality services (program quality) to the targeted beneficiaries and stakeholders at the level of donor’s intention (purpose of funds) and implements projects using the resources efficiently and cost effectively (usage of funds) within set terms and conditions (compliance). Internal Audit Internal auditing is an independent appraisal activity established within an organization to verify and certify its activities as a service to the organization. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. 
Internal audit functions provide assurance relating to:  Compliance with legislation, regulations, policies, procedures, and terms and conditions;  Safeguarding of assets;  Reliability and integrity of financial and operational information; and  Effectiveness and efficiency of programs operations The work of internal audit forms part of the assurance framework, however, the existence of ARMD does not diminish the responsibility of management to establish systems of internal control to ensure that activities are conducted in a secure, efficient and well-ordered manner. Performance Audit It is also distinguished as ‘operation audit; an objective and systematic examination of evidence for the purpose of providing an independent assessment of the performance of the organization, program, activity, or function in order to provide information to improve accountability and facilitate decision-making by parties with responsibility to oversee or initiate corrective action. A report of management's abilities is typically prepared to meet particular goals. Included in the report are measures of the effectiveness of internal controls and efficiency of procedures and processes. The performance audit may be initiated by the organization or by external interested parties. However, the performance audit is not performed as a means to attest to the financial records and statements of the organization. Page 2 of 13
  • 4. TERMS OF REFERENCE Assurance & Risk Management Department Save the Children USA, Bangladesh Country Office Internal Audit and Review Process Generally ARMD follows the following process while review or audit any entity:  Select audit engagement from Internal Audit Calendar  Notify audit / review engagement to the auditable unit, department, project or partner  Evaluate, test and verify adequacy of controls in the system at on-site visit  Identify control concerns, risks and alternative control improvement recommendations;  Discuss observations with management and reach agreement in principal to the audit issues;  Prepare formal audit / review report noting findings and recommendations and share;  Receive management responses from audited entity;  Issue final report to the CD, with management response Sampling – Identify Control or Transactions to be Tested Sampling involves testing less than 100 percent of a population and then utilizing the results to draw a conclusion about the entire population. This process saves the time, effort, and expense that may be involved in comprehensive testing. Audit sampling is a method by which an auditor can draw conclusions about the whole of a group of items (the "population") by examining some of them ("the sample"). Sampling is most effective for populations in which a large number of similar transactions are processed in a similar manner. The extent of testing a sample of controls or transactions may vary depending on a variety of factors including complexity, population size, transaction frequency, importance, type of activity (manual or automated), and level of comfort desired from a test. ARMD members determine sample sizes, based on population and risk, and to draw conclusions as to what is happening in a population of audited items. Systematic Sampling: A random approach of selecting items at intervals. The first item in the selection process must be picked at random. 
Often used in financial auditing to test for understatement. Dollar Unit Sampling: A unique statistical approach based on a probability proportional to size. The probability of any one item being selected for detailed verification is proportional to the size of the item. Often used in financial auditing to test for overstatement. Judgmental Sampling: A nonrandom approach of selecting sample items based on the auditor’s reasoning or suspicions. Often used to select examples of deficiencies to support the auditors’ contention that the system is weak. It can not statistically extrapolate sample results to the entire population. Sampling Documentation The selection of sample sizes should be documented in the work papers. The following items should be documented each time a sample is chosen:  population  sample size  sampling unit  sample design (e.g., random, haphazard, systematic)  definition/explanation of an error  errors detected and/or error rate Page 3 of 13
  • 5. TERMS OF REFERENCE Assurance & Risk Management Department Save the Children USA, Bangladesh Country Office Testing Financial Transactions In transaction tests, a selected number of sample transactions are tested to see if controls are performing properly within a certain population. Based on the rate of error, auditors determine if they can rely on the information developed from posting or recording transactions. The test helps auditors determine the scope of audit work. Performing risk identification and reduction activities in a detective approach, ARMD on a quarterly basis tests the accounting vouchers and support documents of financial transactions selected through a Judgmental Sampling from a periodic list of transactions or general ledgers. Compliance Verification ARMD conducts compliance verification on sample transactions to ensure that the standards are implemented in a uniform manner according to the set guidelines, conditions and specifications of:  Donor  Local Government (Bangladesh Government’s laws and regulations)  SC USA Home Office  SC USA Bangladesh Country Office Audit and Review Reports Formal audit and review reports are designed to:  Identify control weaknesses noted during audit engagements;  Explain risk implications that result from control weaknesses;  Present alternative procedures to correct deficiencies;  Include management responses of the audited entity The audit report is typically divided into the following sections:  Audit Scope, Objectives and Background  Audit Procedures, Resources and Methodology  Audit Findings, Risk Implications and Recommendations Implementation of Audit Recommendations Audit follow-up is an integral part of good management, and is a shared responsibility of agency management and ARMD. Corrective actions taken by management on resolved findings and recommendations is essential to improving the effectiveness and efficiency of CO operations. 
CO management establishes systems to assure the prompt and proper resolution and implementation of audit recommendations. These systems shall provide for a complete record of action taken on both monetary and non-monetary findings and recommendations. ARMD conducts further review to provide assurance that management has adequately implemented recommendations of previous audit or review and resolved previous problems. These reviews also ensure that the upper management is informed of non-resolution of previous problems. Page 4 of 13
  • 6.
ARMD Roles and Responsibilities in Internal Audit Services

The Internal Audit unit under ARMD supports the Country Director (CD) by providing independent and objective assurance assessments of the organization’s management control framework, systems and practices, and governance processes. The following are the key responsibilities of ARMD under its internal audit and review functions:
- Prepare a rolling three-year strategic risk-based internal audit plan which will be translated into an annual plan for formal agreement and ratification by the CD;
- Carry out certain reviews on a cyclical basis (e.g. CO, IAO, DTO and Partners); however, audit resources will, increasingly, be allocated on the principle of continuous planning which takes into account key risks as they emerge;
- Review, appraise and report to management on the soundness, adequacy and application of internal controls; the extent to which the assets and interests are accounted for and safeguarded; the suitability and reliability of financial and other management data, including aspects of performance measurement;
- Work with the external auditors to ensure that the nature and quality of internal audit coverage assists them in the discharge of their duties;
- Report annually to the CD on the annual audit coverage, providing an overall assessment of the internal control environment on key financial and operational systems;
- Review and certify grant / funding claims as required.

Compliance Assurance

ARMD provides regular validation and certification that Bangladesh Country Office meets strategic and reporting requirements of different entities (home office, donor, local government) relating to their accepted practices, laws, legislation, prescribed rules and regulations, policies, specified standards, or the terms of a contract.
- Identification of Compliance Obligations
- Assess the extent of compliance with BdCO and/or other relevant policies, guidelines and procedures
- Assists in promoting a culture of compliance and takes an active interest in ethical issues associated with the BdCO’s dealing activities
- Assists in implementing a Compliance Chart that reflects the key activities performed by an operating unit to understand and manage its compliance risks
- Compliance report on the outcomes from the annual legal compliance certification process completed by CD Offices
- Compliance Risk Reporting, Monitoring and Mitigation

Investigation

ARMD performs its responsibilities to investigate allegations of fraud or irregularity through detailed inquiry or systematic examination to discover facts.
- Investigate allegations of fraud or irregularity to help safeguard public funds
- Investigate all reported irregularities in accordance with established strategies and protocols; by its very nature fraud-related work is unpredictable in terms of its timing and extent.
- Conduct ad hoc and confidential investigations at the request of SMT or CD
  • 7.
Ombudsmen

An ombudsmen committee addresses concerns (such as administrative abuse or maladministration) that employees, the public, or groups have about organizations or bureaucracies. In these situations, the ombudsperson acts as an impartial mediator between the two parties, providing a less threatening type of dispute resolution.

As an active member of the Ombudsmen Committee, the Head of ARMD helps reduce friction between staff, the related local public, and the organization. He/she must be viewed as trustworthy and neutral; the process will not work if one party believes that the ombudsperson is taking the side of the other party.

A complaint to the Ombudsmen Committee must be made in writing through the CD. The correspondence must include full details of the matter/issue and provide full details of the complainant, including a signature. The person raising the complaint must also be assured by the committee that his/her personal information will be kept confidential.

The power of the ombudsperson lies in his ability to investigate complaints of wrongdoing and then notify the staff or the relevant department of the organization, or both, of the findings. However, an ombudsperson cannot change or make laws, enforce any recommendations, or change administrative actions or decisions.

B. RISK MANAGEMENT

Risk is the uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk management is a central part of any organization's strategic management. It is a process that methodically addresses the risks attaching to the goal across the portfolio of all activities.

ARMD team members assist both management and the CD by examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of management’s risk processes. Management and the CD are responsible for their organization’s risk management and control processes. However, ARMD, acting in a consulting role, can assist the organization in identifying, evaluating, and implementing risk management methodologies and controls to address those risks.

This ToR provides guidance on the major risk management objectives that ARMD considers in formulating an opinion on the adequacy of the organization’s risk management framework.

Risk management framework

The risk management framework is a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization. ARMD determines that the methodology is understood by key groups or individuals involved in governance, including the SMT and CD.

In formulating an opinion on the overall adequacy of the risk management framework in Bangladesh Country Office, ARMD substantiates that existing risk management processes address the following key objectives:
  • 8.
- Risks are identified and prioritized.
- Management has determined the level of risks acceptable to the organization.
- Risk mitigation activities are designed and implemented to reduce, or otherwise manage, risk at levels that were determined to be acceptable to management.
- Ongoing monitoring activities are conducted to periodically reassess risk and the effectiveness of controls to manage risk.
- Management receives periodic reports of the results of the risk management processes.

Risk assessment

Risk assessment is a systematic process for assessing and integrating professional judgments about probable adverse conditions and / or events. Developing assessments and reports on the organization’s risk management processes is normally a high audit priority. Evaluating management’s risk processes is different from the requirement that ARMD use risk analysis to plan audits. However, information from a comprehensive risk management process, including the identification of management and board concerns, can assist the internal auditor in planning audit activities.

Risk treatment

Risk treatment involves a cyclical process of assessing a risk treatment; deciding whether residual risk levels are tolerable or not; if not tolerable, generating a new risk treatment; and assessing the effect of that treatment until the residual risk reached complies with the organization’s risk criteria. Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.
- Treat or Manage - management controls (proactive)
- Take or Accept - low likelihood and impact provide low exposure (inactive)
- Transfer or Insure - obtain a policy to cover for loss (reactive)
- Terminate or Avoid - stop all activity related to undesirable risk (non-active)

Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, having regard to legal, regulatory, and other requirements, social responsibility and the protection of the natural environment. A number of treatment options can be considered and applied either individually or in combination. ARMD justifies and provides objective assurance on the appropriateness of the decisions for risk treatments.

ARMD Roles and Responsibility in Risk Management

ARMD’s core role with regard to Risk Management (RM) is to provide objective assurance to the Country Director on the effectiveness of the organization's RM activities, to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively.

The main factors to take into account when determining ARMD's role are whether the activity raises any threats to the internal auditors' independence and objectivity, and whether it is likely to improve the organization's risk management, control, and governance processes.
  • 9.
Core roles in regard to Risk Management:
- Giving assurance on risk management processes.
- Giving assurance that risks are correctly evaluated.
- Evaluating risk management processes.
- Evaluating the reporting of key risks.
- Reviewing the management of key risks.

Legitimate roles with safeguards:
- Facilitating identification and evaluation of risks.
- Coaching management in responding to risks.
- Coordinating RM activities.
- Consolidating the reporting on risks.
- Maintaining and developing the RM framework.
- Championing establishment of RM.
- Developing risk management strategy for management approval.

Roles internal auditing should NOT undertake:
- Setting the risk appetite.
- Imposing risk management processes.
- Management assurance on risks.
- Taking decisions on risk responses.
- Implementing risk responses on management's behalf.
- Accountability for risk management.

ARMD emphasizes that Bangladesh Country Office should fully understand that management remains responsible for risk management. Internal auditors should provide advice, and challenge or support management's decisions on risk, as opposed to making risk management decisions.

C. ADVISORY SERVICES

ARMD maintains a dynamic, team-oriented environment which encourages personal and professional growth, and provides consulting and advisory services for management, programs and program support units. ARMD contributes advisory services in the following areas:
- Risk and control assessment (including control self-assessment);
- Performance management and related systems;
- Financial and business analysis to assist in problem solving; and,
- Monitoring and evaluation systems of program implementations.
  • 10.
ARMD provides routine consultation and advisory services to BdCO management. This may include, but is not limited to, interpreting policies and procedures, participation on standing committees, limited-life projects, ad-hoc meetings, and routine information exchange.

The objectives of the advisory function include, but are not limited to, the following:
- Support the PSMS units to discharge their regular duties efficiently and effectively;
- Support the finance & assets directorate’s objective of ensuring the provision of sound financial systems;
- Perform systems and business process ‘As-Is’ reviews;
- Recommend Minimum Operating Standards (MOS) for the Country Office operations and services.

As part of its consulting role, ARMD may be asked to provide input into the development of new policies, procedures, systems or processes. ARMD may provide such input provided it does not impair audit independence. Ultimately, management is responsible for making the final decisions on changes to policies, procedures, systems, or processes.

Ethics Advocate

All people associated with the organization share some responsibility for the state of its ethical culture. Because of the complexity and dispersion of decision-making processes, each individual should be encouraged to be an ethics advocate, although the role is merely conveyed informally. Codes of conduct and statements of vision and policy are important declarations of the organization's values and goals, the behavior expected of its people, and the strategies for maintaining a culture that aligns with its legal, ethical, and societal responsibilities.

ARMD takes an active role in support of the organization's ethical culture. ARMD staff members possess a high level of trust and integrity within the organization and the skills to be effective advocates of ethical conduct. They have the competence and capacity to appeal to the organization's leaders, managers, and other employees to comply with the legal, ethical, and societal responsibilities of the organization.

Assessment of the Organization's Ethical Climate

ARMD evaluates the effectiveness of the following features of an enhanced, highly effective ethical culture:
- Frequent communications and demonstrations of expected ethical attitudes and behavior by the influential leaders of the organization
- Several easily accessible ways (like the ombudsmen committee) for people to confidentially report alleged violations of the Code, policies, and other acts of misconduct
- Practice of regular declarations by employees, suppliers, and customers that they are aware of the requirements for ethical behavior in transacting the organization's affairs
- Easy access to learning opportunities to enable all employees to be ethics advocates
- Positive personnel practices that encourage every employee to contribute to the ethical climate of the organization
- Regular surveys of employees, suppliers, and customers to determine the state of the ethical climate in the organization
  • 11.
ACCESS AND AUTHORITY

ARMD staff members are authorized (in accordance with local laws and regulations) to have full, free and unrestricted access to all functions, premises, assets, personnel, records, and information which are necessary to execute their responsibilities effectively.

ARMD representatives must have the opportunity to attend relevant committee meetings (e.g. Ombudsmen Committee meetings, Senior Management Team meetings) to raise any matters (either orally or in writing) that are reasonable and necessary.

All employees and directorates of the BdCO, or partners / agents contracted to provide services on its behalf, are required to give complete co-operation to ARMD staff for the expedient fulfillment of the audit and verification process.

ARMD representatives have the authority to request that the CD invite GARS to perform a specific in-depth audit.

The ARMD Director and staff are not authorized to:
- Perform operational duties for the CO or its affiliates.
- Initiate or approve accounting transactions external to the internal auditing department.
- Approve changes to accounting processes or systems.
- Direct the activities of any employee not employed in ARMD, except to the extent such employees have been appropriately assigned to ARMD teams or to otherwise assist the internal auditors.

CONFIDENTIALITY

All documentation, systems (e.g. complaints register, reports and files), management, and information accessed by the ARMD in the course of undertaking any internal audit or review activities are to be used solely for the conduct of these activities. The Head of ARMD and other individual staff are responsible and accountable for maintaining the confidentiality of information they receive during the course of their work.

INDEPENDENCE

To avoid potential conflicts of interest, ARMD staff must be independent of the business activities of program and support units and report functionally to the Country Director through their next higher level ARMD supervisor.

ARMD staff members are independent when they can carry out their work freely and objectively. Independence permits ARMD staff to render the impartial and unbiased judgments essential to the proper conduct of engagements. It is achieved through organizational status and objectivity.
  • 12.
Organizational Independence

Internal auditors should have the support of senior management and of the CD so that they can gain the cooperation of engagement clients and perform their work free from interference. The Head of ARMD has a direct communication protocol with the SMT and Country Director. Regular communication with management helps assure independence and provides a means for the CD and the Head of ARMD to keep each other informed on matters of mutual interest.

Disclosing Reasons for Information Requests

At times, an ARMD staff member may be asked by the engagement client or other parties to explain why a document that has been requested is relevant to an engagement. Disclosure or nondisclosure during the engagement of the reasons why documents are needed should be determined based on the judgment of the Head of ARMD in light of the specific circumstances.

INDIVIDUAL OBJECTIVITY

ARMD members essentially have an impartial, unbiased attitude and are unfettered by conflicts of interest. Objectivity requires ARMD members to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. ARMD members are not to be placed in situations in which they feel unable to make objective professional judgments.

It is unethical for an ARMD member to accept a fee or gift from an employee, client, customer, supplier, or associate. Accepting a fee or gift may create an appearance that the person's objectivity has been impaired.

ARMD members report to the Head of ARMD any situations in which a conflict of interest or bias is present or may reasonably be inferred. A scope limitation, along with its potential effect, should be communicated, preferably in writing, to the Country Director.

ARMD members do not assume operating responsibilities. If senior management directs ARMD members to perform non-ARMD work, it should be understood that they are not functioning as internal auditors. Moreover, objectivity is presumed to be impaired when internal auditors perform an assurance review of any activity for which they had authority or responsibility within the past year.

INVESTIGATE AND CHALLENGE

When ARMD perceives a compliance risk, or when a management decision may give or has given rise to a significant financial or reputational risk for the organization, it must investigate and challenge any actions or concerns without influence from the operation. If the matter is not promptly resolved, the ARMD and relevant management must follow the escalation process.
  • 13.
REPORTING

ARMD must report at least annually to the Country Director and relevant committees on the effectiveness of implementation and embedding of the TOR, framework and policies against donor / Home Office guidelines, in addition to other relevant compliance and risk management topics that may be required by SC USA BdCO. The Head of ARMD must ensure reports are accurate, current, and on time. In addition, the ARMD must also report incidents and issues to the Country Director and the next higher level ARMD staff, as necessary or required.

The ARMD, upon completion of an audit, will discuss the audit findings with the member of management responsible for the area audited or reviewed. A written report of the review findings / observations and the manager's response will be sent to the Country Director (CD) within three weeks of the review completion. Follow-up procedures will vary depending on the severity of the audit findings, but will be within six months at the latest.

PLANNING

ARMD establishes risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals. The internal audit plan should be designed based on an assessment of risk and exposures that may affect the organization. The degree or materiality of exposure can be viewed as risk mitigated by establishing control activities.

PROFESSIONAL STANDARD

ARMD adheres to the Standards for the Professional Practice of Internal Auditing and the Code of Ethics adopted by the Institute of Internal Auditors (IIA). Relevant rules and regulations issued by the Bangladesh Government are also considered standards to comply with.

ARMD, as a department, will:
- comply with relevant auditing standards, for example, ‘International Standard for Professional Practice of Internal Auditing’;
- comply and promote compliance throughout the organization with all BdCO rules and policies;
- be expected at all times to adopt a professional, reliable, independent and innovative approach.

RELATIONSHIP AND LIAISON

Internal relations: The main contact is with other employees of Save the Children – USA, Bangladesh Country Office. ARMD staff ensure that they explain to the person/s concerned the purpose of the audit or review and the various stages that the audit or review process will follow.
  • 14.
External relations:
- External Auditors (from local institutes, donors, SC Home Office or Regional Offices)
- Staff of partner NGOs and other organizations
- Vendors, consultants or other relevant third parties
- Members of the public

CAPACITY DEVELOPMENT

The Head of ARMD is responsible for continuing educational development to enhance the professional and personal growth of the team members as well as other staff members of the country office. He ensures that all ARMD staff have received appropriate training to perform their jobs efficiently and effectively. A yearly training program shall be developed and approved by the Country Director.

ARMD promotes:
- Strengthening and professionalization of the internal audit function through the establishment of, and adherence to, stringent professional standards and the application of internationally recognized internal auditing practices;
- The recruitment of skilled and qualified professionals.

STAFFING AND SUPERVISION

Direct supervisor

The Head of Assurance and Risk Management Department is the direct supervisor of the staff members of ARMD under administrative and functional supervision.

Content and methodology of supervision

The ARMD works directly under the CD’s Section. This department includes director, manager and senior officer designations. The Job Descriptions and Key Performance Indicators (KPI) are developed in collaboration with the CD, director and senior staff of ARMD and serve as a benchmark for the yearly performance appraisal.

REVIEW OF THE TERMS

The Terms of Reference shall be reviewed and updated annually.

__________END__________