Item 135 of the provisional agenda*
Review of the efficiency of the administrative and financial functioning of the United Nations
Activities of the Independent Audit Advisory Committee for the period from 1 August 2016 to 31 July 2017
Report of the Independent Audit Advisory Committee
The present report covers the period from 1 August 2016 to 31 July 2017. During the period, the Independent Audit Advisory Committee held four sessions, which were presided over by Maria Gracia Pulido Tan (Philippines) as Chair and
Section II of the report contains an overview of the activities of the Committee, the status of its recommendations, and its plans for 2018. Section III sets out the detailed comments of the Committee.
- The General Assembly, by its resolution 60/248, established the Independent Audit Advisory Committee as a subsidiary body to serve in an expert advisory capacity and to assist it in fulfilling its oversight responsibilities. By its resolution 61/275, the Assembly approved the terms of reference for the Committee, as well as the criteria for its membership, as contained in the annex to that resolution. In accordance with its terms of reference, the Committee is authorized to hold up to four sessions per year. To date, the Committee has held 39 sessions since its inception in January 2008.
- In accordance with its terms of reference, the Committee submits an annual report containing a summary of its activities and related advice to the General Assembly. The present tenth annual report covers the period from 1 August 2016 to 31 July 2017.
- The Committee is also required to advise the General Assembly, inter alia, on the compliance of management with audit and oversight bodies’ recommendations; the overall effectiveness of the risk management procedures and deficiencies in the internal control systems; the operational implications of the financial statements and the reports of the Board of Auditors; and the appropriateness of the accounting and disclosure practices in the Organization. The Committee also advises the Assembly on the steps necessary to facilitate cooperation among the oversight bodies.
- The present report addresses the issues identified during the reporting period as they pertain to the above-mentioned responsibilities of the Committee.
- Activities of the Independent Audit Advisory Committee
- Overview of the sessions of the Committee
- During the reporting period, the Committee held four sessions: from 28 to
30 November 2016 (thirty-sixth session), from 15 to 17 February 2017 (thirty-seventh session), from 19 to 21 April 2017 (thirty-eighth session) and from 24 to
26 July 2017 (thirty-ninth session). Three of the sessions were held at United Nations Headquarters. The thirty-eighth session was held at the United Nations Office at Vienna.
- The Committee functions under its adopted rules of procedure, as contained in the annex to its first annual report (A/63/328). To date, all members of the Committee have a 100 per cent attendance rate at its sessions. All the decisions of the Committee have been unanimous; however, its rules of procedure make provision for members to record their dissent with respect to decisions taken by the majority.
- During the thirty-sixth session, in November 2016, the members elected Maria Gracia Pulido Tan (Philippines) as Chair and J. Christopher Mihm, Jr. (United States of America) as Vice-Chair for 201 Additional information about the Committee can be found on its website (www.un.org/ga/iaac) in all the official languages of the United Nations.
- During the reporting period, the Committee issued three reports. They include the Committee’s annual report to the Assembly for the period from 1 August 2015 to 31 July 2016 (A/71/295); and reports to the Assembly, through the Advisory Committee on Administrative and Budgetary Questions, on the proposed budget of the Office of Internal Oversight Services (OIOS) under the support account for peacekeeping operations for the period from 1 July 2017 to 30 June 2018 (A/71/800) and on the proposed programme budget for internal oversight for the biennium 2018-2019 (A/72/85).
- Status of the recommendations of the Committee
- The Committee meets four times per year, typically for three days at each session. During the reporting period, several issues, particularly in relation to enterprise risk management and the operations of OIOS, were addressed. The Committee followed up on the implementation of its recommendations as a standard agenda item at each session. Some of the significant recommendations made by the Committee during the reporting period relate to:
- The need to continue to reduce the number of past due critical recommendations issued by OIOS;
- The need for OIOS to reach out to stakeholders to ensure that there is a clear understanding as to how audit reports and recommendations are developed;
- The need for senior managers to ensure that enterprise risk management becomes the standard way of doing business and that it is effectively implemented and sustained throughout the Organization;
- The need for the Organization to fully assess and manage the risks associated with extrabudgetary funding;
- The need for OIOS to finalize the guidelines and protocols when advising management and when making statements about situations that may be subject to audit or investigation;
- The need for a central intake system for investigations, which would help with the completeness and accuracy of reporting all allegations of wrongdoing, including fraud and presumptive fraud;
- The need for OIOS to pull together the work of its three divisions in identifying the specific set of management controls that need to be in place from the outset of a peacekeeping mission, which would better allow the Organization to stop sexual exploitation and abuse before it occurs;
- The need for a comprehensive review of OIOS, which would help, inter alia, to ensure that the widespread and significant concerns about the operations, internal working relationships and effectiveness of the Investigations Division would be resolved;
- The need for OIOS to ensure that the workplans of the respective divisions are guided by the Organization’s enterprise risk management strategy;
- The need for the Organization to develop the capacity to manage Umoja and use its outputs to make decisions;
- The need for management to continue to educate and provide guidance to managers and all affected staff on the importance of strong internal controls;
- The need for a coordinated strategy to bring together the collective work of the oversight bodies in one place so that decision makers have a complete picture of the contributions of the United Nations system towards the implementation of the 2030 Agenda for Sustainable Development.
- Overview of the plans of the Committee for 2018
- The Committee undertook its responsibilities, as set out in its terms of reference, in accordance with the scheduling of the sessions of the Advisory Committee on Administrative and Budgetary Questions and the General Assembly. The Committee will continue to schedule its sessions and activities to ensure coordinated interaction with intergovernmental bodies and the timely availability of its reports. In a preliminary review of its workplan, the Committee identified several key areas that will be the main focus for each of its four sessions for fiscal year 2018 (see the table below).
Workplan of the Committee from 1 August 2017 to 31 July 2018
Key focus area
Intergovernmental consideration of the report of the Committee
Review of the 2018 workplan of OIOS in the light of the workplans of other oversight bodies
Proposed budget of OIOS under the support account for peacekeeping operations for the period from 1 July 2018 to 30 June 2019
Operational implications of issues and trends in the financial statements and reports of the Board of Auditors
Coordination and cooperation among oversight bodies, including hosting a coordination meeting of oversight committees
Election of the Chair and Vice-Chair for 2018
Advisory Committee on Administrative and Budgetary Questions, first quarter 2018
General Assembly, second part of the resumed seventy-second session
Status of implementation of oversight bodies’ recommendations
Report of the Committee on the OIOS support account budget
Review of the enterprise risk management and internal control framework in the Organization
General Assembly, second part of the resumed seventy-second session
Operational implications of issues and trends in the financial statements and reports of the Board of Auditors
Coordination and cooperation among oversight bodies
Transformational projects and other emerging issues
General Assembly, second part of the resumed seventy-second session
Preparation of the annual report of the Committee
Review of the enterprise risk management and internal control framework in the Organization
Status of implementation of oversight bodies’ recommendations
Coordination and cooperation among oversight bodies
General Assembly, main part of the seventy-third session
- In planning its work, the Committee is mindful of the following relevant events that could have an impact on its work activities:
- The various reform/transformational initiatives on which the Organization has embarked, such as mobility, the global service delivery model and Umoja;
- The end of the terms of office of two of the five members of the Committee, whose three-year terms expire in December 2017.
- Detailed comments of the Committee
- Status of the recommendations of United Nations oversight bodies
- Under paragraph 2 (b) of its terms of reference, the Committee is mandated to advise the General Assembly on measures to ensure the compliance of management with audit and other oversight recommendations. During the reporting period, the Committee reviewed the status of the implementation by management of the recommendations of United Nations oversight bodies, as a standard practice.
Board of Auditors
- With respect to the financial report and audited financial statements for the year ended 31 December 2016 (A/72/5 (Vol. I)) (non-peacekeeping financial statements), the Board of Auditors reported that the percentage of implementation of its extant recommendations had increased from 9 per cent in 2015 to 18 per cent in 2016 and that preliminary steps had been taken towards the implementation of nearly 67 per cent of the outstanding recommendations. The Board noted, however, that that progress was not adequate. According to the Board, as at 31 December 2016, of the 98 extant recommendations, 17 (18 per cent) had been fully implemented, 66 (67 per cent) were under implementation, 10 (10 per cent) had not been implemented and 5 (5 per cent) had been overtaken by events.
- The Board also noted a difference in the status of implementation of its recommendations as reported by the Secretariat vis-a-vis the Board’s judgement of the status of implementation. This difference pertains to the Secretariat categorizing recommendations as “in progress” while the Board considers them as “not implemented”. The Administration indicated that it was taking steps to ensure the prompt implementation of all outstanding oversight recommendations.
- With respect to the financial report and audited financial statements for the 12‑month period from 1 July 2015 to 30 June 2016 (A/71/5 (Vol. II)) (peacekeeping financial statements), the Board of Auditors reported that the rate of implementation of recommendations for the 12-month period from 1 July 2014 to 30 June 2015 stood at 49 per cent, a slight decrease from the 52 per cent reported for the previous year.
- The Board reviewed the status of old recommendations for all United Nations entities under its purview and noted that the overall rate of implementation of the old recommendations had increased to 45 per cent in 2016 compared with 43 per cent in 2015. However, in paragraph 103 of its concise summary report (A/72/176), the Board expressed its concern about the number of recommendations pending for more than two years. Overall, the Board reported that 53 recommendations were pending for more than two years, which was 9 per cent of the total recommendations outstanding as at the year ended 31 December 2015. According to the Board, the administrations of all the United Nations entities concerned need to work more seriously towards implementing the old recommendations.
- The Committee urges the Administration to continue making efforts to ensure timely implementation of the Board’s recommendations.
Office of Internal Oversight Services
- All recommendations categorized as “critical” by OIOS are brought to the attention of the Management Committee for follow-up action, and special focus is placed on recommendations whose implementation is past due. The Committee receives quarterly updates from OIOS and the Department of Management on the status of implementation of critical recommendations. According to management, the total number of outstanding critical recommendations decreased from 49 at the end of the second quarter of 2016 to 38 as at the end of the first quarter of 2017.
- The Committee continues to follow up with management on the implementation of past due critical recommendations. As shown in figure I, of the 38 outstanding critical recommendations referenced above, 20 were past due. The largest share of OIOS past due critical recommendations continues to be in peacekeeping missions.
Trend analysis of critical recommendations of the Office of Internal Oversight Services the implementation of which is past due
Abbreviations: DFS, Department of Field Support; DM, Department of Management; PKO, peacekeeping operations; UNHCR, Office of the United Nations High Commissioner for Refugees; UNSOS, United Nations Support Office in Somalia.
- The Committee notes the progress made in reducing the number of past due critical recommendations. The Committee also notes that there has been a downward trend with respect to the number of outstanding critical recommendations issued by OIOS.
Joint Inspection Unit
- In its annual report for 2016 and programme of work for 2017 (A/71/34), the Joint Inspection Unit noted an improvement in the rates of acceptance and implementation of its system-wide recommendations by the 12 largest participating organizations, which reflected an average acceptance rate of 81 per cent and an average implementation rate of 88 per cent for the period 2008-2015.
- For the United Nations Secretariat, the average acceptance rate increased to 65 per cent for the period 2007-2014 compared with 63 per cent for the previous period. However, the implementation rate decreased to 80 per cent for the 2008-2015 period, compared with 86 per cent for the 2006-2013 period (see figure II).
Status of acceptance/implementation by the Secretariat of recommendations of the Joint Inspection Unit
- The Committee notes the importance and value that the recommendations of the Joint Inspection Unit have for the Organization and commends management for the effort it has made in improving the acceptance rate. While there has been progressive improvement in the implementation rate of the recommendations of the Joint Inspection Unit, the Committee notes that there has been a slight reduction and urges management to continue to implement the recommendations of the Unit in a timely manner.
- Risk management and internal control framework
- Paragraphs 2 (f) and (g) of the terms of reference of the Committee mandate the Committee to advise the General Assembly on the quality and overall effectiveness of risk management procedures and on deficiencies in the internal control framework of the United Nations.
Enterprise risk management
- The Committee continued to commend the Management Committee, which serves as the enterprise risk management committee, for its commitment in making enterprise risk management an integral and important management tool of the Organization and emphasized that top management was needed to continue to actively lead enterprise risk management efforts to ensure that identifying and managing risks became standard ways of doing business across the Organization. Moreover, in paragraph 37 of document A/71/295, the Committee noted that working groups together with risk treatment and response plans had been approved by the Management Committee to mitigate each of the six critical enterprise risks endorsed by the Secretary-General in September 2014.
- While progress had been made by the working groups in managing the six critical enterprise risks, the Board of Auditors, in paragraph 295 of document A/71/5 (Vol. I), noted that the progress was at a slower pace than the Administration had planned.
- The Committee agrees with the Board’s recommendation that the administration reassess the realism of the timelines set out in the risk action plans approved in June 2015. The timeliness of the risk treatment plans is all the more important given that enterprise risk assessments are living documents that continue to evolve. The action plans developed five years ago could now be in need of significant updating.
- Developing the capacity to effectively implement and sustain enterprise risk management has also been a long-standing issue of the Committee. To support the implementation of enterprise risk management, management informed the Committee that a guide for managers had been developed. The guide included tools and templates delineating how departments and offices could implement an effective enterprise risk management framework based on common policy and methodology. Additionally, the Committee was informed that enterprise risk management continued to be supported by a comprehensive communications programme, including an e-learning course available to all staff in Inspira (the personnel management system).
- In discussions with the Board, the Committee was informed that the Board was concerned that while progress was being made, there remained no firm plan or commitment to embed enterprise risk management at all levels of the Organization. Therefore, the Board noted that there was a growing risk that without concentrated action, the implementation of enterprise risk management across the United Nations could stall or fail.
- The Committee agrees with the recommendations of the Board that the Administration develop a detailed implementation plan for all elements of enterprise risk management that sets out a clear timetable, milestones, deliverables, resource requirements and accountability. Furthermore, the Committee reiterates its previous recommendations that top management actively lead enterprise risk management efforts and ensure that departments and offices have the capacity they need to effectively implement and sustain enterprise risk management. The Committee will continue to follow up on this as a major priority.
- During subsequent discussions with Management, the Committee was informed that resource constraints continued to be a challenge to the effective implementation of enterprise risk management given that there was only one dedicated post to coordinate enterprise risk management in the Secretariat. The Committee in its previous reports had supported an adequately resourced enterprise risk management function and continues to recommend that enterprise risk management be adequately resourced.
- In paragraphs 31 to 36 of document A/67/259, the Committee reported on various departments (risk champions) that had systematically embedded risk in their respective programmes, such as the Department of Field Support and the Office for the Coordination of Humanitarian Affairs. The Committee indicated that OIOS and the Department of Management (with the exception of some offices) did not have a systematic risk management system in place. The Committee reported in document A/69/304 that OIOS, in coordination with the Department of Management, had embarked on a risk management process for its own internal operations. As a follow-up, the Committee was informed that in early 2017, OIOS had convened its senior management team for a workshop to discuss the strategic goals of OIOS, with a corresponding action plan and time frame. According to OIOS, many of the key actions touched upon at the workshop were reflected in the OIOS risk assessment framework, and OIOS plans to revise the risk assessment in the third quarter of 2017 to reflect the most up-to-date objectives and status of each action item. During this process, the Office will also ensure that its enterprise risk management framework is consistent with the updated enterprise risk management guide for managers issued by the Department of Management in January 2017.
- The Committee notes that five years after the first recommendation was made, OIOS has not fully embedded enterprise risk management in the Office. The Committee remains concerned at the slow process by which OIOS is implementing enterprise risk management and calls upon the Office to lead by example.
Extrabudgetary funding and management
- In paragraph 42 of document A/70/284, the Committee stated that it planned to delve more deeply into one or more of the six enterprise risks identified by the Secretariat for a detailed assessment of what was being done and what could be done to better manage the risk. During the 2015-2016 reporting period, the Committee focused on extrabudgetary funding and management and noted in paragraph 57 of document A/71/295 that it would continue to monitor that risk.
- Previously, management had informed the Committee that its risk register defined the risk of extrabudgetary funding and management as follows:
- The inability to obtain extrabudgetary funding may have an impact on the ability of certain departments to achieve their objectives;
- Reliance upon extrabudgetary funding may jeopardize or appear to impact the independence of the United Nations because projects that obtain earmarked funding may be given higher priority;
- There is an inability to identify, establish and maintain the optimal structure and controls for trust funds, resulting in a loss or misuse of assets.
- Furthermore, the Committee was informed by the Controller, who is the risk owner, that a working group, which had been established in November 2014, initially focused on internal controls.
- As a follow-up, the Committee was informed that in order to comply with paragraph 5 of General Assembly resolution 70/255, the High-level Committee on Management had created a task force on common definitions relating to fraud and implementing partners. The task force, which consisted of members from across the entire United Nations system and was co-chaired by the Director of the Accounts Division of the Office of Programme Planning, Budget and Accounts and the Director of the Division of Financial and Administrative Management of the Office of the United Nations High Commissioner for Refugees, would also develop a common understanding with a view to establishing partnership arrangements with implementing partners.
- The Committee was informed that the task force had agreed on a common definition in March 2017. For the remainder of 2017, the Committee was informed that the task force, in coordination with the Finance and Budget Network, would also explore common internal control parameters and criteria for arrangements with implementing partners and recipients of grants, and best practice principles. The next stage in the process would be to develop sharing platforms for tracking and managing implementing partners (based on existing tools used by organizations).
- The Committee notes the progress made in managing the extrabudgetary risk of the Organization, especially as it relates to the inability to identify, establish and maintain the optimal structure and controls for trust funds, resulting in a loss or misuse of assets. The Committee reiterates its previous recommendation that given the reality of the need to rely on extrabudgetary funding, the Organization needs to fully assess and manage all three aspects of the risks associated with extrabudgetary funding. Part of that assessment should include new organizational arrangements and capacity within the Secretariat that may be needed and a clear delineation of the risk owners and their respective responsibilities.
Information and communication technology strategy, infrastructure and security
- According to the current Secretariat risk register, information and communication technology (ICT) strategy, infrastructure and security are considered a “very high risk”. The risk is defined as: “the ICT strategies … are not aligned with the overall strategy and operating objectives of the Organization, nor appropriately coordinated. Failure of information systems to adequately protect the critical data and infrastructure from theft, corruption, unauthorized usage, viruses, or sabotage”.
- In November 2016, the Committee hosted a meeting of the Chairs and Vice-Chairs of the United Nations system oversight committees. At that meeting, the representatives identified, inter alia, the risks associated with cybersecurity in a digitalized environment as an area of focus and agreed to challenge management on its understanding and readiness. Big data analysis, intelligent learning systems, data visualization techniques and increased data analytical capability were highlighted as critical areas. They also agreed that oversight committees had an important role to play in encouraging and assisting management in taking a forward look at how technological advances and other changes in the business or wider environment might impact an organization’s risk exposure and in identifying potential strategies for dealing with them.
- To gain a better idea of how the Organization was managing such risk, the Committee held discussions with the Chief Information Technology Officer. The Committee was informed that cybersecurity was not being given due attention. According to the Chief Information Technology Officer, most organizations spend about 8 per cent of their resources on cybersecurity, while the United Nations spends less than 1 per cent. The Committee inquired as to how the Office of Information and Communications Technology was actually mitigating the risk. In response, the Chief Information Technology Officer informed the Committee of the 10-point action plan to strengthen information security. The Officer noted a number of achievements under the plan to date, including:
- The development and deployment of a computer-based information security awareness course;
- The promulgation of policies and guidelines to ensure protection of the Organization’s ICT data and resources;
- The upgrade of firewalls and email filter systems;
- The expansion of intrusion detection monitoring.
- The Committee recognizes the potential scale and impact of the threat to cybersecurity and digitalization. The Committee plans to delve more deeply into this risk over the coming year.
- Effectiveness, efficiency and impact of the audit activities and other functions of the Office of Internal Oversight Services
- Under its terms of reference, the Committee has the responsibility to advise the General Assembly on aspects of internal oversight (resolution 61/275, annex, paras. 2 (c)-(e)). In undertaking to fulfil its mandate, the Committee has maintained its standard practice of meeting with the Under-Secretary-General for Internal Oversight Services and other senior OIOS officials during its sessions. The discussions have been focused on OIOS workplan and budget execution, with significant findings reported by OIOS, operational constraints (if any), post incumbency, the status of implementation by management of OIOS recommendations, including critical recommendations, strengthening investigations and funding arrangements.
- During the current period, the Committee focused its assessment on two broad areas: (a) strategic planning, OIOS effectiveness and performance measurement; and (b) strengthening the investigation function.
Strategic planning, OIOS effectiveness and performance measurement
Guidelines and protocols
- The Committee recalls paragraphs 57 of its report A/70/284, in which it reviewed the operational independence of OIOS, and recommended, inter alia, that OIOS develop guidelines and protocols when advising management and making statements about situations that might be subject to audit or investigation.
- In its discussions with OIOS, the Committee was informed that the guidelines had been finalized and circulated to all OIOS staff. While welcoming this development, the Committee recommends that OIOS not stop there, but rather ensure that these guidelines are operationalized and that there is an appropriate balance between advising management and the need to maintain operational independence.
OIOS audit report ratings
- In July 2011, OIOS introduced a new audit reporting format in which ratings were assigned regarding the adequacy and effectiveness of the governance, risk management and internal control system. According to OIOS, in its annual report A/67/297 (Part I), those ratings (satisfactory, partially satisfactory and unsatisfactory) were supposed to communicate clearly the level of assurance being provided on the basis of the audit work concluded, including the significance of any deficiencies identified.
- In paragraph 30 of document A/71/295, the Committee recommended that OIOS continue to take further initiatives to reach out to stakeholders to ensure that there was a clear understanding as to how reports were rated and recommendations developed. In August 2016, the Committee was surprised to learn that OIOS had decided that it would no longer rate its audit reports and would l instead have an overall conclusion that reflected the essence of the audit reports concerned. The Committee was further informed that the decision to discontinue the rating system had been arrived at following informal consultations with some offices in the Organization.
- As noted in paragraph 73 of document A/69/304, the ranking of audit reports was a common practice. Furthermore, the Joint Inspection Unit, in its report on the state of the internal audit function in the United Nations system (JIU/REP/2016/8), noted that a number of United Nations system entities were providing some form of standardized rating on overall audit results. It also noted that having a standard rating on the overall audit reports provided a good assessment as to the degree to which the entity audited was effectively meeting its objectives in relation to the stated audit criteria and the frequency with which it should be audited. Although the Joint Inspection Unit noted some challenges, it recommended in paragraph 256 that because more United Nations system organizations were publishing their reports online, there should be a harmonized approach to ratings across the United Nations system.
- The Committee believes that this decision was premature and recommends that OIOS review its decision and, as a first step, seek to improve the transparency and objectivity of the ratings of reports rather than do away with them.
Effectiveness of OIOS and performance measurement
- According to standard 1300 of the Institute of Internal Auditors, a chief audit executive must maintain a quality assurance and improvement programme that covers every aspect of the internal audit activity. In line with the standards of the Institute, quality assurance and improvement programmes comprise two parts: an internal self-assessment for ongoing monitoring and performance improvement; and a formal external quality review conducted by an independent examiner.
- The Committee, in paragraphs 47 and 48 of document A/69/304, stated its belief that well-designed surveys, aimed at the stakeholders and conducted frequently, could be useful tools to measure performance and improve effectiveness. The Committee recommended that OIOS establish specific goals with associated performance measures and conduct surveys for its divisions and for OIOS as a whole. Building on that, the Committee believes that there are opportunities for improvement, especially with respect to client satisfaction surveys and programme impact pathways.
External quality assessment review
- Consistent with the standards of the Institute of Internal Auditors, the Committee was informed that a quality assessment review had been completed in May 2017 by an external firm, Baker Tilly Virchow Krause LLP. The overall opinion of Baker Tilly was that the Internal Audit Division of OIOS “generally conformed” to the standards and code of ethics of the Institute of Internal Auditors. “Generally conforms” means that an internal audit activity has a charter, policies and processes that are judged to be in conformance with the standards. The Committee notes that since 2006, the Internal Audit Division has had three such assessments (one every five years) and that this is the first time that OIOS has been rated as “generally conforms” (previously, OIOS was rated as “partially conforms”), meaning that deficiencies in practice that are judged to deviate from the standards have been noted.
- The Committee believes that the opinion of the external reviewer is a noteworthy and important achievement for the Internal Audit Division. Nonetheless, the Committee continues to believe that OIOS needs to make substantial progress in setting outcome-oriented goals and managing its performance on the basis of those goals.
- Regarding the Inspection and Evaluation Division, the Committee notes that the most recent review was in 2012. OIOS reported that funding for an independent review of evaluation had not been approved and as such, plans for a peer review remained on hold, and the Division would explore other alternatives.
- Lastly, with respect to the Investigations Division, the Committee notes that the most recent review was conducted in 2012 and resulted in recommendations on, inter alia, fraud prevention, the intake process, the handling of sexual exploitation and abuse and staff vacancies. All of those issues continue to hamper the effectiveness of the Division. The Committee notes that in the past, the reason given for why there was no peer review planned was that OIOS wanted to stabilize the Division first. As mentioned previously, this appears to still be the case.
- The Committee believes that external quality reviews are a vital component of an effective oversight service and recommends that OIOS continue to communicate the results of such assessments with all stakeholders in accordance with the standards of the Institute of Internal Auditors. In addition, the Committee recommends that OIOS expedite the external quality review process for the Inspection and Evaluation Division and the Investigations Division.
Client satisfaction surveys
- With respect to client satisfaction surveys, the Committee followed up on its recommendation that OIOS ensure that all the divisions of the Office, and OIOS as a whole, conduct surveys. The Committee believed that for divisions, not only should surveys be conducted annually, but where practical, especially for the Internal Audit Division and the Inspection and Evaluation Division, after each engagement. Since then, the Committee was informed that the Internal Audit Division conducted an annual survey of departments and offices to receive feedback on the assignment process. The Inspection and Evaluation Division surveyed its clients, and the Committee for Programme and Coordination, on their reports on an annual basis. In addition, OIOS noted that it regularly received feedback through meetings or letters from departments and offices and other counterparts in the Organization.
- The Committee notes that no surveys have been conducted for the Investigations Division or OIOS as a whole. For OIOS to improve its overall performance, the Committee recommends that the Office ensure that all divisions, and OIOS as a whole, conduct surveys.
Programme impact pathways
- As noted in paragraph 45 of document A/69/304, OIOS provided the key indicators (quantitative and qualitative) for each activity, output and outcome and intended to make the programme impact pathways a management tool that would integrate the work of the rest of the divisions and assist in breaking down the silos that currently existed in the Office.
- Subsequently, the Committee was informed that OIOS continued to monitor quarterly progress on divisional programme impact pathways and that progress was included in the OIOS quarterly activities report. The Committee noted that the Inspection and Evaluation Division had made good progress in developing outcome-oriented performance measures. In addition, the Committee was informed that OIOS was assessed annually through its compact with the Secretary-General, which included performance measures that were set at an Organizational level by the Secretary-General in the areas of management reform, financial resource management, human resource management, timely issuance of official documentation, organizational digitalization, compliance with ethical standards and rules and regulations and contribution to the broader interests of the United Nations.
- The Committee recommends that OIOS establish specific outcome-oriented goals and indicators that demonstrate the outcome of OIOS efforts. These performance metrics should include leveraging data visualizations to analyse trends over time, depict progress against targets, identify where actions are required and to determine the details on actions to be taken.
Performance auditing and the 2030 Agenda for Sustainable Development
- In paragraphs 76 to 78 of document A /71/295, the Committee looked at the progress being made by OIOS in embodying the integrated, universal and indivisible nature of the 2030 Agenda for Sustainable Development through its owns operations. At that time, OIOS informed the Committee that the Inspection and Evaluation Division had started to include reviews of the Sustainable Development Goals in its evaluations and that it had designated support for the Goals as one of the high-risk focus areas of the Organization.
- The Board, in its current audit reports, noted, inter alia, that not all entities under review had formulated a long-term strategy on their role in the implementation of the Sustainable Development Goals. The Board also noted that for the Secretariat, there was a need to further align the strategy with the requirement to systematically address the work relating to the Goals, in order to achieve the coherence desired by the General Assembly. As a follow-up, OIOS shared its thoughts and initial efforts to assess the preparedness of the Organization to deliver on its commitment as part of the 2030 Agenda for Sustainable Development.
- The Committee endorses the efforts of OIOS and looks forward to updates on its progress in the coming years.
Strengthening the investigation function
Central intake mechanism for investigations
- The need for an efficient and effective intake system for the Secretariat has been a long-standing concern of not just this Committee but of the General Assembly, the Advisory Committee on Administrative and Budgetary Questions, the Board of Auditors, the Joint Inspection Unit and the Management Committee. In reviewing the progress made during the reporting period, the Committee recalls its previous statements made in paragraphs 63 to 69 of document A/71/295. Specifically, in paragraph 69, the Committee strongly regretted that this critical recommendation remained unimplemented. Moreover, in paragraph 15 of its recent report on the accountability system (A/71/820), the Advisory Committee stated that it looked forward to the prompt implementation of the agreed recommendations regarding the establishment of a central intake mechanism for investigations. The recommendation of the Advisory Committee was subsequently endorsed by the General Assembly in its resolution 71/283.
- Throughout the reporting period, the Committee followed up on the status of the central intake system and was informed that OIOS had agreed to handle the central intake matters for fraud and presumptive fraud within the context of the Anti-Fraud and Anti-Corruption Framework of the United Nations Secretariat. OIOS further informed the Committee that implementing a central intake mechanism for fraud and presumptive fraud was not expected to present a level of demand that would require additional resourcing because the reporting would be done through the OIOS Investigations Division hotline and initiation and action would be part of the Division’s existing intake procedures.
- In response to the Committee’s question on why OIOS was limiting itself to being the single repository for fraud and presumptive fraud, OIOS informed the Committee that central intake issues relating to other forms of misconduct would require an agreed approach within the Organization and feasible ways of obtaining the additional resources needed for managing the systems and additional tasks associated with the mechanism. Subsequently, at its thirty-eighth session, held in April 2017, the Committee was informed that as part of the enhanced sexual exploitation and abuse reporting mechanisms, OIOS was likely to become the central repository for system-wide sexual exploitation and abuse reports and its hotline was likely to be connected to all United Nations system websites as part of the enhanced sexual exploitation and abuse reporting mechanisms.
- The Committee followed up with OIOS one more time and was informed that the central intake mechanism was not a priority, given other pressing demands. The Committee notes, however, that in General Assembly resolution 59/287, in which the Assembly endorsed the OIOS categorization of the different types of investigations (category I and category II), the Assembly envisaged that there would be reporting of all investigation cases.
- The Committee does not agree with the OIOS assessment that the central intake mechanism is not a priority and finds the arguments used for delaying its full implementation unconvincing. The Committee regrets that successive recommendations of the Advisory Committee on Administrative and Budgetary Questions, the Independent Audit Advisory Committee, the Joint Inspection Unit and the Board of Auditors, decisions of the Management Committee and two General Assembly resolutions have not been enough to spur OIOS to develop a much-needed central intake mechanism. The Committee reiterates its previous recommendation that OIOS implement a central intake mechanism as expeditiously as possible without further excuses. The Committee will continue to follow up on this critical recommendation in subsequent sessions.
Vacant posts in the Investigations Division
- The Committee is aware that concerns have been expressed across the Organization about the difficulties and length of time of the recruitment and hiring process. Notwithstanding the system-wide concerns, the Committee has long and consistently expressed its concerns about the high number of vacancies in OIOS and notes that since 2008, the General Assembly has requested that the Secretary-General make every effort to fill those vacancies as a matter of priority, most recently in its resolution 71/7.
- The Committee notes that as at 31 May 2017, the overall vacancy rate in the Investigations Division stood at 21.2 per cent. To put it in context, the average vacancy rate for the support account for peacekeeping operations for the period from 1 July 2015 to 30 June 2016 stood at 9.8 per cent (see A/71/726). As previously noted, one could call into question the ability of OIOS to fulfil its mandate. This has been one of the reasons for which the Committee has not been able to provide assurances of the overall resources of the Investigations Division.
- The Committee has long insisted to OIOS that it pursue alternative recruitment strategies to address its vacancy issues, as highlighted in paragraph 8 of document A/70/86. Some of those recruitment strategies included building talent from the ground up by hiring entry-level investigators who could then be trained, developed and promoted to become lead investigators; considering tapping into the retired law enforcement officer pool of the various countries in which the United Nations operates; and establishing an effective, thorough retention strategy.
- During the review of the OIOS 2017/18 support account and the 2018-2019 regular budget planning cycles, the Committee was informed that a comprehensive workplan had been designed to address some of the long- standing issues of the Division. According to OIOS, these include ensuring that the Division recruits the best available staff from the widest available pool, improves diversity and at the same time retains those staff; continuing to build and maintain an operational focus on sexual exploitation and abuse investigations; increasing the focus on investigations of fraud and corruption; and continuously improving professionally and servicing the increasing demands on the Division to provide training inputs and build capacity in other parts of the United Nations.
- With respect to the first initiative, the Committee was informed that a comprehensive recruitment exercise had been completed in February and March 2017, which OIOS hoped would result in filling many of the posts in an efficient and effective manner. The Committee was also informed that the exercise included innovative recruitment processes such as online testing.
- OIOS further informed the Committee that it would take a number of actions to improve its recruitment and retention policies, including:
- Redefining the Division’s resourcing model and planning its resource requirements accordingly;
- Preparing realistic and risk-based budget submissions to better support the Division’s requests for more resources or the better distribution of those resources;
- Seeking wherever possible and appropriate, extrabudgetary funding for additional investigator posts;
- Reducing the vacancy rate to 5 per cent;
- Attaining 100 per cent compliance with the e-performance requirements while ensuring that managers properly use the e-performance system to effectively manage their staff;
- Ensuring that a suitably experienced and qualified staff member is temporarily recruited to the P-4 level and tasked to carry out an in-depth review of the Division’s staff retention, with a view to producing an action plan that can be used to effectively tackle and improve the OIOS retention rate.
- The Committee further followed up with OIOS on the efforts to fill its vacancies in the Investigations Division and was informed that several posts were in the pipeline to be filled. If OIOS fills those posts, it would be a step in the right direction.
- In the light of the above, the Committee acknowledges the efforts of OIOS and looks forward to seeing real and concrete achievements in reducing the vacancy rates. The Committee reiterates its prior recommendation that OIOS address this issue as a matter of priority and will continue to monitor it and highlight any progress in future reports.
Reduction in the length of the time to complete an investigation
- In paragraphs 29 and 30 of document A/72/85, the Committee stated that it had been informed that the average time to complete an investigation continued on a downward trajectory, from a high of 23 months in 2011 to the current level of less than 12 months. OIOS also informed the Committee that maintaining the downward trend was a major emphasis for managers and the goal was that at the first day of the year, there would be no open cases dating from the year prior to the previous one. For example, on 1 January 2017, there should be no open 2015 or 2014 cases.
- As a follow-up, the Committee was informed that reporting would now include more input from Chief Investigators and Chief Resident Investigators to account for the progress of cases under their particular portfolio. OIOS reported that the Regional Investigation Office in Entebbe, Uganda had adopted a portfolio approach to case management through a number of initiatives including improving case allocation and reassignment on the basis of recognized expertise to improve the statistics of ageing cases; streamlining investigative quality; and empowering, as well as holding accountable, mid-level management with a more hands-on approach to monitoring the progression of cases.
- Furthermore, the Committee was informed that all of the 2015 cases had been adequately handled and the majority of 2016 cases over six months were at the reporting stage. The Committee welcomes the progress thus achieved and calls upon OIOS to maintain the momentum so as to achieve the target of reducing the average length of time to complete an investigation to six months.
- Financial reporting
- During the reporting period, the Committee engaged in discussions with the Board of Auditors, the Under-Secretary-General for Management, the Controller and the Project Director of Umoja on a number of issues relating to financial reporting. The issues discussed included:
- Status of the benefits realization plans for the International Public Sector Accounting Standards (IPSAS) and Umoja;
- Implementation of Umoja;
- Internal control, especially as it pertains to fraud prevention and detection.
Implementation of the International Public Sector Accounting Standards
- With respect to the implementation of IPSAS, the Committee continued to be routinely apprised of the project status and has noted the continued issuance of unqualified audit opinions by the Board of Auditors. The IPSAS-compliant financial statements for 2015 and the 2016 financial statements for the peacekeeping operations received unqualified audit opinions.
- The Committee was also informed that the project would close by December 2017 and the required functions would be mainstreamed into the regular and peacekeeping budgets. Furthermore, the Committee was informed that the tenth and final IPSAS report would be issued by September 2017. Consequently, the Controller informed the Committee of the lessons learned from the implementation of IPSAS, including: (a) It has been one of the most successful change management efforts of the United Nations in recent years; (b) Strong project governance, management and oversight are key to success; (c) The establishment of local implementation teams and their membership on the IPSAS Steering Committee ensured harmonized organization-wide implementation; (d) A clear benefits realization plan and senior management engagement (through compacts) are essential; and (e) A longer-term permanent structure and resource commitment by Member States are necessary to support longer-term IPSAS compliance.
- The Committee commends the Secretariat for having attained the milestone of bringing the accounting standards of the Organization into line with international standards. The Committee also commends the Secretariat for articulating the lessons learned that could be a basis for successful implementation of other similar projects. However, the Committee notes that there appear to be no apparent challenges expressed among the lessons learned and recommends that such experiences and challenges also be articulated.
Implementation of Umoja
- With respect to Umoja, the Committee held several sessions on the progress made to date, including:
- In July 2016, the service delivery (cost recovery) to peacekeeping and special political missions, together with the first part of the International Civil Service Commission (ICSC) package, was rolled out. The final solution with respect to the ICSC package would occur in September 2017;
- Cluster 5 (human resource interface to national staff and individual uniformed personnel) was rolled out and the process went smoothly owing to the lessons learned from the previous roll-outs;
- In January and February 2017 respectively, ICSC phase 2 (unified salary scale) and financial statements (Volume I, United Nations Environment Programme, United Nations Human Settlements Programme, United Nations Office on Drugs and Crime, International Trade Centre and the Tribunals) were rolled out.
- With respect to roll-outs in 2018, the Committee was informed that strategic planning and performance management (previously referred to as budget formulation), supply chain management (phases 2 and 3), fundraising and donor relationship management, implementing partners, force planning and an SAP software upgrade would be rolled out.
- During the deliberations, the Committee inquired whether Umoja had a provision for an audit module. In response, management informed the Committee that there was no specific audit module, but that it could work with the auditors to address those concerns if necessary.
- Subsequently, during its discussion with OIOS, the Committee was informed that there was a governance, risk and compliance module and that OIOS was maintaining liaison with management to incorporate it within Umoja.
- As noted in previous reports, the implementation of Umoja provides great opportunities for management and other decision makers to gain insight into operations and costs across the Organization. The key, as this Committee and others have long noted, will be to deliver on the promised benefits realization. In that regard, the Committee has long urged OIOS to develop strategies on how it will use the data generated from Umoja in its audit work. This will require OIOS to develop and/or obtain additional analytic skills in the use of data mining, root cause analysis, data visualization, and systems and statistical analysis.
- In the light of the above, the Committee believes that given the wealth of valuable data that Umoja is expected to provide, and in the light of the digitalized environment under which OIOS is expected to operate, it is crucial that there be a proper audit module. The Committee therefore recommends that management work to put in place an audit module that takes into account the needs of OIOS before the finalization of the design phase of Umoja. The Committee believes that having a proper audit module would strengthen the internal controls of the Organization as a whole.
- The Committee also welcomes the progress achieved in implementing Umoja. The Committee reiterates its previous observation that as Umoja moves into the stabilization phase, the key issues now centre on ensuring that the Organization consistently develops the capacity to manage Umoja and use its outputs to make decisions. This requires the Secretariat to ensure that managers and staff have the needed knowledge and capacities, through training, knowledge-sharing and other means. Such capacity development is vital to achieving the reasonable demands of the Member States for the benefits realization of Umoja, given the cost, effort and time that was needed to implement the project. Above all, there is a need to ensure that the oversight bodies, in particular OIOS, have the skill set to perform their duties within the digitalized environment.
- Furthermore, the Committee believes that recent and ongoing work of national audit offices may be helpful to OIOS in considering how best to use the data products from Umoja to streamline and better target its audit work.
IPSAS and Umoja benefits realization
- With respect to IPSAS, the Committee was informed that work would be guided by the General Assembly’s endorsement of the recommendations of the Advisory Committee on Administrative and Budgetary Questions on the ninth progress report on the adoption of IPSAS by the United Nations (A/71/226). In paragraph 6 of its related report (A/71/542), the Advisory Committee stated that it was of the view that reporting of benefits should include concrete examples supported by quantitative measurements. The Advisory Committee also noted that the information should make a clear distinction as to improvements attributable to the Umoja-related system enhancements and those attributable to the adoption of IPSAS. As such, the Controller noted that trends in financial statements (both peacekeeping and non-peacekeeping) would be analysed to identify changes and improvements brought by IPSAS (qualitative and quantitative) and that the related results would be included in the most recent progress report.
- With respect to Umoja benefits realization, the Committee was informed of both qualitative and quantitative benefits of Umoja. This benefits case would be based on a common methodology and any updates would be included in the next Umoja progress report. The qualitative benefits included:
- More informed decisions owing to real-time visibility of global data and more analytical information;
- Greater potential for improved service delivery;
- More efficient processes through the elimination of redundant tasks and better automation.
- Regarding the quantitative benefits of Umoja, the Committee was informed that the total annual benefits by 2021 would amount to $205.5 million, comprising $85 million from the regular budget and $120.5 million from the peacekeeping budget. Furthermore, the Committee was informed that management was analysing the quantitative aspects of the benefits realization and that the Board of Auditors was in the process of validating the methodology used.
- The Committee notes these developments and will follow up on these matters in its subsequent sessions.
Internal control system and anti-fraud policy
Statement of internal control
- In paragraph 80 of document A/70/284, the Committee stated that it had been informed that the statement of internal control would be appended to the financial statements in 2018. The Committee was also informed that the Committee of Sponsoring Organizations of the Treadway Commission integrated internal control framework would serve as the conceptual framework for the statement of internal control. Since then, the Committee has received regular updates on progress made.
- As noted in its subsequent report (A/71/295), the Committee was informed that a self-assessment checklist and assurance statement would be developed and a pilot phase would be undertaken in the fall of 2016 and early 2017. As a follow-up, the Committee was informed by the Controller that an Assurance and Monitoring Unit had been established in the Accounts Division of the Office of Programme Planning, Budget and Accounts. The Unit is responsible for undertaking activities aimed at proving reasonable assurances in respect of the reliability of data flowing into financial statements and financial records. The Unit also regularly monitors transactions in Umoja, analyses potential for error, detects irregularities and ensures appropriate corrective actions by transaction owners or other stakeholders.
- Furthermore, the Controller informed the Committee that the Office of Programme Planning, Budget and Accounts was developing self-assessment checklists and assurance statements for 17 internal control principles, based on the “Committee of Sponsoring Organizations of the Treadway Commission cube”. As a result, after consultations with the Department of Management, OIOS, the Office of Legal Affairs and the Department of Field Support, select peacekeeping entities would test the assurance tools. With respect to non-peacekeeping operations, the Committee was informed that appending the statement of internal control to those financial statements was slated for 2018 and would be subject to a number of issues such as the reforms under way and the evaluation of technical options.
- The statement of internal control is an important accountability tool through which an organization provides assurance that it is appropriately managing and controlling the resources under its responsibility. Consistent with its role, the Committee plans to delve deeper into reviewing the Organization’s statement of internal control to ensure that the important elements, such as scope of responsibility, purpose of the system of internal control, capacity to handle risk, the risk and control framework and the review of the effectiveness of the same, are in place.
Fraud risk assessment
- With respect to fraud, the Committee’s comments are guided by its previous observations and recommendations and those of the Board of Auditors, the Joint Inspection Unit, the Advisory Committee on Administrative and Budgetary Questions and the General Assembly. The Committee notes paragraphs 7 and 8 of General Assembly resolution 71/283, in which the Assembly requested the Secretary-General to conduct a comprehensive fraud risk assessment by mid-2017 and to update the legal instruments for engaging third parties.
- In response, the Committee was informed that a Fraud Risk Assessment Advisory Committee had been created, co-chaired by the Office of the Under-Secretary-General for Management and the Office of Programme Planning, Budget and Accounts. According to management, the assessment will:
- Review the data on fraud events and oversight reports;
- Develop tailored fraud taxonomy with prioritization of risks based on surveys, interviews and focus groups;
- Define the corporate risk owners who will design and implement detailed risk treatment action plans to strengthen the response of the Organization;
- Approve the reports.
- Furthermore, the Controller emphasized to the Committee that principle No. 8 of the 2013 Committee of Sponsoring Organizations of the Treadway Commission integrated internal control framework requires an organization to consider the potential for fraud in assessing risks for the achievements of objectives. Therefore, the process leading to the development of the statement of internal control would encompass an annual self-assessment of the potential for fraud in each entity and related assurances and attestations.
- During discussions with OIOS, and as previously mentioned in paragraph 65 of the present report, tackling fraud and corruption was given a renewed focus by the Office. The Office’s approach to fraud was centred on strengthened collaboration among its divisions. The Committee was informed that OIOS had developed a Fraud Audit and Investigation Manual, which would serve as a guide to formalize and develop the relationship between audit and investigation.
- OIOS also emphasized that it was working with the Department of Management in developing the Anti-Fraud and Anti-Corruption Framework of the United Nations Secretariat. As a result, OIOS indicated that it had agreed to be the central intake mechanism for fraud reporting and corruption. Furthermore, OIOS noted that the Internal Audit Division and the Investigations Division would focus on three discrete themes in fraud and corruption and that each main office would be allocated one theme: medical insurance fraud, at Headquarters; education grant fraud, at Vienna; and fraud by implementing partners, in Entebbe, Uganda.
- Furthermore, OIOS informed the Committee that it was supporting the Ethics Office in the development of a new, compulsory online training programme on fraud and corruption and that it was developing awareness events highlighting fraud and corruption.
- While commending OIOS for its renewed effort in tackling fraud and corruption, the Committee believes that without an effective central intake system, the concerns raised by several oversight bodies regarding the underreporting of fraud will not be addressed.
- Coordination among United Nations oversight bodies
- During the reporting period, in addition to its regularly scheduled meetings with OIOS, the Committee met with other oversight bodies, such as the Joint Inspection Unit and the Board of Auditors, including the Audit Operations Committee. The dialogue allowed for the sharing of perspectives on matters of mutual concern and provided a useful opportunity for cooperation among United Nations oversight bodies.
- Within its mandate, the Committee sought comments from the three oversight bodies, all of which underscored the coordination mechanisms that existed among the three bodies, including the sharing of their programmes of work. In separate meetings with the Board of Auditors, the Joint Inspection Unit and OIOS, the Committee noted the positive relationship fostered through the tripartite coordination meetings of the oversight bodies and the sharing of workplans in an effort to avoid duplication. The Committee believes that such coordination provides a valuable platform for additional opportunities.
- Furthermore, in November 2016, the Committee hosted a meeting of representatives of United Nations system oversight committees. Twenty-six representatives from 19 oversight committees from organizations within the United Nations Secretariat, the United Nations funds and programmes and specialized agencies and the International Monetary Fund attended the meeting.
- The meeting was held within the context of the Joint Inspection Unit report on the audit function in the United Nations system (A/66/73), in which it was noted that audit committees worked best and could better contribute to the governance process when they maintained a flowing and objective relationship with each other. Discussions with various oversight committees indicated strong support for holding an annual meeting of all the oversight committees.
- The main objective of the meeting was to exchange information on common challenges and good practices in the execution of the work of the oversight committees and to identify any broader issues of concern that might need to be brought to the attention of governing bodies, management, the oversight community or other interested parties. The participants discussed current and emerging risks, including in relation to fraud and corruption; cybersecurity and digital transformation; and the maturity of enterprise risk management approaches across the United Nations system. The participants also discussed their committees’ mandates and relationships with the wider oversight community and how they might be improved. The meeting concluded with the participants agreeing that the ability to share information and insights was invaluable and that regular meetings of oversight committees should continue.
- Cooperation and access
- The Committee reports that it received good cooperation from OIOS and senior management in the Secretariat, including the Department of Management, in discharging its responsibilities. The Committee was given appropriate access to staff, documents and information that it needed in order to undertake its work. The Committee is pleased to report that it continued to work closely with the Joint Inspection Unit and the Board of Auditors. The Committee looks forward to continued cooperation with the entities with which it interacts in order to discharge its responsibilities, as set out in its terms of reference, in a timely manner.
116. In the context of its terms of reference, the Independent Audit Advisory Committee presents the preceding observations, comments and recommendations, as contained in paragraphs 17, 20, 23, 27, 30, 31, 33, 39, 43, 47, 51, 55, 58, 60, 63, 66, 71, 71, 74, 79, 82, 86, 92, 93, 94, 98, 102 and 109 for the consideration of the General Assembly.