Activities of the Independent Audit Advisory Committee for the period from 1 August 2018 to 31 July 2019: Report of the Independent Audit Advisory Committee

 

 

14.     As shown in figure I, although other entities such as those referred to in A/73/5 (Vol. II) (peacekeeping financial statements), the International Trade Centre (ITC) and the United Nations Office on Drugs and Crime (UNODC) had an above average implementation rate, the overall average implementation rate was mainly affected by the low implementation rate pertaining to entities such as those referred to in A/74/5 (Vol. I) (non-peacekeeping financial statements).

 

                         Figure I
Implementation rate of the Board’s recommendations as at 31 December 2018

(percentage)

 

 

15.     With respect to the financial report and audited financial statements for the year ended 31 December 2018 (A/74/5 (Vol. I)) (non-peacekeeping financial statements), the Board reported that, as at 31 December 2018, of the 167 recommendations outstanding up to the year ended 31 December 2017, 13 (8 per cent) had been fully implemented, 149 (89 per cent) were under implementation, 4 (2 per cent) had not been implemented and 1 (1 per cent) had been overtaken by events. In contrast, the implementation rate as at 31 December 2017 stood at 24 per cent, with 65 per cent of recommendations under implementation.
16.     Management further noted that out of 334 recommendations issued during the previous seven periods (since the period 2008–2009), 151 (45 per cent) had been fully implemented as at 31 December 2018.
17.     The Committee is aware that, over time, the rate of implementation of oversight bodies’ recommendations improves. The Committee considers, however, an 8 per cent implementation rate to be too low for an effective and accountable organization and calls on Management to significantly improve its efforts in this regard. The Committee also calls on the Management Committee to look into this matter with a view to ensuring that Management is addressing the implementation of oversight bodies’ recommendations as a priority.
18.     With respect to the financial report and audited financial statements for the 12‑month period from 1 July 2017 to 30 June 2018 (A/73/5 (Vol. II)) (peacekeeping financial statements), the Board reported that the rate of implementation of outstanding recommendations, as at 30 June 2018, stood at 51 per cent, an increase from the 48 per cent reported for 2017 (see table 1 and figure I). The Board further noted, in table II.1 of its report (A/73/5 (Vol. II)), that out of its 273 recommendations for the previous five years, 207 (76 per cent) had been fully implemented. Although only three recommendations had been under implementation for more than two fiscal years, the Board was concerned that those recommendations, especially the one pertaining to the collection of contractor performance reports (outstanding for five years, as at 30 June 2018), represented a high risk, the non-implementation of which is a cause for concern. The Board urged the Administration to ensure that all outstanding recommendations are implemented in a prompt and timely manner in accordance with General Assembly resolution 69/249B.
19.     The Committee followed up with Management and was informed that, at the time of writing, there are 30 main recommendations of the Board that are two or more years old, 18 of which relate to the regular budget (Vol. I); 1 relates to the peacekeeping operations (Vol. II); 3 relate to the capital master plan (Vol. V); 7 relate to the Board’s second progress report on the information and communications technology strategy (A/73/160); and 1 relates to the seventh progress report on implementation of Umoja (A/70/369 and A/70/369/Corr.1 and A/70/369/Corr.2). Management also indicated that, for 11 recommendations, it had requested closure by the Board and that for the other 19, the implementation was in progress.
20.     With respect to Volume I, Management informed the Committee that the main reasons for the low implementation rate of outstanding recommendations were:

1.      Some subject matters required consideration by the General Assembly (e.g., performance appraisal system under human resources reforms);
2.      There were some differences in views between the Board and the Administration (e.g., the methodology for estimating assets and inventory values through standard costing versus considering all actual associated costs);
3.      Some recommendations are linked to the implementation of other major transformation initiatives, such as Umoja Extension 2;
4.      Lack of capacity during the reporting period for addressing the issue (e.g., fraud risk assessment in different duty stations, results-based management and contract management);
5.      Some recommendations can be considered as having been overtaken by events (e.g., delegation of authority in procurement and human resources, which have been superseded by the new delegation of authority as part of the management reform).

21.     The Committee commends Management for attaining a higher than average implementation rate for peacekeeping operations, ITC and UNODC. The Committee is nevertheless concerned by the low implementation rates with respect to Volume I, the United Nations Environment Programme and the United Nations Human Settlements Programme (UN-Habitat) and urges Management to continue making efforts to ensure the timely implementation of the Board’s recommendations.

 

                         Office of Internal Oversight Services

 

22.     The Committee was informed that during 2018, OIOS issued 397 reports, containing 1,183 recommendations, 34 of which were considered critical. That represents an increase in comparison to 2017, when OIOS issued 342 reports containing 1,073 recommendations, 26 of which were critical.
23.     All recommendations categorized as “critical” by OIOS are brought to the attention of the Management Committee for follow-up action, and special focus is placed on those recommendations whose implementation is past due. The Committee receives quarterly updates from OIOS and the Department of Management Strategy, Policy and Compliance on the status of implementation of critical recommendations.
24.     According to Management, the total number of outstanding critical recommendations increased from 33 at the end of the fourth quarter of 2017 to 55 at the end of the first quarter of 2019. Of the 55 outstanding critical recommendations, 20 were addressed to the Office of the United Nations High Commissioner for Refugees (UNHCR), 5 to the United Nations Joint Staff Pension Board and 1 to the United Nations Joint Staff Pension Fund, leaving 29 as the outstanding critical recommendations relating to the Secretariat.
25.     Of the 55 outstanding critical recommendations, 27 (49 per cent) were past due at the end of the first quarter of 2019. The largest share of critical recommendations by OIOS that are past due continues to be in UNHCR (12), while 10 related to the Secretariat.
26.     The Committee urges Management to continue to improve its efforts to implement past due critical recommendations in a timely manner.
27.     In its previous report (A/73/304), the Committee observed a downward trend in the number of critical recommendations issued by OIOS since 2014. In the same vein, the Committee welcomed the comments of both Management and OIOS that alluded to improvements in internal controls as a possible reason for the reduction in the number of critical recommendations. The Committee also recalls that OIOS had formed a working group to analyse the Internal Audit Division recommendation rating methodology using, as a benchmark, best practices in the internal audit offices of other United Nations system entities, as well as those of similar organizations, and the expectations of all stakeholders. According to OIOS, at the end of the exercise, the working group would make proposals on the recommendation rating methodology and escalation process.
28.     The Committee followed up with OIOS on the outcome of the working group’s analysis and was informed that the group proposed and management of the Internal Audit Division decided to maintain the ratings of important and critical, and provided criteria for determining whether a recommendation should be classified as critical or not.
29.     The Committee commends OIOS for reviewing its criteria for determining which recommendations are critical. The Committee will continue to review trends pertaining to critical recommendations in subsequent sessions.

 

                         Joint Inspection Unit

 

30.     In its annual report for 2018 and programme of work for 2019 (A/73/34), the Joint Inspection Unit noted that the average rate of acceptance of recommendations made between 2010 and 2017 in single organization reports and notes was higher (78 per cent) than that of recommendations in system-wide reports and reports covering several organizations (70 per cent). However, the Unit noted that during the same period, the implementation rate of recommendations in single organization reports and notes was lower (74 per cent) than that of system-wide reports (85 per cent). According to the Unit, that was because in the 15 reviews of management and administration performed in single organizations between 2010 and 2017, three continue to have significantly low rates of implementation.
31.     For the United Nations Secretariat, the average acceptance rate improved from 57 per cent for the period 2009–2016 to 63 per cent for the period 2010–2017. The average implementation rate remained constant at 78 per cent for the period 2010–2017 (see figure II).

 

                         Figure II
Status of acceptance and implementation of recommendations of the Joint Inspection Unit (Secretariat), 2000–2007 to 2010–2017

 

 

32.     The Committee notes the importance and value of recommendations of the Joint Inspection Unit for the Organization. Although the average implementation rate (78 per cent) is still below the system-wide average of 85 per cent, the Committee commends Management for the improvement in the acceptance rate – an issue that was of concern to the Committee during the previous fiscal year. The Committee also urges Management to implement the recommendations of the Unit in a timely manner.

 

 

2.     Risk management and internal control framework

 

 

33.     Paragraphs 2 (f) and (g) of the terms of reference of the Committee (see General Assembly resolution 61/275, annex) mandate is the Committee to advise the General Assembly on the quality and overall effectiveness of risk management procedures and on deficiencies in the internal control framework of the United Nations.

 

                         Enterprise risk management

 

34.     The Committee has long believed that enterprise risk management is an integral and important management tool of the Organization and emphasized that top management effort is needed to continue to actively lead enterprise risk management efforts so as to ensure that identifying and managing risks become standard ways of doing business across the Organization. The Committee also fully agrees with General Assembly resolution 69/272 (paras. 7 and 8) and the observations of the Advisory Committee on Administrative and Budgetary Questions (A/69/802, para. 8), the Board of Auditors and the Joint Inspection Unit regarding the importance of embedding a culture of enterprise risk management in the day-to-day work of departments.
35.     In its previous report (A/73/304), while acknowledging the progress made in embedding enterprise risk management, the Committee was concerned that enterprise risk management was still mainly a Headquarters-driven exercise that had not yet translated into a practical tool to help offices assess their risks. That conclusion led the Committee to recommend that, in order for enterprise risk management to be an important management tool, it should not only be Headquarters-centric but should also be properly expanded to all offices.
36.     During the course of the current fiscal year, the Committee followed up with management and was informed that in the context of the ongoing reform, an Enterprise Risk Management Section has been created in the Department of Management Strategy, Policy and Compliance. Management further noted that the Enterprise Risk Management Section had conducted its first round of interviews and workshops on the Secretariat-wide risk assessment. The assessments had been completed and an analysis is being prepared, in order to update the risk register accordingly. According to Management, the Secretariat-wide risk register will be the basis for all departments and other system entities to implement their own risk assessment exercises and develop risk mitigation plans. However, it is not clear how long it will take to finalize risk registers, develop risk mitigation plans at Headquarters and then complete a similar process in other entities and units, especially those based outside of New York.
37.     With respect to the anti-fraud risk register, the Committee had previously noted (A/73/304, paras. 100 and 101) that 16 risks had been identified, 6 of which had been classified as critical and required immediate attention. The Committee was further informed that the Management Committee had approved the risk register and that corporate risk owners had been assigned and tasked with the responsibility of developing detailed risk treatment and response plans. Upon follow-up, the Committee was informed that the anti-fraud risk register has been subsumed into the overall risk assessment conducted by the Enterprise Risk Management Section, and that the training of focal points was under way.
38.     While welcoming the efforts to date, and mindful of the ongoing reforms, the Committee believes that the implementation of enterprise risk management should be accorded high priority throughout the United Nations system, if enterprise risk management is to be a useful management tool. The Committee reiterates its previous recommendation that the enterprise risk management process should not be Headquarters-centric, but rather an all-encompassing process. Accordingly, the Committee encourages Management to establish specific milestones for assessing risks and completing risk mitigation plans in the Secretariat as well as in subordinate and field-based units and to hold managers accountable for achieving those milestones.

 

                         Organizational culture in the Secretariat

 

39.     In his reports on shifting the management paradigm in the United Nations (A/72/492 and A/72/492/Add.2), the Secretary-General noted the importance of moving the Organization towards a culture that is focused more on results than on processes, better manages administrative and mandate delivery risks, values innovation and demonstrates a higher tolerance for honest mistakes and a greater readiness to take prompt corrective action. In paragraph 12 of A/72/492/Add.2, he further noted that the Secretariat had conducted several assessments to better understand the culture.
40.     During the meeting of the Chairs and Vice-Chairs of the United Nations system oversight committees, participants emphasized that audit committees could play an important role by ensuring that the tone and culture of system entities feature in their discussions on oversight matters. Participants also highlighted the importance of both senior management and oversight committees regularly assessing and understanding organizational culture, given its impact on governance, risk management, business transformation and the cost-effective delivery of mandates. It was further noted that, for the boards and audit committees of many global organizations, culture is a priority and perennial agenda item in their discussions.
41.     In its interaction with Management, the Committee reiterated its earlier views that a positive culture is a core asset that can drive improved performance in very concrete ways and needs to be seen and managed as such. Conversely, a dysfunctional culture has the potential to seriously undermine the very purpose and desired impact of entities and creates significant risk. Culture is also highly dynamic, especially in the volatile operating environment of many United Nations system entities, and requires constant vigilance and a continuous improvement mindset.
42.     The Committee therefore continues to encourage senior management to include culture as a regular feature of their discussions. For a start, Management needs to be clear about: (a) the values and behaviours that will help the Organization to excel; (b) how the incentives, policies and controls they are designing will support the entities’ purpose and desired culture; and (c) the behaviours for which there will be zero tolerance.
43.     In response to those recommendations, Management indicated that the Secretary-General fully supports the sentiment that a positive culture is a core asset that can drive improved performance in very concrete ways and has placed a strong emphasis on organizational culture in the context of his ongoing management reform. The Committee was further informed that the Secretary-General was working to create a culture of empowerment and accountability, ensuring that leaders, managers and staff have the wherewithal to achieve, where, when and as required.
44.     The Committee continues to welcome the efforts that the Secretary-General has put into addressing management culture, including the attention that the discussion of culture has garnered within the United Nations system as exemplified by the involvement of the High-level Committee on Management in this matter. Noting the importance of the tone at the top, the Committee reiterates its recommendation that the Organization take advantage of the reform to undertake a holistic review of the culture of the Organization. The Committee believes that the Organization should systematically identify the attributes of a positive culture that should define the Organization and should implement them both in word and in action.

 

                         Information and communications technology strategy, infrastructure and security

 

45.     In paragraph 43 of its report for the period from 1 August 2016 to 31 July 2017 (A/72/295), the Committee recognized the potential scale and impact of the threats to cybersecurity and digitalization. In the same report, the Committee was informed that a 10-point action plan to mitigate the risk had been developed.
46.     At the meeting of the Chairs and Vice-Chairs of the United Nations system oversight committees held in December 2018, participants continued to recognize cybersecurity as a critical enabler of the opportunities associated with digitalization. In its previous report (A/73/304), the Committee noted some trends in cybersecurity, including the need for organizations to move from reactive measures to taking proactive protective measures, such as strong isolation of sensitive applications from legacy applications; the exchanging of data only through clearly defined interfaces and various technical solutions, such as next generation firewalls. Participants were also informed of the need for cybersecurity risk management to be part of an organization’s wider enterprise risk management and business continuity framework.
47.     The Committee followed up with Management regarding issues such as how the skills deficits in cybersecurity and data analytics are being addressed. In response, the Committee was informed that the Digital and Technology Network (formerly the Information and Communication Technology Network) had established an Information Security Special Interest Group that is actively discussing cybersecurity-related risks.
48.     The Committee continues to recognize the potential scale and impact of the threat to cybersecurity and digitalization and welcomes the efforts of Management to address those challenges, including through mandatory training. The Committee also recalls Management’s view that cybersecurity is as strong as its weakest link. On that note, the Committee recommends that Management make a concerted effort to obtain a 100 per cent completion rate for mandatory training. The Committee is aware that this will require concerted and coordinated efforts among all stakeholders, because the issues are cross-cutting. The Committee plans to continue to follow up on the matter by assessing the extent to which cybersecurity risks are not only being reflected in the Organization’s enterprise risk management strategy but also the extent to which Management is making decisions to mitigate the most important cyberrisks.

 

 

3.     Effectiveness, efficiency and impact of the audit, investigations, inspection and evaluation activities of the Office of Internal Oversight Services

 

 

49.     Under its terms of reference, the Committee has the responsibility to advise the General Assembly on aspects of internal oversight (resolution 61/275, annex, paras. 2 (c)–(e)). In undertaking to fulfil its mandate, the Committee has maintained its standard practice of meeting with the Under-Secretary-General for Internal Oversight Services and other senior OIOS officials during its sessions. The discussions have been focused on OIOS workplan and budget execution, significant findings reported by OIOS, operational constraints (if any), post incumbency, the status of implementation by management of OIOS recommendations, including critical recommendations, and strengthening investigations.
50. During the current period, the Committee focused its assessment on: (a) strategic planning, OIOS effectiveness and performance measurement; (b) organizational culture; and (c) matters associated with the 2030 Agenda.

 

1.      Strategic planning, effectiveness of the Office of Internal Oversight Services and performance measurement

 

                         Performance audit

 

51.     According to the standards of the Institute of Internal Auditors, internal auditors have an obligation to assist the organizations they serve in improving the quality of governance, risk management and control processes.^[1] In its report on the state of the internal audit function (A/72/120), the Joint Inspection Unit noted that when the second line of defence (management oversight activities) is strong and well developed, it may enable the internal audit function to, inter alia, expand audit services into more strategic areas, including performance auditing, and extend the coverage of activities and operations over which internal audit can provide effective oversight. According to the Joint Inspection Unit, one of the benefits of performance audits is that they can identify redundancies, unnecessary controls and processes and thereby increase efficiency and value for money.
52.     During the reporting period, the Committee followed up with OIOS regarding its prior recommendation that OIOS clearly identify the steps it plans to take to improve its capability to conduct performance audits. Such steps should include identifying its plans for future performance audits, the applicable audit standards and what training its staff would need to improve their capability to conduct such audits, as well as a communication plan to effectively inform its clients of the shift.
53.     In response, OIOS informed the Committee that the Internal Audit Division continues to conduct many audits where the audit objective refers to economy, efficiency and/or effectiveness, and thus is systematically including elements of performance auditing in most of its audits. This is communicated to clients of the Division during the audit process. In addition, the Committee was informed that the Division also works in partnership with the Inspection and Evaluation Division to further develop its performance auditing techniques, including by providing training and guidance to auditors on: (a) the development of survey questions and the analysis of results; and (b) leading focus groups to better identify key issues and risks and improve the collection and analysis of data. Auditors of the Internal Audit Division have been trained on performance auditing techniques and this has continued to be a topic covered in annual workshops over the past three years or more.
54.     In a related presentation from OIOS, the Committee was informed that a revised standard operating procedure on reporting recommendations with financial implications was issued in May 2019 to ensure that recommendations or findings having financial implications are systematically identified. The Office further informed the Committee that it classifies financial implications into seven categories: loss and waste of resources; recoveries; additional income (one-time); additional income (recurring); budget reduction; expenditure reduction (one-time); and expenditure reduction (recurring). The annual financial implications identified during the investigations, audits, evaluations and inspections processes are reported in the Office’s annual report.
55.     The Committee is aware that a strong second line of defence will not necessarily obviate the need for OIOS to conduct compliance audits. The Committee nevertheless commends OIOS for the effort it is investing in making performance audits and value for money audits a priority. The Committee is aware that more needs to be done and will continue to follow up with OIOS in this regard.

 

                         Vacant posts in the Investigation Division

 

56.     The Committee has consistently expressed its concerns about the high number of vacancies in OIOS. In fact, in several resolutions, the General Assembly has been requesting that the Office make every effort to fill those vacancies as a matter of priority. The Committee continues to consider this as a major risk, hence it appears as a standing item on its agenda. At its forty-seventh session, the Committee was informed that overall, the vacancy rate for OIOS had not improved, but had in fact worsened, from 10.5 per cent, as reported in June 2018, to 14 per cent, as at 30 June 2019. For the Investigation Division, the vacancy rate increased from 11.5 per cent, in 2018, to 22.1 per cent, in 2019, with the peacekeeping section of the Division registering a vacancy rate of 25.8 per cent as at 30 June 2019.
57.     The Committee is aware that OIOS, like any other department in the Secretariat, is operating within the constraint of a tight financial situation, which has required the maintenance of certain vacancies for fiscal reasons. The Committee is also aware of the improvement in the vacancy rate in the Investigation Division reported over the past year. The Committee is nevertheless concerned that the Division has not been able to come up with a sustainable strategy to address the vacancies, especially with respect to the peacekeeping section. The Committee therefore reiterated its prior recommendations that OIOS address this matter as a priority.
58.     With respect to retaining staff, OIOS reiterated the list of obstacles faced by the Investigation Division, including: the lack of a suitable mobility plan, owing to the small size of the Division; the nature of the work (investigators in peacekeeping missions, in many instances, deal with the worst situations); the lack of job security, as some of the posts were temporary; and the view that the Division, as the largest investigation unit in the United Nations system, is typically seen as an entry point for individuals seeking to join the United Nations investigation system. As such, it provides a rich recruiting ground for other United Nations system investigation units seeking well-trained and experienced investigators.
59.     The Committee continues to acknowledge the challenges faced by the Investigation Division in retaining staff and believes it is important for the Division to explore and consider retention approaches that would address the investigators’ need for a desirable duty station from which they can be more easily deployed to the field as needed and/or on a visitorial, short-term and rotating basis.

 

                         Timeliness in the completion of investigation cases

 

60.     The Committee has long contended that the timeliness with which an investigation is completed is an essential element of an effective accountability system. During the reporting period, the Committee followed up with OIOS on some of its performance indicators and was informed that 82 per cent of its investigations are completed within 12 months, whereas 18 per cent take more than one year to complete. The Committee was further informed that the average length of an investigation stands at 11.5 months.
61.     While the average length of an investigation has been brought down to 11.5 months, this is still longer than the six-month period prescribed by OIOS in its programme impact pathways. It is also far higher than the 120 days stipulated in article 8.1 of the Secretary-General’s bulletin on protection against retaliation for reporting misconduct and for cooperating with duly authorized audits or investigations (ST/SGB/2017/2/Rev.1). The fact that investigations taking more than one year to complete comprise 18 per cent of the cases is even more worrying. Best practice and due process require that investigations be carried out with dispatch to deter impunity and feelings of uncertainty in the workplace. The Committee therefore urges the Investigation Division to increase its focus on completing investigations in a timely manner. The Committee further encourages the Division to analyse the root causes of why investigations exceed targeted time frames, including any constraints on resources, and to propose solutions to improve time frames.

 

                         Public disclosure of audit and evaluation reports of the Office of Internal Oversight Services

 

62.     Pursuant to paragraph 11 of General Assembly resolution 69/253, the Committee had discussed the disclosure of public reports with various stakeholders. One entity informed the Committee that, following the decision to make internal audit reports public, there was a need for it to recalibrate the way in which it dealt with the auditors; that management was now paying particular attention to audit reports on account of their potential impact; and that there was more engagement with the auditors. Another official expressed a need for OIOS to continue to be circumspect when dealing with certain reports, owing to the sensitive nature of some of them. At one of its sessions in 2017, the Committee was also informed that, in one entity in the United Nations system, owing to the nature of its work, all member States could have access to internal audit reports on a bilateral basis rather than through public disclosure. In its report on donor-led assessments of the United Nations system organizations (JIU/REP/2017/2), the Joint Inspection Unit reported that donors had called for audit reports to be made publicly available.
63.     The Committee has not encountered any adverse impact due to the public disclosure of OIOS audit and evaluation reports. It will nevertheless continue to review those practices in its future sessions and advise the Assembly as appropriate.

 

2.      Assessing the organizational culture

 

64.     In paragraph 46 of its previous report (A/73/304), the Committee called upon OIOS to come up with a clear methodology, taking into account best practices for periodically assessing the culture of the Organization. The Committee followed up with OIOS on the progress in this regard and was informed that the Internal Audit Division had provided training to almost all of its auditors on auditing culture so as to raise awareness of the subject and share the Division’s strategy for incorporating information regarding the culture and the control environment in its audits. The Committee was further informed that the Division, in collaboration with the Inspection and Evaluation Division, had issued common audit and evaluation guidelines for assessing organizational culture. In addition, OIOS informed the Committee that the Inspection and Evaluation Division had issued an inception paper on the evaluation of organizational culture in peacekeeping missions and its impact on effectiveness in mandate implementation.
65.     Given the importance of having the right culture in an Organization, the Committee welcomes the steps OIOS is taking to assess the organizational culture. The Committee looks forward to reviewing the first report on evaluating culture, which is expected to be completed towards the end of 2019. The Committee will continue to review the matter further at its future sessions.

 

3.      Role of the Office of Internal Oversight Services in the context of the 2030 Agenda for Sustainable Development

 

66.     In paragraphs 64 to 66 of its report for the period from 1 August 2016 to 31 July 2017 (A/72/295), the Committee looked at the progress OIOS was making in embodying the integrated, universal and indivisible nature of the 2030 Agenda throughout its owns operations. As part of its follow-up process, the Committee was informed that in its three-year work planning process, the Internal Audit Division focused on emerging risks related to the Sustainable Development Goals, including gender mainstreaming and gender parity issues. The Committee was also informed that the Division conducted audits to assess the mainstreaming of the Goals in the programmes of United Nations system entities, including the United Nations Conference on Trade and Development, the Economic Commission for Latin America and the Caribbean, the Economic and Social Commission for Asia and the Pacific and the secretariat of the United Nations Framework Convention on Climate Change. In addition, OIOS reported that in 2019, the Division will continue to take that approach in all applicable audits and has scheduled specific audits related to the mainstreaming of the Goals in the programmes of work of the Economic Commission for Africa, the Economic Commission for Europe and the Economic and Social Commission for Western Asia.
67.     The Committee was further informed that the Internal Audit Division audit planning exercise continues to include reviewing risks related to the mainstreaming of the Goals in clients’ programmes of work, as well as capacity development projects to support Member States in their implementation of the Goals. As such, OIOS indicated that it had made several recommendations in its reports including the need to: (a) establish clear governance and accountability processes in mainstreaming the Goals in the programmes of work of clients; (b) identify Member State needs for capacity development and other support; (c) update the Statistics Division’s capacity to respond to the need for data reporting in relation to Goals; (d) develop and implement effective advocacy and outreach plans on voluntary national reviews; and (e) promote the accountability of Member States by reaching out to national oversight institutions, such as the supreme audit institutions.
68.     With respect to the Inspection and Evaluation Division, the Committee was informed that as part of its 2019–2020 workplan, the Sustainable Development Goals Evaluation Working Group of the United Nations Evaluation Group, of which the Division is a member, is being convened with the objective of strengthening the role of evaluation in the processes to review progress towards the achievement Goals. The Working Group has decided that its focus will be on norm- and standard-setting for evaluation relating to the Goals and on building tools for everyone, starting with guidance notes on evaluability, meta-synthesis experiences and big data.
69.     The Committee welcomes the steps OIOS is taking with respect to the 2030 Agenda and will continue to follow up with OIOS on this matter.

 

 

4.     Financial reporting

 

 

70.     During the reporting period, the Committee engaged in discussions with the Board of Auditors, the Under-Secretary-General for Management Strategy, Policy and Compliance, and the Controller, who doubles as the Umoja Project Director on a number of issues relating to financial reporting. The issues discussed included:

1.      Implementation of Umoja, including Umoja Extension 2;
2.      Internal control, especially as it pertains to the delegation of authority and fraud prevention and detection;
3.      After-service health insurance;
4.      Issues and trends apparent in the financial statements of the Organization and the reports of the Board of Auditors.

 

                         Implementation of Umoja

 

71.     In paragraph 81 of its previous report (A/73/304), the Committee welcomed the progress achieved in implementing Umoja, including the commitment to capture the Organization’s cycle from strategic planning to reporting. Regarding the status of the roll-out of Umoja, the Committee followed up with Management with respect to Umoja deployments since its previous report.
72.     The Committee was informed that, following the consideration of the Secretary-General’s tenth annual report on Umoja (A/73/389), the General Assembly, in its resolution 73/279 A: (a) welcomed the expansion of the Umoja user base to 46,500 users across 420 locations; (b) recognized the progress made towards the completion of full deployment of the Umoja project and requested the Secretary-General to achieve the full implementation of the Umoja solution by December 2019; and (c) reaffirmed the importance of effective and high-quality training.
73.     The Committee was also informed that, in addition to the aggressive timelines for Umoja Extension 2 implementation, in 2018 the Umoja team provided support to the Secretary-General’s reforms in several ways, including: (a) setting up new organizational structures for all three reform pillars, effective 1 January 2019, namely the preparation of data in Umoja relating to organization, position, funding and staff; (b) assisting with the design and establishment of the coding blocks and the work breakdown structure elements; and (c) supporting the new departments and new delegation of authority framework.
74.     The Committee was further informed that the strategic planning, budget formulation and performance management module will capture the entire cycle, including strategic planning, budget execution, monitoring and reporting across all funding sources. Management noted that it will replace a disparity of systems and will provide a 360-degree view for managers.
75.     The Committee continues to welcome the progress achieved in implementing Umoja, including the commitment to capture the Organization’s cycle from strategic planning to reporting as part of the Umoja Extension 2 implementation. The Committee is aware of the December 2019 deadline to complete the implementation of Umoja. Given the importance of the enterprise resource planning system to the Organization, the Committee believes that it is imperative to ensure that the roll-out of the remaining modules is properly addressed.

 

                         Governance, risk and compliance module

 

76.     As part of the integrated assurance process, the Committee welcomed the Organization’s adoption of the three lines of defence model. Within this model, management control forms the first line of defence, the various risks, controls and compliance measures form the second line and the independent assurance (from OIOS and other oversight bodies) form the third line of defence.
77.     The Committee recalled its prior recommendations that Management put in place an audit module that takes into account the needs of OIOS before the finalization of the design phase of Umoja. The Committee also recalls that Management had indicated that the governance, risk and compliance module (which was in the development stage) would, in addition to being an enabling tool for the second line of defence, also serve as an audit module that could be used by OIOS.
78.     The Committee followed up with both Management and OIOS regarding the progress in having a fully functional governance, risk and compliance module. Management informed the Committee that although it was committed to implementing the governance, risk and compliance module after the roll-out of Umoja Extension 2, the current version of the module will not be compatible with the new version of SAP that is soon to be installed. Accordingly, Management indicated that the governance, risk and compliance module will be installed after the completion of the Umoja upgrades.
79.     The Office of Internal Oversight Services, on the other hand, informed the Committee that it had significantly increased its capacity to extract data from Umoja and has issued a data extraction manual to provide guidance to its auditors in extracting data from Umoja, making the reliance on the governance, risk and compliance module less critical. OIOS was of the view that the governance, risk and compliance module, while facilitating OIOS work, would also be of great benefit for the functions to be conducted by the second line of defence.
80.     The Committee still believes that the governance, risk and compliance module is a critical enabler of a strong accountability system and should be considered high priority in the implementation of Umoja. The Committee further believes that a fully implemented governance, risk and compliance module will lead to more effective second and third lines of defence. The Committee is also of the opinion that a fully functional governance, risk and compliance module and a robust data analytics capability are not mutually exclusive, especially since not all auditors will be experts in data analytics. The Committee therefore reiterates is previous recommendation that in finalizing Umoja, Management ensure that it has in place a module that will facilitate the work of both the second and third lines of defence.

 

                         Internal control system and anti-fraud policy

 

                         Statement of internal control

 

81.     In the course of preparing its four previous reports (A/70/284, A/71/295, A/72/295 and A/73/304), the Committee received regular updates from Management and reported on the statement of internal control. The statement of internal control is a public accountability document that describes the effectiveness of internal controls in an organization.^[2] The Committee was previously informed that the statement of internal control was set around four main work pillars covering the assurance process, training, the Umoja governance, risk and compliance module and the Internal Control Advisory Group.
82.     With respect to the Advisory Group, the Committee was informed that the group’s main objective was to provide technical advice on the implementation of the statement of internal control across the Secretariat so as to ensure technical compliance with the requirements of the internal control-integrated frameworks of the Committee of Sponsoring Organizations of the Treadway Commission, as adapted to the United Nations, at all times. The Committee met with the members of the Advisory Group, who underscored the usefulness of the statement of internal control as a tool for good governance. The Advisory Group also underscored the fact that when an organization is going through significant change, having a statement of internal control in place was very helpful as a means of fostering a positive culture and mindset.
83.     During the current reporting period, the Committee was provided with an update pertaining to the implementation of the statement of internal control. Management indicated that the first statement of internal control would be issued in 2021, covering operations in 2020, and that departments had been informed accordingly. With respect to the Advisory Group, the Committee was informed that the Group continues to provide constructive feedback. Management further noted that the Advisory Group concurred with the Organization’s decision to delay the implementation of the statement of internal control and that the Group was pleased with the progress achieved so far.
84.     In paragraph 94 of its previous report (A/73/304), the Committee recommended that Management ensures that in the second phase, the remaining reporting objectives (non-financial) of the statement of internal control are appropriately captured within the accountability system of the Organization. The Committee followed up with Management in this regard and was informed that the Organization had decided to implement all the reporting objectives of statement of internal control, including the operational ones. According to Management, the result of this exercise would be the issuance of a statement of internal control that would accompany International Public Sector Accounting Standards-compliant financial statements. In the intervening period, the Committee was informed that a team plans to travel to Lebanon to test the survey and the self-assessment programmes among the United Nations system entities there.
85.     The status of the governance, risk and compliance module is discussed extensively in paragraphs 76 to 80 above. The Committee nevertheless recalls paragraph 91 of its previous report (A/73/304), where Management informed the Committee that the Organization was building the governance, risk and compliance platform in Umoja, with the hope of issuing the first statement of internal control in the financial statements for 2020.
86.     Without the governance, risk and compliance module in place, the Committee is concerned that there may be significant challenges with regard to the issuance of the statement of internal control.
87.     The Committee reiterates its position that the statement of internal control is an important accountability tool, which assists an organization in providing assurance that it is appropriately managing and controlling the resources under its responsibility. The Committee commends the progress made so far, supports Management’s decision to expand the scope of the statement of internal control to include controls over operations, and will continue to monitor and report on the status thereof in future reports.

 

                         End-of-service liabilities

 

88.     With respect to the end-of-service liabilities, the Committee recalled its prior comments and recommendations (contained in its reports A/63/328 and A/69/304), in which the Committee had called on the General Assembly to decide whether, how and to what extent the liabilities would be funded. Furthermore, during the Committee’s discussions with various offices, the issue of employee benefits liabilities, specifically after-service health insurance, was noted by Management as a major concern.
89.     According to Management, after-service health insurance liabilities stood at $4.27 billion (Vol. I) as at 31 December 2018, representing a decrease of 6.9 per cent from $4.6 billion the previous year. For peacekeeping operations (Vol. II), the after-service health insurance liabilities as at 30 June 2018 stood at $1.36 billion, down slightly from $1.41 billion the previous year. According to the Board of Auditors, employee benefit liabilities constituted 75 per cent of total liabilities for non‑peacekeeping financial statements, a slight improvement from the 88.8 per cent reported the previous year. With respect to the decrease in after-service health insurance liabilities, the Board attributed it to a higher discount rate used in the actuarial valuation.
90.     The Committee believes that for the United Nations to have after-service health insurance liabilities making up 75 per cent of the total liabilities presents, in and of itself, a significant risk which should be properly managed.
91.     Moreover, in paragraph 98 of its previous report (A/73/304), the Committee reiterated its prior recommendation that the General Assembly revisit this matter with a view to ensuring that funding for end-of-service liabilities is placed on a sustainable path. The need to implement the recommendation has become all the more urgent, since it cuts across the United Nations system, with significant ramifications.
92.     The Committee is pleased to note that the General Assembly has continued to deliberate on this important subject. Although the General Assembly has decided to maintain the pay-as-you-go for after-service health insurance, the Committee is encouraged that the Assembly continues to focus on this matter.

 

 

5.     Coordination among United Nations oversight bodies

 

 

93.     During the reporting period, in addition to its regularly scheduled meetings with OIOS, the Committee met with other oversight bodies, such as the Joint Inspection Unit and the Board of Auditors, including the Audit Operations Committee. The dialogue allowed for the sharing of perspectives on matters of mutual concern and provided a useful opportunity for cooperation among United Nations oversight bodies.
94.     The Committee sought comments from the three oversight bodies, each of which emphasized, in their comments, the existing coordination mechanisms, including the sharing of their programmes of work. In separate meetings with the Board of Auditors, the Joint Inspection Unit and OIOS, the Committee noted the positive relationship fostered through the tripartite coordination meetings of the oversight bodies and the sharing of workplans in an effort to avoid duplication. The Committee believes that such coordination provides a valuable platform for additional opportunities for cooperation.
95.     Furthermore, in December 2018, the Committee hosted a third meeting of the Chairs and Vice-Chairs of the United Nations system oversight committees. A total of 25 representatives from 20 oversight committees, from organizations within the Secretariat, the funds and programmes, the specialized agencies and the World Bank attended the meeting.
96.     During the meeting, discussions resumed, building on the previous meetings, with regard to common challenges and potential identification of good practices in the work and conduct of the United Nations system oversight committees. Participants continued to focus on how oversight committees can contribute to the assessment and understanding of organizational culture, the escalating and potentially unsustainable cost of after-service health insurance under a pay-as-you-go approach and the risk it presents, the role of oversight committees in the governance architecture of the United Nations system organizations and investigative capacity, as well as workplace harassment and sexual harassment, bullying and whistle-blower protection.
97.     Following the conclusion of the meeting, the participants agreed to convey the concerns outlined above to the Secretary-General, in his capacity as Chair of the United Nations System Chief Executives Board for Coordination. In his letter, the Secretary-General highlighted the progress the organizations have achieved in this respect.

 

 

6.     Other matters

 

 

                         Audit report of the Office of Internal Oversight Services on United Nations Joint Staff Pension Board governance

 

98.     Pursuant to General Assembly resolution 72/262 A, OIOS conducted an audit of the governance structure and related processes of the United Nations Joint Staff Pension Board, from February to May 2018, and issued a report (A/73/341) on 6 September 2018. In its resolution, the General Assembly requested OIOS to conduct a comprehensive audit of the governance structure of the Pension Board and submit a report with key findings to the General Assembly at its seventy-third session. On 8 August 2018, the Chair of the Pension Board wrote to the then Chair of the Independent Audit Advisory Committee to request the Committee to consider the report “in view of what was seen by the large majority as a flawed audit process that some members considered did not follow the accepted practice and standards for the professional practice of internal auditing, as well as those expressed in the United Nations Joint Staff Pension Fund Internal Audit Charter”.
99.     The Committee conducted due diligence on this matter from August 2018 to July 2019. In addition to reviewing the report of OIOS on Pension Board governance, including the Pension Board’s response to OIOS recommendations and OIOS rebuttal of the Board’s responses, the Committee met with the Chairs of the Pension Board (past and present), the past Chair of the Pension Fund Audit Committee and with OIOS leadership to hear their perspectives. The Committee weighed the information in the report, testimonial evidence and other information such as General Assembly guidance and internal audit guidelines.
100.   The Pension Board and OIOS believe that the governance audit conducted in response to General Assembly resolution 72/262 would have benefited from a longer time frame for discussion of key issues and findings. The Committee however, did not find evidence that OIOS did not follow the accepted practice and standards for the professional practice of internal auditing in conducting the audit.
101.   On that note, the Committee encourages the leadership of the Pension Board and OIOS to move past the disagreements associated with this audit and work together to develop and sustain open and constructive communications with regard to future audits of issues relating to the United Nations Joint Staff Pension Fund.

 

 

7.     Cooperation and access

 

 

102.   The Committee reports that it received good cooperation from OIOS and senior management in the Secretariat, including the Department of Management Strategy, Policy and Compliance, in discharging its responsibilities. The Committee was given appropriate access to staff, documents and information that it needed in order to conduct its work. The Committee is pleased to report that it continued to work closely with the Joint Inspection Unit and the Board of Auditors. The Committee looks forward to continued cooperation with the entities with which it interacts in order to discharge its responsibilities, as set out in its terms of reference, in a timely manner.

 

 

4.     Conclusion

 

 

103.       In the context of its terms of reference, the Independent Audit Advisory Committee presents the preceding observations, comments and recommendations, as contained in paragraphs 17, 21, 26, 29, 32, 38, 42, 44, 48, 55, 57, 59, 61, 63, 65, 69, 75, 80, 86, 87, 90, 92, 100 and 101 for the consideration of the General Assembly.