Item 136 of the provisional agenda*
Review of the efficiency of the administrative and financial functioning of the United Nations
Activities of the Independent Audit Advisory Committee for the period from 1 August 2017 to 31 July 2018
Report of the Independent Audit Advisory Committee
The present report covers the period from 1 August 2017 to 31 July 2018. During the period, the Independent Audit Advisory Committee held four sessions, which were presided over by Maria Gracia Pulido Tan (Philippines) as Chair and Patricia Arriagada Villouta (Chile) as Vice-Chair. As has been the case during the history of the Committee, all members attended all of the sessions during their appointments.
Section II of the report contains an overview of the activities of the Committee, the status of its recommendations, and its plans for 2019. Section III sets out the detailed comments of the Committee.
- The General Assembly, by its resolution 60/248, established the Independent Audit Advisory Committee as a subsidiary body to serve in an expert advisory capacity and to assist it in fulfilling its oversight responsibilities. By its resolution 61/275, the Assembly approved the terms of reference for the Committee, as well as the criteria for its membership, as contained in the annex to that resolution. In accordance with its terms of reference, the Committee is authorized to hold up to 4 sessions per year. To date, the Committee has held 43 sessions since its inception in January 2008.
- In accordance with its terms of reference, the Committee submits an annual report containing a summary of its activities and related advice to the General Assembly. The present eleventh annual report covers the period from 1 August 2017 to 31 July 2018.
- The Committee is also required to advise the General Assembly on the compliance of management with audit and other oversight recommendations; the overall effectiveness of the risk management procedures and deficiencies in the internal control systems; the operational implications of the issues and trends highlighted in the financial statements and the reports of the Board of Auditors; and the appropriateness of the accounting and disclosure practices in the Organization. The Committee also advises the Assembly on the steps necessary to facilitate cooperation among the oversight bodies.
- The present report addresses the issues identified during the reporting period as they pertain to the above-mentioned responsibilities of the Committee.
- Activities of the Independent Audit Advisory Committee
- Overview of the sessions of the Committee
- During the reporting period, the Committee held four sessions: from 12 to 15 December 2017 (fortieth session), from 21 to 23 February 2018 (forty-first session), from 25 to 27 April 2018 (forty-second session) and from 18 to 20 July 2018 (forty-third session). Three of the sessions were held at United Nations Headquarters. The forty-first session was held at the United Nations Office at Nairobi.
- The Committee functions under its adopted rules of procedure, as contained in the annex to its first annual report (A/63/328). To date, all members of the Committee have a 100 per cent attendance rate at its sessions. All the decisions of the Committee have been unanimous; however, its rules of procedure make provision for members to record their dissent with respect to decisions taken by the majority.
- During the fortieth session, in December 2017, the members re-elected Maria Gracia Pulido Tan (Philippines) as Chair, and elected Patricia Arriagada Villouta (Chile) as Vice-Chair for 2018. The Committee also hosted a second meeting of the Chairs and Vice-Chairs of the United Nations system oversight committees to discuss best practices, lessons learned and other issues of importance to the United Nations oversight community. Additional information about the Committee can be found on its website (www.un.org/ga/iaac) in all the official languages of the United Nations.
- During the reporting period, the Committee issued two reports: the Committee’s annual report to the General Assembly for the period from 1 August 2016 to 31 July 2017 (A/72/295) and a report to the Assembly, through the Advisory Committee on Administrative and Budgetary Questions, on the proposed budget of the Office of Internal Oversight Services (OIOS) under the support account for peacekeeping operations for the period from 1 July 2018 to 30 June 2019 (A/72/766).
- Status of the recommendations of the Committee
- The Committee meets four times per year, typically for three days at each session. During the reporting period, several issues, particularly in relation to enterprise risk management and the operations of OIOS, were addressed. The Committee followed up on the implementation of its recommendations as a standard agenda item at each session. Some of the significant recommendations made by the Committee during the reporting period relate to:
- The need for management to continue to make efforts to ensure the timely implementation of the oversight bodies’ recommendations;
- The need for senior managers to actively lead enterprise risk management efforts and ensure that departments and offices have the capacity and resources to effectively implement and sustain enterprise risk management;
- The need for OIOS to embed fully enterprise risk management into the Office;
- The need for the Organization to assess and manage fully all aspects of the risks associated with extrabudgetary funding;
- The need for OIOS to expedite the quality review process for the Inspection and Evaluation Division and the Investigation Division, and for all its divisions and the Office as a whole to complete client satisfaction surveys;
- The need for OIOS to establish specific outcome-oriented goals and indicators that demonstrate the outcome of the Office’s efforts. These performance metrics should include leveraging data visualizations to analyse trends over time, depict progress against targets, identify where actions are required, and determine the details on actions to be taken;
- The need for OIOS to continue to address its vacancy issue and pursue alternative recruitment and retention strategies;
- The need for management to put in place an audit module in Umoja that takes into account the needs of OIOS, and for the Organization to develop consistently the capacity to manage Umoja and use its outputs to make decisions.
- Overview of the plans of the Committee for 2019
- The Committee undertook its responsibilities, as set out in its terms of reference, in accordance with the scheduling of the sessions of the Advisory Committee on Administrative and Budgetary Questions and the General Assembly. The Committee will continue to schedule its sessions and activities to ensure coordinated interaction with intergovernmental bodies and the timely availability of its reports. In a preliminary review of its workplan, the Committee identified several key areas that will be the main focus for each of its four sessions for fiscal year 2019 (see the table below).
Workplan of the Committee from 1 August 2018 to 31 July 2019
Key focus area
Intergovernmental consideration of the report of the Committee
Review of the 2019 workplan of OIOS in the light of the workplans of other oversight bodies
Proposed budget of OIOS under the support account for peacekeeping operations for the period from 1 July 2019 to 30 June 2020
Operational implications of issues and trends in the financial statements and reports of the Board of Auditors
Coordination and cooperation among oversight bodies, including hosting a coordination meeting of oversight committees
Election of the Chair and Vice-Chair for 2019
Advisory Committee on Administrative and Budgetary Questions, first quarter 2019
General Assembly, second part of the resumed seventy-third session
Status of implementation of oversight bodies’ recommendations
Report of the Committee on the OIOS support account budget
Review of the enterprise risk management and internal control framework in the Organization
General Assembly, second part of the resumed seventy-third session
Operational implications of issues and trends in the financial statements and reports of the Board of Auditors
Proposed programme budget for OIOS for the year ended 31 December 2020
Coordination and cooperation among oversight bodies
Transformational projects and other emerging issues
Advisory Committee on Administrative and Budgetary Questions, second quarter 2019
General Assembly, main part of the seventy-fourth session
Preparation of the annual report of the Committee
Review of the enterprise risk management and internal control framework in the Organization
General Assembly, main part of the seventy-fourth session
Status of implementation of oversight bodies’ recommendations
Coordination and cooperation among oversight bodies
- In planning its work, the Committee is mindful of the following relevant events that could have an impact on its work activities:
- The various reform/transformational initiatives on which the Organization has embarked, such as the management reform, including the delegation of authority, the shift in the management culture from process to results, and Umoja;
- The end of the terms of office of three of the five members of the Committee, whose three-year terms expire in December 2019.
- Detailed comments of the Committee
- Status of the recommendations of United Nations oversight bodies
- Under paragraph 2 (b) of its terms of reference, the Committee is mandated to advise the General Assembly on measures to ensure the compliance of management with audit and other oversight recommendations. The Committee maintains that if the weaknesses identified by the oversight bodies are fully implemented in a timely manner, the chances for the Organization to achieve its objectives are greatly improved. During the reporting period, the Committee reviewed the status of implementation by management of the recommendations of United Nations oversight bodies, as a standard practice.
Board of Auditors
- With respect to the financial report and audited financial statements for the year ended 31 December 2017 (A/73/5 (Vol. I)) (non-peacekeeping financial statements), the Board of Auditors reported that as at 31 December 2017, of the 129 outstanding recommendations up to the year ended 31 December 2016, 31 (24 per cent) had been fully implemented, 84 (65 per cent) were under implementation, 12 (9 per cent) had not been implemented and 2 (2 per cent) had been overtaken by events.
- The Board noted that the rate of implementation had increased from 18 per cent in 2016 to 24 per cent in 2017 and that steps had been taken to implement nearly 65 per cent of the outstanding recommendations. The Board urged the Administration to build on the momentum and ensure the implementation of the recommendations within a defined time frame.
- With respect to the financial report and audited financial statements for the 12‑month period from 1 July 2016 to 30 June 2017 (A/72/5 (Vol. II)) (peacekeeping financial statements), the Board of Auditors noted that the rate of implementation of recommendations for the 12-month period from 1 July 2015 to 30 June 2016 stood at 42 per cent, a decrease from the 49 per cent reported for the previous year. The Board acknowledged, however, that recommendations often required actions to ensure compliance, and could in some cases require a longer time to implement. The Board also noted that, of the 198 recommendations it had made over the previous four years, 151 (76 per cent) had been fully implemented, and urged the Administration to ensure that all outstanding recommendations were implemented in a prompt and timely manner in accordance with General Assembly resolution 69/249.
- The Committee urges Management to continue making efforts to ensure timely implementation of the Board’s recommendations.
Office of Internal Oversight Services
- All recommendations categorized as “critical” by OIOS are brought to the attention of the Management Committee for follow-up action, and special focus is placed on recommendations whose implementation is past due. The Committee receives quarterly updates from OIOS and the Department of Management on the status of implementation of critical recommendations.
- According to OIOS, the total number of outstanding critical recommendations decreased from 44 at the end of the fourth quarter of 2016 to 35 as at the end of the first quarter of 20 Of the 35 outstanding critical recommendations, 17 were past due. The largest share of OIOS past due critical recommendations continues to be in the Office of the United Nations High Commissioner for Refugees and peacekeeping and special political missions.
- The Committee urges Management to continue its efforts to implement the past due critical recommendations in a timely manner.
- The Committee was informed that over the past two years, the overall number of critical recommendations had continued to fall, as shown in figure I. The Committee asked Management and OIOS to explain the decline.
Trend analysis of critical recommendations of the Office of Internal Oversight Services
- Management said that the declining number of recommendations was attributable to OIOS not finding many critical deficiencies in its assignments because of the strengthening of internal controls and the fact that managers were becoming more aware of their fiduciary responsibilities.
- OIOS said that the downward trend was the result of two main factors. First, in mid-2016 OIOS had introduced an escalation standard operating procedure, whereby unaccepted critical recommendations were required to be escalated to the Secretary-General. As a result, OIOS had enhanced its review process to ensure that only the most critical recommendations were escalated to the Secretary-General. Second, several audits conducted in 2014 and 2015, including audits of air operations, waste management, safety and security, and peacekeeping start-up missions (the United Nations Multidimensional Integrated Stabilization Mission in Mali and the United Nations Multidimensional Integrated Stabilization Mission in the Central African Republic), had resulted in a number of critical recommendations. Those audits had been instrumental in strengthening procedures and controls over high-risk areas; accordingly, it was to be expected that the number of critical findings contained in subsequent reports related to the same audit subjects would fall.
- The Committee welcomes the comments of both management and OIOS alluding to improvements in internal controls as one of the possible reasons for the reduction in the number of critical recommendations. The Committee emphasizes the need to sustain such efforts. In the same vein, the Committee recalls the Joint Inspection Unit’s observation that improved internal controls would enable OIOS to expand its focus to a more strategic outlook, a matter that will be discussed later in the report, in the context of the effectiveness of OIOS.
- OIOS further informed the Committee that it had formed a working group to analyse the Internal Audit Division’s recommendation rating methodology using, as a benchmark, the best practices of the internal audit offices of other United Nations agencies, as well as similar organizations, and the expectations of all stakeholders. According to OIOS, at the end of the exercise, the working group would make proposals on the recommendation rating methodology and the escalation process.
- In paragraph 30 of its report on its activities for the period from 1 August 2015 to 31 July 2016 (A/71/295), the Committee recommended that OIOS review its rating methodology. Although that recommendation pertained to the ranking of reports in general, the Committee is nevertheless pleased to note that OIOS has decided to create a working group to address the rating system.
Implementation of the recommendations of the Investigation Division
- In his report on shifting the management paradigm in the United Nations (A/72/492), the Secretary-General noted that, as part of the reform initiatives, the investigation function would be strengthened. Ensuring that recommendations are implemented in a timely manner is part of that strengthening. In its discussions with OIOS, the Committee was informed that the percentage of recommendations implemented by the target date was 68 per cent for the first quarter of 2018.
- The Committee was concerned about that implementation rate and asked management for an explanation. Management informed the Committee that the Organization had endeavoured to put in place an effective system to follow up on the implementation of recommendations while protecting the confidentiality of the information.
- In its report on the investigations function in the United Nations system (A/67/140), paragraph 63, the Joint Inspection Unit noted that there was no centralized authority tasked with monitoring and following up on investigation reports to see if action had been taken and, if so, whether the action had been proportional. The Unit believed that was a major lacuna that should be corrected, as it could lead to cases not being acted upon, intentionally or not, and result in the unequal treatment of staff who committed similar offences but did not receive similar sanctions. The Unit recommended that the executive heads designate a focal point to monitor the implementation and follow-through of all investigation reports within their organizations.
- The views of the Joint Inspection Unit were echoed by some managers, who indicated that while the Investigation Division’s work was of high quality, thorough and helpful, there was a lack of accountability following such investigations. Some managers believed that for OIOS to be an instrument of positive change, there was a need to ensure that there was accountability once the reports were submitted to Headquarters. In other words, not only must justice be done, but it must also be seen to be done.
- Upon inquiry, management informed the Committee that issues regarding the follow-up of the results of OIOS investigation reports had largely been resolved with the issuance of the revised administrative instruction on unsatisfactory conduct, investigations and the disciplinary process in October 2017 (ST/AI/2017/1). According to the administrative instruction, all OIOS investigation reports should be submitted to the Assistant Secretary-General for Human Resources Management, as well as to the Under-Secretary-General for Legal Affairs if the investigation report recommends possible referral to national authorities.
- Management added that the Assistant Secretary-General for Human Resources Management and the Under-Secretary-General for Legal Affairs would, if necessary and in their respective areas of responsibility, escalate the cases to the Under-Secretary-General for Management or the Secretary-General and ensure that action was taken. According to management, that had not been the case in the past; previously, OIOS reports had been sent to the heads of departments and offices, who decided what action should be taken.
- In view of the above, and within the context of a shifting management paradigm, the Committee welcomes the new effort to address the lacunae in the follow-up mechanism of investigation reports. At the same time, the Committee recommends that management ensure that the recommendations of the Investigation Division are implemented in a timely manner to foster accountability.
Joint Inspection Unit
- In its report for 2017 and programme of work for 2018 (A/72/34), the Joint Inspection Unit noted that the average rate of acceptance of recommendations made between 2009 and 2016 in single organization reports and notes was higher (82 per cent) than that of recommendations in system-wide and several organizations reports (68 per cent). However, the Unit also noted that, during the same period, the implementation rate of recommendations in single organization reports and notes was lower (79 per cent) than that of system-wide reports (85 per cent). According to the Unit, that was partly because in the 15 reviews of management and administration performed in single organizations between 2009 and 2016, three had significantly low rates of implementation.
- For the United Nations Secretariat, the average acceptance rate decreased to 57 per cent for the period 2009–2016, compared to 64 per cent for the 2008–2015 period. The implementation rate also decreased slightly to 78 per cent for the 2009–2016 period, compared to 79 per cent for the previous period (see figure II). The Committee noted that the trend had peaked during the 2007–2014 period and had been declining ever since. The Committee sought management’s views on the matter and in response, management reiterated its previous position that the decrease was attributable to the fact that many of the Joint Inspection Unit’s recommendations were addressed to both the governing bodies and the United Nations System Chief Executives Board for Coordination, over which the Secretariat has no control.
Status of acceptance/implementation of recommendations of the Joint Inspection Unit
- The Committee notes the importance and value of the Joint Inspection Unit’s recommendations for the Organization. The Committee is concerned, however, that while the acceptance rate peaked during the 2006–2013 period and the implementation rate peaked during the following period, they have been on a downward trend since. The Committee urges management to implement the recommendations of the Joint Inspection Unit in a timely manner.
- Risk management and internal control framework
- Paragraphs 2 (f) and (g) of the terms of reference of the Committee mandate the Committee to advise the General Assembly on the quality and overall effectiveness of risk management procedures and on deficiencies in the internal control framework of the United Nations.
Enterprise risk management
- The Committee has long believed that enterprise risk management is an integral and important management tool of the Organization and has emphasized that top management is needed to continue to actively lead enterprise risk management efforts to ensure that identifying and managing risks become standard ways of doing business across the Organization. The Committee fully agrees with General Assembly resolution 69/272, in particular paragraphs 7 and 8, and the observations of the Advisory Committee on Administrative and Budgetary Questions, the Board of Auditors and the Joint Inspection Unit regarding the importance of embedding enterprise risk management in the day-to-day work of departments.
- While progress has been made in that regard, during its interactions with offices away from Headquarters, the Committee was informed that enterprise risk management was still mainly a Headquarters-driven exercise that had not yet translated into a practical tool that could help those offices to assess risk. Additionally, the offices believed that there was a need to carry out a fresh risk assessment and to weigh the benefits versus the costs of controls to mitigate risk.
- During the meeting of the Chairs and Vice-Chairs of the United Nations system oversight committees, held in December 2017, it was agreed that it was important for entities to have a mature culture of prudent risk-taking, as opposed to risk avoidance, and a well thought-out and clearly communicated risk appetite consistent with the Secretary-General’s initiative of shifting the management paradigm. Participants also noted that risk management was evolving into a more holistic and strategic perspective in organizations.
- For enterprise risk management to be an important management tool, the Committee believes that it should not only be Headquarters-centric, but also properly expanded to all offices. The Committee also agrees with the sentiments of some managers that the Organization needs a mature culture of prudent risk appetite.
- With respect to enterprise risk management and the three lines of defence model, management informed the Committee that the newly approved Department of Management Strategy, Policy and Compliance would be responsible for developing and maintaining the policy framework and the methodology for enterprise risk management. The new Department would support the distribution of best practices and guidance concerning risk and internal control management principles and develop the appropriate communications and training programmes to enhance the Secretariat’s risk management culture. Furthermore, the Committee was informed that it would be the responsibility of managers at all levels to conduct risk assessment exercises in their respective areas, and through risk assessments, to identify and manage the specific risks that affect them. The new Department would prepare a consolidated entity-level risk register for the Secretariat and update the status of implementation of the actions taken to mitigate risk by departments, offices and missions, for distribution to the Management Committee and the Secretary-General and, on behalf of the Secretary-General, to the Committee and the General Assembly, as required.
- Taking the above into account, the Committee welcomes the Organization’s adoption of the three lines of defence model as part of the integrated assurance process. The Committee will continue to follow up on this as a priority.
Assessing the organizational culture in the Secretariat
- In his reports on shifting the management paradigm in the United Nations (A/72/492 and A/72/492/Add.2), the Secretary-General said that the United Nations must move to a culture that was focused more on results than on processes, better managed administrative and mandate delivery risks, valued innovation, and demonstrated a higher tolerance for honest mistakes and a greater readiness to take prompt corrective action. He noted that the Secretariat had conducted several assessments to better understand the current culture.
- During the meeting of the Chairs and Vice-Chairs of the United Nations system oversight committees, participants emphasized that audit committees could play an important role by ensuring that the institutional tone and culture featured in their discussions on oversight matters. They agreed that common ways to gauge culture included staff surveys, visiting offices and staff, and soliciting inputs from internal and external auditors. They also noted that both audit committees and internal audit could provide valuable insights into organizational culture and emphasized the importance of collaboration between the two.
- The Committee has initiated discussions with management and the oversight bodies on that subject. In the meantime, the Committee shares the view of the National Association of Corporate Directors Blue Ribbon Commission that organizations must consider culture as an asset similar to an organization’s human, physical, intellectual, technological and other assets. According to the Commission, a healthy culture serves as a unifying force for the organization and reinforces the elements of the strategy and business model in a productive way. Conversely, a dysfunctional culture has the potential to undermine the business model and create significant risk for an organization.
- The Committee notes that the Secretary-General has embarked on a process of addressing management culture. Noting the importance of the tone at the top, the Committee recommends that the Organization take advantage of the reform to undertake a holistic review of the culture of the Organization. The Committee believes that the Organization should systematically identify the positive culture that should define the Organization, and implement it both in word and action. The Committee also calls upon OIOS to come up with a clear methodology, taking into account best practices, for periodically assessing the culture of the Organization.
Information and communication technology strategy, infrastructure and security
- In its previous report (A/72/295), paragraph 43, the Committee recognized the potential scale and impact of the threat to cybersecurity and digitalization. In the same report, the Committee noted that it had been informed of the implementation of a 10 point action plan to strengthen information security.
- The Committee followed up on the plan and was informed that it had transitioned to maintenance mode. A longer-term strategic road map for information security built on the 10-point action plan had been developed. The five objectives of the road map are:
- To provide a set of pragmatic activities built on the information and communications technology strategy framework;
- To broaden the scope of the initiatives of the 10-point action plan;
- To transform the initiatives into programmatic activities;
- To expand the objective beyond addressing common deficiencies within the Secretariat’s information and communications technology environment to providing guidance on and solutions for specific risk areas, such as the handling of sensitive information, and operational requirements;
- To institute accountability for recognizing the central role of the Chief Information Technology Officer and ensuring compliance within the delegation of authority framework.
- During the first meeting of the Chairs and Vice-Chairs of the United Nations system oversight committees, held in November 2016, participants agreed that oversight committees had an important role to play in encouraging and assisting management to look forward at how technological advances and other changes in the business or wider environment might affect an organization’s risk exposure and in identifying potential strategies for dealing with them.
- At the second meeting, in December 2017, participants again discussed the issue of cybersecurity and digitalization and were briefed by a number of cybersecurity experts on recent trends, including the need for organizations to move from reactive measures to proactive protection, such as isolating sensitive and legacy applications, ensuring data exchanges occur only through clearly defined interfaces and introducing technical solutions such as next-generation firewalls. Participants were also informed of the need for cybersecurity risk management to be part of an organization’s wider enterprise risk management and business continuity framework.
- Cybersecurity awareness was another topic of concern for the Committee. The Committee believes that lack of awareness could lead to compromises of information and communications technology systems, confidentiality and integrity of information. Upon inquiry, management informed the Committee that the issue of awareness had been receiving a lot of attention and that a mandatory training programme was in place. In its second annual progress report on the implementation of the information and communications technology strategy (A/73/160), paragraph 72, the Board of Auditors reported that as at 31 December 2017, 17,906 (47 per cent) out of 38,105 staff working across the Secretariat, and 35,611 external personnel, had completed the mandatory information security awareness training course.
- The Committee recognizes the potential scale and impact of the threat to cybersecurity and digitalization and welcomes the efforts of management to address those challenges, including through mandatory training. The Committee recalls management’s view that cybersecurity is only as strong as its weakest link. On that note, the Committee recommends that management make a concerted effort to achieve a 100 per cent completion rate for mandatory training. The Committee is aware that will require concerted and coordinated efforts among all stakeholders because the issues are cross-cutting. The Committee plans to follow up on the matter by not only assessing the extent to which cybersecurity risks are being reflected in the Organization’s enterprise risk management strategy but also the extent to which management is making decisions to mitigate the most important cyber-risks.
- Effectiveness, efficiency and impact of the audit activities and other functions of the Office of Internal Oversight Services
- Under its terms of reference, the Committee has the responsibility to advise the General Assembly on aspects of internal oversight (resolution 61/275, annex, paras. 2 (c)–(e)). In undertaking to fulfil its mandate, the Committee has maintained its standard practice of meeting with the Under-Secretary-General for Internal Oversight Services and other senior OIOS officials during its sessions. The discussions have been focused on OIOS workplan and budget execution, with significant findings reported by OIOS, operational constraints (if any), post incumbency, the status of implementation by management of OIOS recommendations, including critical recommendations, and strengthening investigations.
- During the current period, the Committee continued to focus its assessment on two broad areas: (a) strategic planning, OIOS effectiveness and performance measurement; and (b) strengthening the investigation function.
Strategic planning, OIOS effectiveness and performance measurement
Evolving role of the internal audit function
- According to the standards of the Institute of Internal Auditors, internal auditors have an obligation to assist the organizations they serve in improving the quality of governance, risk management and internal control processes. In its report on the state of the internal audit function in the United Nations system (A/72/120), the Joint Inspection Unit noted that when the second line of defence (management oversight activities) is strong and well developed, it may enable the internal audit function to, inter alia, expand audit services into more strategic areas, including performance auditing, and extend the coverage of activities and operations over which internal audit can provide effective oversight. According to the Joint Inspection Unit, one of the benefits of performance audits is that they can identify redundancies, unnecessary controls and processes and thereby increase efficiency and value for money.
- During the reporting period, the Committee met with various senior officials to get their views on how OIOS audits and other oversight functions have assisted them in the oversight of their respective departments or entities. The general response was that, while they had a good relationship with OIOS, some managers would like to see more performance audits than compliance audits. They would also like to see OIOS make recommendations that would improve their operations — recommendations that were strategic in nature as opposed to the narrow recommendations they currently received. Furthermore, managers were of the view that it would be useful if OIOS did more benchmarking of good practices and deep dives into the processes that needed to be reviewed and amended.
- The Committee discussed the findings with OIOS and was informed that the Internal Audit Division already included aspects of performance auditing (measuring efficiency and effectiveness) in many of the audits it carried out. OIOS mentioned that further efforts might be needed to bring performance-related audit results to the attention of their clients and further develop clients’ awareness. OIOS confirmed that the Internal Audit Division did not have baseline data on the number of audits that included efficiency and effectiveness issues (performance audit elements), but it was in the process of reviewing that. During its deliberations, the Committee was provided with a list of audits that OIOS considered to be performance audits, including on procurement, facilities management and pension funds. According to OIOS, 40 per cent of recommendations made in 2017/18 related to effectiveness and efficiency issues. OIOS added that all evaluations conducted by the Inspection and Evaluation Division were performance audits since they covered the aspects relating to economy, efficiency and effectiveness. OIOS further noted that a senior evaluator from the Inspection and Evaluation Division would be joining the Internal Audit Division for a short period, which would be an opportunity for the Internal Audit Division to further develop its tools, such as survey questions for conducting performance audits.
- Subsequently the Committee was also informed that in a client satisfaction survey conducted the previous year, 91 per cent of respondents had expressed satisfaction with the audit reports of OIOS.
- The Committee believes that for OIOS to establish itself as a trusted advisor, it needs to understand and appreciate the concerns of its clients. There seems to be a divergence of expectations between some managers and OIOS on what constitutes a performance audit. The Committee believes that arriving at a mutual understanding on performance audits and striking a balance between compliance and performance audits would be consistent with the Joint Inspection Unit’s finding that stakeholders deem performance and compliance audits to be the most important types of audit services.
- In addition to developing a baseline and establishing performance indicators, the Committee recommends that, to shift the focus of its work, OIOS must clearly identify the steps it plans to take to improve its capability to conduct performance audits. Such steps should include identifying its plans for future performance audits, the applicable audit standards and what training its staff would need to improve their capability to conduct such audits, as well as a communication plan to effectively inform its clients of the shift.
- The Committee was also informed that some managers are concerned that auditors do not understand or are not familiar with the subject matter that they are auditing. During the interaction with OIOS, the Committee was informed that, if there was a lack of knowledge in a particular area, a consultant was usually hired. For example, if there was an audit on climate change, they would hire a consultant who specialized in climate change.
- The Committee agrees with OIOS that auditors are not expected to be experts in every field of their clients’ business, hence the utilization of consultants to address the specialized or technical aspects of such businesses.
Role of OIOS in the context of the 2030 Agenda for Sustainable Development
- In its previous report, the Committee looked at the progress OIOS was making in embodying the integrated, universal and indivisible nature of the 2030 Agenda through its own operations. As a follow-up, OIOS informed the Committee that in its three-year work planning process the Internal Audit Division was focusing on emerging risks related to the Sustainable Development Goals, including gender mainstreaming and gender parity issues. The Division had conducted audits assessing the extent to which United Nations entities — including the United Nations Conference on Trade and Development, the Economic Commission for Latin America and the Caribbean, the Economic and Social Commission for Asia and the Pacific and the secretariat of the United Nations Framework Convention on Climate Change — were mainstreaming the Goals into their programmes. OIOS said that in 2018 the Division would continue with that approach in all applicable audits. The Division had also scheduled specific audits related to the mainstreaming of the Goals into the programmes of work of the Department of Economic and Social Affairs, the Economic Commission for Africa, the Economic and Social Commission for Western Asia and the Economic Commission for Europe.
- With respect to the Inspection and Evaluation Division, the Committee was informed that the Division was conducting thematic evaluations of policy coherence and the preparedness of the entire Secretariat to implement the Sustainable Development Goals as part of the 2018–2019 work plan.
- The Committee welcomes the steps OIOS is taking with respect to the 2030 Agenda and will continue to follow up with OIOS on this matter.
Strengthening the investigation function
Vacant posts in the Investigation Division
- The Committee has consistently expressed concern about the high number of vacancies in OIOS. Since 2008, the General Assembly has requested that the Office make every effort to fill those vacancies as a matter of priority.
- The Committee considers this to be a major risk, hence why it is a standing item on its agenda. At its forty-third session, the Committee was informed that overall, the vacancy rate for OIOS continues to show a downward trend, from 13.4 per cent in October 2017 to 10.5 per cent as at 30 June 2018. For the Investigation Division, the vacancy rate decreased dramatically, from 21.2 per cent to 11.5 per cent.
- The Committee commends OIOS in general and the Investigation Division in particular for succeeding in reducing the vacancy rate, which initially appeared to be a daunting task. The challenge now is to sustain that progress. The Committee will continue to monitor the issue.
- With respect to staff retention, OIOS highlighted several obstacles faced by the Division, including the lack of a good mobility plan owing to the small size of the Division; the nature of the work (investigators in peacekeeping missions often deal with very difficult situations); the lack of job security, as some of the posts are temporary; and the fact that the Division, as the largest investigation unit in the United Nations system, is always seen as an entry point for individuals seeking to join the United Nations investigation system. As such, it is a rich recruiting ground for other United Nations investigation units seeking well-trained and experienced investigators. According to OIOS, a temporary post has been created in order for an in-depth review of staff retention in the Division to be conducted, with a view to analysing the underlying causes and coming up with specific recommendations to address those problems.
- The Committee acknowledges the challenges that the Investigation Division faces in retaining staff and believes that identifying the cause of the low retention rate is an integral part of the solution. The Committee will continue to follow up and report on any progress made in future reports.
Investigation of cases of retaliation
- Ensuring that staff feel safe reporting wrongdoing and protecting them against retaliation when they do so is an important part of any accountability framework. During the reporting period, the Committee met with the Ethics Office, which indicated that since the issuance of the revised whistle-blower policy in November 2017 (ST/SGB/2017/2/Rev.1), the number of queries and requests for advice had doubled.
- The Committee inquired about the working arrangement between the Ethics Office and OIOS, and the Director of the Ethics Office emphasized that cooperation between the two offices was increasing, as evidenced by the participation of the Ethics Office in an OIOS induction training course for new investigators in April 2018 at the Regional Service Centre in Entebbe, Uganda. However, the Ethics Office did note that it took OIOS too long to complete investigations pertaining to retaliation. According to the Ethics Office, it took OIOS 9 to 10 months to investigate a case, while the revised whistle-blower policy stipulated that it should take 120 days. According to the Ethics Office, the long timeframe was due to the fact that OIOS might not consider retaliation to be as pressing a matter as other high-risk cases, such as those involving sexual exploitation, abuse and harassment.
- The Committee followed up with OIOS on this issue, and was informed that the investigation of retaliation cases was very much a priority. The Committee was informed that the average time taken to complete such an investigation was 200 days, with the longest 320 days and the shortest 127 days. OIOS further noted that, following the drive to strengthen the whistle-blower policy, the bar for retaliation had been set so low that there had been a flood of new cases, and that owing to the complexity of most retaliation cases, the time limit of 120 days was unrealistic.
- The Committee believes that the investigation of retaliation cases should be a priority given the high risk such cases present, and recommends that OIOS work to reduce the length of time it takes to investigate such cases.
- Financial reporting
- During the reporting period, the Committee engaged in discussions with the Board of Auditors, the Under-Secretary-General for Management, the Controller and the Umoja Project Director on a number of issues relating to financial reporting. The issues discussed included:
- Implementation of Umoja;
- Internal control, especially as it pertains to delegation of authority and fraud prevention and detection;
- Issues and trends apparent in the financial statement of the Organization and the reports of the Board of Auditors.
Implementation of Umoja
- On the status of the roll-out of Umoja, management informed the Committee of the completed deployments in 2017, including integration, parts of Umoja Extension 2 and phase two of the International Civil Service Commission compensation package. The Committee was also provided with a timeline for subsequent deployments, including phase three of the International Civil Service Commission compensation package (January 2018); travel for national staff (March 2018); and certain Umoja Extension 2 projects, including strategic planning, budget formulation and performance management; fundraising and donor relations; supply chain management (phase two); and implementing partners (September 2018). Additional parts of Umoja Extension 2 — phase three of supply chain management, and payments to troop- and police-contributing countries — would be implemented in December 2018.
- With respect to roll-outs in 2018, the Committee was informed that Umoja Extension 2 (modules for strategic planning, budget formulation and performance management, fundraising and donor relations, supply chain management and implementing partners), a software upgrade, supply chain management (phase three), a module on conference and event management, and payments to troop- and police-contributing countries, would be rolled out.
- The Committee was further informed that the strategic planning, budget formulation and performance management module would capture the entire cycle from strategic planning and budget execution to monitoring and reporting across all funding sources. Management noted that it would replace a disparity of systems and provide a 360-degree view for managers.
- Furthermore, in discussions with several offices on how well Umoja was working, the Committee was informed that while Umoja had improved their day-to-day operations, some aspects, such as business intelligence, were still in their infancy. For example, one entity indicated that it had had to invest in a new programme to do analytics.
- The Committee asked management about that and was informed that the system’s user-friendliness was still in development. Management further noted that with the demands for various types of business intelligence reports growing as users gained a better understanding of data and the capabilities of the system, the Administration acknowledged the importance of enhancing Umoja reporting to ensure a stronger foundation for leveraging the true potential of Umoja for decision-making. In that regard, the Committee was informed that several concurrent actions were under way, including:
- A management dashboard developed by the Office of Information and Communications Technology, in conjunction with the Umoja team, that would be rolled out shortly to all departments and offices. According to management, the dashboard would leverage Umoja data, along with data from other enterprise systems such as Inspira, and would give managers a comprehensive view of aspects such as human resources, posts, finances, travel, facilities, procurement and training;
- The roll-out of Umoja Extension 2, which would add programmatic reporting capabilities as resources would be linked to outputs and outcomes as part of results-based budgeting frameworks;
- The creation of a more responsive business intelligence development function by extending training and access to key businesses to staff working in procurement and supply chain management, which should address the user-friendliness concern noted above.
- The Committee welcomes the progress made in implementing Umoja, including the commitment to capture the Organization’s cycle from strategic planning to reporting. Given the financial resources, effort and time that have been invested in developing and implementing Umoja, the Committee believes that capturing the full cycle would lead to the maximum exploitation of the potential that Umoja offers.
Governance, risk and compliance module
- The Committee recalled its prior recommendations that management put in place an audit module that took into account the needs of OIOS before the finalization of the design phase of Umoja. The Committee had previously been informed that a governance, risk and compliance module was being developed and could also function as an audit module, and that dialogue between OIOS, the Office of Programme Planning, Budget and Accounts and the Umoja team on the functionality of the governance, risk and compliance module was under way.
- As a follow-up, the Committee asked management about the status of implementation of the governance, risk and compliance module and was informed that, while discussions had been held with both OIOS and the Office of Programme Planning, Budget and Accounts, the development and implementation of the module would have to factor in important changes impacting the project, arising from the reform proposals approved by the General Assembly. The management reform changes, in particular, including the simplification of the regulatory frameworks, the increased delegation of authority and the creation of two new departments (the Department of Management Strategy, Policy and Compliance and the Department of Operational Support), would alter the controls significantly. According to management, it would be more prudent to implement the governance, risk and compliance module after the new structures were in place, including the more urgent and functionally expansive Umoja Extension 2.
- The Committee believes that, like any other enterprise resource planning system, the Umoja governance, risk and compliance module could provide OIOS with an opportunity for continuous auditing through an embedded audit module, a common feature of governance, risk and compliance. While appreciating the challenges brought about by the reforms, the Committee still believes that an audit module is a critical enabler of a strong accountability system and should be considered high priority in the implementation of Umoja.
Internal control system and anti-fraud policy
Ex ante controls versus ex post facto compliance
- In his report on shifting the management paradigm in the United Nations (A/72/492), the Secretary-General noted that the focus of oversight mechanisms must shift away from ex ante control to ex post facto compliance. Such a shift would have implications for the internal control system, and as one of the responsibilities of the Committee is to advise the General Assembly on risk management and the internal control system of the Organization, it is important for the Committee to have a good grasp of this matter.
- The Committee asked management what implications the shift from ex ante control to ex post facto compliance would have for the internal control system of the Organization. The Committee was informed that management was cognizant of the challenges and was taking steps to address them. Such steps included the new delegation of authority and improved accountability. Furthermore, the Committee was informed that with Umoja, there would be real-time visibility, making it easier for the newly approved Business Transformation and Accountability Division to do more effective monitoring for red flags.
- The Committee notes that the shifting of the focus from ex ante controls to ex post facto compliance will have significant implications for the Organization, as noted above. The Committee will continue to follow up with management on the steps taken to address those challenges.
Statement of internal control
- In its previous three reports (A/70/284, A/71/295 and A/72/295), the Committee reported on the statement of internal control, on the basis of regular updates from management. The statement of internal control is a public accountability document that describes the effectiveness of internal controls in an organization.
- During the current reporting period, the Committee was informed that the statement of internal control would be implemented in phases. The first phase would focus on external and internal financial reporting objectives, excluding non-financial ones. According to management, the result of that exercise would be the issuance of a statement of internal control accompanying IPSAS-compliant financial statements.
- The Committee was further informed that the statement of internal control was set around four main work pillars covering the assurance process, training, the Internal Control Advisory Group and the Umoja governance, risk and compliance module. Additionally, the implementation of the statement of internal control would be built on five pillars, namely an internal control checklist based on the 17 principles of internal control developed by the Committee of Sponsoring Organizations of the Treadway Commission; the Umoja governance, risk and compliance module; two training videos, to be developed, describing the framework developed by the Committee of Sponsoring Organizations of the Treadway Commission and the governance, risk and compliance module; the Internal Control Advisory Group; and a benefit realization exercise benchmarking current United Nations performance against the principles of the Committee of Sponsoring Organizations of the Treadway Commission as adapted for the United Nations.
- According to the Controller, the Organization was building the governance, risk and compliance platform in Umoja with the hope of issuing the first statement of internal control in the 2020 financial statements.
- The Committee was informed that the Internal Control Advisory Group was composed of six leading experts on enterprise risk management, internal control frameworks and the principles of the Committee of Sponsoring Organizations of the Treadway Commission. The objective of the Internal Control Advisory Group, which met twice a year, was to provide technical advice on the implementation of the statement of internal control across the Secretariat, so as to ensure technical compliance with the requirements of the internal control-integrated frameworks of the Committee of Sponsoring Organizations of the Treadway Commission, as adapted for the United Nations, at all times.
- The Committee reiterates its position that the statement of internal control is an important accountability tool through which an organization provides assurances that it is appropriately managing and controlling the resources under its responsibility. The Committee commends the progress made so far and will continue to monitor and report back on the situation in its future reports.
- Additionally, the Committee recommends that management ensure that in the second phase, the remaining reporting objectives (non-financial) of the statement of internal control are appropriately captured in the accountability system of the Organization. This is all the more imperative given the management reforms under way, such as those noted in paragraphs 85 to 87.
- With respect to end-of-service liabilities, the Committee recalled its prior comments and recommendations contained in its reports of 2008 (A/63/328) and 2014 (A/69/304), in which the Committee had called upon the General Assembly to decide whether, how and to what extent the liabilities would be funded. Furthermore, during the Committee’s discussions with various offices, the issue of employee benefits liabilities, specifically after-service health insurance, was noted by management as a major concern.
- According to management, liabilities for after-service health insurance stood at $4.6 billion as at 31 December 2017, an increase of 18.8 per cent from the previous year. After-service health insurance accounted for 88.8 per cent of total employee benefits liabilities. The Committee was informed that the increase was attributable to updates in the demographic assumptions used in actuarial valuations, such as marriage rates, mortality tables and longevity improvement factors.
- The Committee notes that the General Assembly endorsed the pay-as-you-go arrangement as a viable approach in various resolutions. According to management, however, that approach is not sustainable. The Board of Auditors agrees, noting that such an approach exposes the General Assembly to the risk of increasing cash costs in future periods. The Committee was informed of a proposal to address the issue by fully funding after-service health insurance while maintaining the pay-as-you-go approach.
- Given the risk this matter poses to the Organization, the Committee agrees with the Board of Auditors and reiterates its prior recommendation that the General Assembly revisit this matter with a view to ensuring that funding for end-of-service liabilities is placed on a sustainable path.
Fraud risk assessment
- With respect to fraud, the Committee’s comments are guided by its previous observations and recommendations, and those of the Board of Auditors, the Joint Inspection Unit, the Advisory Committee on Administrative and Budgetary Questions and the General Assembly. In its previous report (A/72/295), paragraph 104, the Committee reported that a Fraud Risk Assessment Advisory Committee had been created, co-chaired by the Office of the Under-Secretary-General for Management and the Office of Programme Planning, Budget and Accounts. The Committee conducted an assessment to identify the most critical areas at risk of fraud and corruption in order to design a comprehensive anti-fraud and anti-corruption strategy and to implement proper mitigation measures. The assessment was based on a review of available historical data and losses suffered by the Secretariat and an extensive series of interviews and workshops held across the Secretariat, including consultations with the oversight bodies.
- During discussions with management, the Committee was informed that 16 risks had been identified, of which 6 had been classified as critical and requiring immediate attention, namely:
- Organizational culture and accountability;
- Information and communications technology governance and cybersecurity;
- Umoja system control environment;
- Implementing partners;
- Theft of fuel rations and inventory;
- The Management Committee approved the risk register in February 2018 and corporate risk owners were assigned and tasked with the responsibility of developing detailed treatment and response plans.
- With respect to OIOS, as noted in the Committee’s previous report (A/72/295), tackling fraud and corruption have been given a renewed focus by the Office. According to the Investigation Division, fraud and corruption account for 35 per cent (52 cases out of 150) of all cases under investigation.
- The Division informed the Committee that, in the light of those figures, the Organization must start confronting the issue of financial recovery, and that the Office for the Coordination of Humanitarian Affairs should revisit its funding agreements. The Division also acknowledged that, as noted by the Committee and the other oversight bodies, it was possible that the Division was merely scratching the tip of the iceberg because of underreporting.
- The Committee will continue to follow up on the steps taken by the Organization to develop and implement detailed risk mitigation plans for the most critical areas of fraud risk.
- Coordination among United Nations oversight bodies
- During the reporting period, in addition to its regularly scheduled meetings with OIOS, the Committee met with other oversight bodies, such as the Joint Inspection Unit and the Board of Auditors, including the Audit Operations Committee. The dialogue allowed for the sharing of perspectives on matters of mutual concern and provided a useful opportunity for cooperation among United Nations oversight bodies.
- The Committee sought comments from the three oversight bodies, all of which underscored the coordination mechanisms that existed among the three bodies, including the sharing of their programmes of work. In separate meetings with the Board of Auditors, the Joint Inspection Unit and OIOS, the Committee noted the positive relationship fostered through the tripartite coordination meetings of the oversight bodies and the sharing of workplans in an effort to avoid duplication. The Committee believes that such coordination provides a valuable platform for additional opportunities.
- Furthermore, in December 2017, the Committee hosted the second meeting of representatives of United Nations system oversight committees. Twenty-four representatives from 19 oversight committees from organizations within the United Nations Secretariat, the United Nations funds, programmes and specialized agencies, and the World Bank attended the meeting.
- At the meeting, participants continued the discussions from the previous meeting on common challenges and potential good practices in the work and conduct of the United Nations system oversight committees. Participants focused on how oversight committees could contribute to the assessment and understanding of organizational culture, looked at the need for common approaches to risk management, internal control and integrated assurance, and examined digital threats and the actions needed to protect United Nations system organizations.
- The participants agreed that there were four common concerns, which were conveyed to the Secretary-General, in his capacity as Chair of the United Nations System Chief Executives Board for Coordination. The four issues were:
- The need for a common, recognized and credible approach to risk management;
- The fact that cybersecurity would be a critical enabler of the significant opportunities associated with digital transformation, including the contributions that could be made to improved operations and delivery of the 2030 Agenda. Additionally, the participants supported the adoption of a recognized and common system-wide cyber-risk management framework, fully integrated into entities’ overall approach to enterprise risk management and business continuity;
- The low level of cyber-risk awareness among management and staff. Participants stressed the need for organizations to start developing in-house capability by leveraging external expertise to stay abreast of new developments;
- The challenge of introducing modern and standardized business processes, common frameworks and new ways of working. Participants noted that there were threats to successful business transformation, including change management, organizational culture and communicating such transformation projects to stakeholders.
- Other matters
- The Committee spoke to the Director of the Ethics Office about measures to strengthen the independence of the Office. In his report on the activities of the Office (A/73/89), paragraph 94 (b), the Secretary-General provided a rationale for adding a reporting line to the Committee. The Committee looked at the best practices prevailing in United Nations system oversight entities and found that the majority of oversight committees had the review of the ethics function under their purview.
- The Committee noted that some of the functions undertaken by the oversight committees with respect to the Ethics Office included:
- Reviewing and providing advice on workplans;
- Providing input to the performance appraisal of the Director of the Ethics Office;
- Advising on the appointment and dismissal of the Director of the Ethics Office;
- Reviewing and advising on the adequacy of the ethics function, including the code of ethics, financial disclosure and whistle-blower policies;
- Promoting understanding and the effectiveness of the ethics function;
- Providing a forum to discuss ethics-related matters.
- In view of the above, the Committee supports the Secretary-General’s proposal to add a reporting line to the Committee. When considering the role of the Committee with respect to the Ethics Office, the General Assembly may wish to consider some or all of the functions noted in paragraph 111.
- Cooperation and access
- The Committee reports that it received good cooperation from OIOS and senior management in the Secretariat, including the Department of Management, in discharging its responsibilities. The Committee was given appropriate access to staff, documents and information that it needed in order to undertake its work. The Committee is pleased to report that it continued to work closely with the Joint Inspection Unit and the Board of Auditors. The Committee looks forward to continued cooperation with the entities with which it interacts in order to discharge its responsibilities, as set out in its terms of reference, in a timely manner.
114. In the context of its terms of reference, the Independent Audit Advisory Committee presents the preceding observations, comments and recommendations, as contained in paragraphs 16, 19, 23, 25, 32, 35, 40, 42, 46, 52, 59, 60, 62, 65, 68, 70, 74, 81, 84, 87, 93, 94, 98, 104 and 112, for the consideration of the General Assembly.