This SOP will be used by the Headquarters Audit Section as well as the Special Assignments Section.


Headquarters Audit Risk Assessment Model
Standard Operating Procedure No. 121
Date of Original Issue: 17 September 2014
Date of Revision: 3 September 2015

Purpose

This SOP supplements SOP No. 120 Annual Work Planning, which describes the risk assessment process in general. This SOP 121 deals with one set of the audit universe: the Headquarters-based audit universe. Specifically, this SOP describes the risk assessment model for identifying and selecting potential audit areas to be considered in the Audit Plan. This SOP supersedes the last updated version of SOP No. 121 dated 17 September

This SOP will be used by the Headquarters Audit Section as well as the Special Assignments Section.

Audit Universe

The Headquarters-based universe consists of entities and processes.

- Entities (this refers to business units)
  - Headquarters Bureaux
  - Outposted Headquarter units such as Regional Centres, Representation Offices, Policy Centres and Global Shared Service Centres
  - Special funds and programmes such as United Nations Volunteers, United Nations Capital Development Fund, and United Nations Office for South-South Cooperation.
- Key business processes and sub-processes spanning across two or more HQ units.
  - Processes refer to an activity or set of activities that will accomplish a specific organizational goal. Business processes in UNDP are approved at the corporate level. Identifying and managing critical business processes is vital in the effective management of UNDP.

Risk identification and prioritization

Risk assessment for processes is important due to the cross-cutting nature of some processes. Processes carried out exclusively by a unit within the audit universe will be covered as part of that unit's audit and will not be considered separately in the risk assessment. Where processes span two or more units (cross-cutting processes), these will be assessed separately.

Some risk indicators are more critical than others.
In ranking the risks, the following weights will be applied based on an overall understanding of the risk indicators' significance. The relevance of these weights has to be reviewed annually prior to the start of the risk assessment exercise. The risk assessment for entities and processes will be performed at the same time.

(a) For entities (see Annex A for definitions and scores)

Risk categories/indicators
Risk categories - UNDP ERM | OAI's operationalization of the risk categories | Risk indicators - for HQ based audit universe (Entities) | Percentages

Financial | Financial materiality
- (a) Total annual expenditure: 10%
Operational | Operational complexity
- (b) Significance of entity for implementing UNDP's objectives: 10%
- (c) Recent or anticipated major changes: 7.5%
- (d) Complexity of Offices/Bureaux operations, processes, systems: 15%
Organizational | Entity-level controls
- (e) Time elapsed since last audit: 10%
Political, Strategic, Regulatory, Environmental | Stakeholders concerns
- (f) Significance of entity to deliver development results: 10%
- (g) Control effectiveness*: 20%
- (h) Clarity of communication and tone at the top: 10%
- (i) Special interests and concerns of UNDP stakeholders: 7.5%
Total: 100%

* Refers to the adequacy and effectiveness of internal controls. An internal control is a process, effected by an entity's management, designed to provide reasonable assurance regarding the achievement of objectives.

(b) For processes (see Annex B for definitions and scores)

Risk categories/indicators
Risk categories - UNDP ERM | OAI's operationalization of the risk categories | Risk indicators - for processes | Percentages

Operational | Operational complexity
- (a) Significance of process for implementing UNDP's objectives: 15%
- (b) Recent or anticipated major changes: 10%
- (c) Complexity of Offices/Bureaux operations, processes, systems: 15%
Organizational | Entity-level controls
- (d) Time elapsed since last audit: 15%
Political, Strategic, Regulatory, Environmental | Stakeholders concerns
- (e) Significance of process to deliver development results: 15%
- (f) Control effectiveness*: 20%
- (g) Special interests and concerns of UNDP stakeholders: 10%
Total: 100%

* Refers to the adequacy and effectiveness of internal controls. An internal control is a process, effected by management, designed to provide reasonable assurance regarding the achievement of objectives.

Annex A: Risk Indicators for Entities: Definitions and Scores

(a) Total annual expenditure

Annual expenditure is one of the key elements in assessing inherent risk and quantifying the materiality of the impact if a control breakdown occurs. For entities, the total delivery pertains to the total expenditure for 12 months. The validity of the scale below must be reviewed every year, prior to the start of the risk assessment exercise.

- <=$7.5 million: 1
- >$7.5 million to $15 million: 2
- >$15 million to $30 million: 3
- >$30 million to $60 million: 4
- >$60 million: 5

Source: Executive Snapshot

(b) Significance of entity in implementing the organization's objectives

Most Headquarters entities are not the primary implementing and spending entities within UNDP. They carry out supporting functions and therefore their financial volume is mainly composed of their administrative expenditure. However, they may play a significant, indirect role in enabling the organization to achieve its objectives.

- No or minor impact on organizational objectives if disruption of activities/ processes occurs
- Low impact on organizational objectives if disruption of activities/ processes occurs
- Medium impact on organizational objectives if disruption of activities/ processes occurs
- Major impact on organizational objectives if disruption of activities/ processes occurs
- Critical impact on organizational objectives if disruption of activities/ processes occurs

Sources: Strategic plan; Headquarters Products and Services Survey; IRRF; UNDP dashboards

(c) Recent or anticipated changes

Recent or anticipated changes in the office portfolio, leadership or organizational structure may impact on the operations or necessitate changes in the organizational structure, business systems or processes, policies and procedures, including increase or decrease in staff and other personnel.

- No changes in the previous year / expected or some changes expected with no impact: 1
- Some changes in the previous year / expected with minor impact: 2
- Major changes in the previous year / expected with some impact: 3
- Major changes in the previous year / expected with major impact: 4
- Several major changes in the previous year / expected with critical impact: 5

Sources: Interviews / documentation review (QCPR decisions, IRRF, EB decision and documents)

(d) Complexity of Offices/Bureaux operations, processes, systems

Complexity in organizational structure, processes and systems may give rise to increased operational and financial risks. Complex conditions may include factors such as: (i) size of the office/number of parties involved, (ii) unclear or overlapping processes or systems, (iii) variety of transactions, (iv) level of difficulty to achieve objectives etc.

- Very low complexity / basic process: 1
- Relatively simple and straightforward operations, processes, systems: 2
- Moderately complex operations, processes, systems: 3
- Highly complex operations, processes and systems: 4
- Very highly complex operations (with different parties involved within the primary unit/entity, complex systems and processes, high number of transactions, etc.): 5

Sources: Executive Snapshot; Strategic Plan; Annual Work Plans; Mandated TORs; Headquarters Products and Services Survey; Risk logs; Interviews

(e) Time elapsed since last OAI/BOA audit

The time elapsed since the last audit (by OAI or other independent body) can be used as an indication of the degree of confidence regarding the internal controls of an entity/ process.

- Audit done within the past year: 1
- Audit done one to two years ago: 2
- Audit done three to four years ago: 3
- Audit done five or six years ago: 4
- No audit performed: 5

Sources: OAI CARDS database; Board of Auditors reports

(f) Significance of entity to deliver development results

Some entities in UNDP are more significant than others for the organization to achieve its developmental goals and remain relevant in the development arena.

- Entity has low significance for UNDP achieving/delivering its development results and for remaining relevant in the development arena: 1
- Entity is moderately important for UNDP achieving/ delivering its development results and for remaining relevant in the development arena: 2
- Entity is highly important for achieving/delivering UNDP's development results and for remaining relevant in the development arena: 3
- Entity is very highly important for achieving/delivering UNDP's development results and for remaining relevant in the development arena: 4
- Entity is critical for achieving/delivering UNDP's development results and for remaining relevant in the development arena: 5

Sources: Strategic Plan; Annual Work Plans; Evaluation reports; Mandated TORs; Headquarter Products and Services Survey

(g) Control effectiveness

The result of the last audit, corporate recommendations relating to the entity from country office audits as well as indications from interviews and any other sources will be used to come to a conclusion regarding the control effectiveness of an entity/ process.

- Based on any information available, it can be assumed that controls are adequate / effective and produce the desired results.
- Based on any information available, it can be assumed that controls produce the desired results to some extent and are partly adequate / effective.
- Based on any information available, it can be assumed that controls do not on the whole produce the desired results and are not overall adequate and effective.
- Based on any information available, it can be assumed that the controls are overall inadequate / ineffective and fail to produce the desired results.
- Based on any information available, there is complete absence of controls or the controls in place are fully ineffective

Sources: OAI CARDS database; Board of Auditors reports; Joint Inspection Unit reports

(h) Clarity of Communication and tone at the top

UNDP conducts General Satisfaction Surveys annually. Two areas were selected from the GSS survey, which reflect clarity of communication and tone at the top: office management team and top management. The risk score is based on the 50th percentile (triangle) and on the 25th through 75th percentile (blue bar) of all COs' score:

- Unit score is to the right of the triangle (well above average): 1
- Unit score is to the right and overlapping the triangle (above average): 2
- Unit score is to the left of the triangle but still touching the blue bar (average): 3
- Unit score is to the left of the triangle and outside the blue bar (> 40 percent): 4
- Unit score is to the left of the triangle and outside the blue bar (<= 40 percent): 5

Source: Annual GSS Survey results GSS Overview Dimension Profile

(i) Special interests and concerns of UNDP stakeholders (to be assessed by the Executive Office and Partnership Bureau and Audit Chief concerned HAS and/or SAS)

The level of interest that UNDP stakeholders (namely: Executive Board, member states, donors, international community, local partners, media, general public) may have in the auditable unit may vary. This interest, in turn, determines the reputational risk for UNDP that is associated with individual units and processes. The assessment by the audit clients and respective Audit Chief will have equal weight.

- Existing level of interest is none: 1
- Existing level of interest is low: 2
- Existing level of interest is moderate: 3
- Existing level of interest is high: 4
- Existing level of interest is very high: 5

Sources: HAS surveys and/or questionnaires to the Executive Office; Inputs from Partnerships Bureau; Executive Board minutes

Annex B: Risk Indicators for Processes: Definitions and Scores

(a) Significance of process in implementing the organization's objectives

Processes are vital in enabling the organization to achieve its objectives. An effective process is one that achieves the results that are intended, i.e. the objectives. An effectively managed process is a process in which the activities, resources and behaviors are planned, organized and controlled in a way that the outcomes meet specified objectives. Any disruption in key processes will have an impact on the achievement of organizational objectives.

- No or minor impact on organizational objectives if disruption of process occurs: 1
- Low impact on organizational objectives if disruption of process occurs: 2
- Medium impact on organizational objectives if disruption of process occurs: 3
- Major impact on organizational objectives if disruption of process occurs: 4
- Critical impact on organizational objectives if disruption of process occurs: 5

Sources: Strategic plan; Headquarters Products and Services Survey; IRRF; UNDP dashboards

(b) Recent or anticipated changes

Recent or anticipated changes in the office portfolio, leadership or organizational structure may impact on the operations or necessitate changes in the organizational structure, business systems or processes, policies and procedures, including increase or decrease in staff and other personnel. In addition, new policies enacted by UNDP or decisions by the EB may have a significant impact on processes.

- No changes in the previous year / expected or some changes expected with no impact: 1
- Some changes in the previous year / expected with minor impact: 2
- Major changes in the previous year / expected with some impact: 3
- Major changes in the previous year / expected with major impact: 4
- Several major changes in the previous year / expected with critical impact: 5

Sources: Interviews / documentation review (QCPR decisions, IRRF, EB decision and documents)

(c) Complexity of processes and systems

Complexity in processes and systems may give rise to increased operational and financial risks. Complex conditions may include factors such as: (i) number of units involved, (ii) unclear or overlapping processes or systems, (iii) variety of transactions, (iv) level of difficulty to achieve objectives etc.

- Very low complexity / basic process: 1
- Relatively simple and straightforward operations, processes, systems: 2
- Moderately complex operations, processes, systems: 3
- Highly complex operations, processes and systems: 4
- Very highly complex operations (with different parties involved within the primary unit/entity, complex systems and processes, high number of transactions, etc.): 5

Sources: Executive Snapshot; Strategic Plan; Annual Work Plans; Mandated TORs; Headquarters Products and Services Survey; Risk logs; Interviews

(d) Time elapsed since last OAI/BOA audit

The time elapsed since the last audit (by OAI or other independent body) can be used as an indication of the degree of confidence regarding the internal controls of a process.

- Audit done within the past year: 1
- Audit done one to two years ago: 2
- Audit done three to four years ago: 3
- Audit done five or six years ago: 4
- No audit performed: 5

Sources: OAI CARDS database; Board of Auditors reports

(e) Significance of process to deliver development results

Some processes in UNDP are more significant than others for the organization to achieve its developmental goals and remain relevant in the development arena.

- Process has low significance for UNDP achieving/delivering its development results and for remaining relevant in the development arena
- Process is moderately important for UNDP achieving/ delivering its development results and for remaining relevant in the development arena
- Process is highly important for achieving/delivering UNDP's development results and for remaining relevant in the development arena
- Process is very highly important for achieving/delivering UNDP's development results and for remaining relevant in the development arena
- Process is critical for achieving/delivering UNDP's development results and for remaining relevant in the development arena

Sources: Strategic Plan; Annual Work Plans; Evaluation reports; Mandated TORs; Headquarter Products and Services Survey

(f) Control effectiveness

The result of the last audit, corporate recommendations relating to the process from country office/corporate audits as well as indications from interviews and any other sources will be used to come to a conclusion regarding the control effectiveness of an entity/ process.

- Based on any information available, it can be assumed that controls are adequate / effective and produce the desired results.
- Based on any information available, it can be assumed that controls produce the desired results to some extent and are partly adequate / effective.
- Based on any information available, it can be assumed that controls do not on the whole produce the desired results and are not overall adequate and effective.
- Based on any information available, it can be assumed that the controls are overall inadequate / ineffective and fail to produce the desired results.
- Based on any information available, there is complete absence of controls or the controls in place are fully ineffective

Sources: OAI CARDS database; Board of Auditors reports; Joint Inspection Unit reports

(g) Special interests and concerns of UNDP stakeholders (to be assessed by the Executive Office and Partnership Bureau and Audit Chief concerned HAS and/or SAS)

The level of interest that UNDP stakeholders (namely: Executive Board, member states, donors, international community, local partners, media, general public) may have in a process may vary. This interest, in turn, determines the reputational risk for UNDP that is associated with individual processes. The assessment by the audit clients and respective Audit Chief will have equal weight.

- Existing level of interest is none: 1
- Existing level of interest is low: 2
- Existing level of interest is moderate: 3
- Existing level of interest is high: 4
- Existing level of interest is very high: 5

Sources: HAS surveys and/or questionnaires to the Executive Office; Inputs from Partnerships Bureau; Executive Board minutes

Information Communication Technology Audit Risk Assessment Model
Standard Operating Procedure No. 122
Date of original issue: 19 December 2012
Date of Issue: 16 September 2015

Annex: Risk Indicators: Definitions and scores

(a) Business and operational impact of ICT systems / processes (financial) (to be assessed by OFRM and OAI)

UNDP's core functions and business processes are supported by a variety of ICT systems and processes. UNDP's ability to execute its core functions will be negatively impacted if the ICT systems / processes supporting these core functions are unavailable or do not function as expected. This factor will assess the financial consequences for UNDP with regard to the unavailability or incorrect functioning of its ICT systems / processes.

- No or very minor financial impact for UNDP in case ICT system / process is down: 1
- Financial impact for UNDP of less than $0.5 million in case ICT system / process is down: 2
- Financial impact for UNDP of more than $0.5 million, but less than $5 million in case ICT system / process is down: 3
- Financial impact for UNDP of more than $5 million, but less than $50 million in case ICT system / process is down: 4
- Financial impact for UNDP of more than $50 million in case ICT system / process is down: 5

Source: OFRM, Special Assignments Section with input from OAI staff with ICT audit qualifications

(b) Business and operational impact of ICT systems / processes (operational) (to be assessed by OIMT and OAI)

UNDP's core functions and business processes are supported by a variety of ICT systems and processes. UNDP's ability to perform its core functions will be negatively impacted if the ICT systems / processes supporting these core functions are unavailable or do not function as expected. This factor will assess the impact that unavailable or incorrectly functioning ICT systems / processes will have on UNDP's ability to continue conducting its day to day business.

- No or very minor disruption of UNDP's business processes in case ICT system / process is down: 1
- Minor disruption of UNDP's business processes in case ICT system / process is down: 2
- Moderate disruption of UNDP's business processes in case ICT system / process is down: 3
- Significant disruption of UNDP's business processes in case ICT system / process is down: 4
- Very significant disruption of UNDP's business processes in case ICT system / process is down: 5

Source: OIMT, Special Assignments Section with input from OAI staff with ICT audit qualifications

(c) Complexity of ICT systems / processes (to be assessed by OIMT and OAI)

This factor regards the extent of interfaces, interdependencies, and other technical concepts that increase the complexity of the ICT system / process. The more complex a system / process is, the more difficult it becomes to manage, increasing the risk of something unforeseen happening, causing the system / process to malfunction. Besides technical components, the complexity of the system / process will also be based on the number of staff supporting the system / process and the number of users / units using the system / process. For the purpose of this risk assessment the complexity of a system / process will be considered to move in sync with the numbers of users and staff supporting the system / process (complexity increases with the increase in numbers of users as well as with the increase in number of staff supporting it).

- Simple and straightforward ICT system / process: 1
- Minimally complex ICT system / process: 2
- Moderately complex ICT system / process: 3
- Complex ICT system / process: 4
- Highly complex ICT system / process: 5

Source: OIMT, Special Assignments Section with input from OAI staff with ICT audit qualifications

(d) Quality of internal controls (to be assessed by OIMT and OAI)

This factor considers the extent to which ICT systems / processes have a known history of control weaknesses based on the results of previous audits of these systems / processes. Furthermore, the skill level of staff, the strength of the management team and organizational structure supporting the systems / processes as well as the extent to which the systems / processes have been documented will be taken into account. The risk will be considered to be higher in case of previously noted control weaknesses, in case of a lack of skills of staff, weaknesses in the management team or organizational structure supporting the systems / processes, and in case of a lack of documentation.

- No issues with regard to control weaknesses, skill levels of staff, strength of management team supporting the system / process or documentation that would affect the quality of internal controls of the ICT system / process.
- Minor issues with regard to control weaknesses, skill levels of staff, strength of management team supporting the system / process or documentation, minimally affecting the quality of internal controls of the ICT system / process.
- Issues with regard to control weaknesses, skill levels of staff, strength of management team supporting the system / process or documentation, moderately affecting the quality of internal controls of the ICT system / process.
- Major issues with regard to control weaknesses, skill levels of staff, strength of management team supporting the system / process or documentation severely affecting the quality of internal controls of the ICT system / process
- Major issues with regard to control weaknesses, skill levels of staff, strength of management team supporting the system / process or documentation, with generally unknown impact on the quality of internal controls of the ICT system / process.

Source: CARDS, OIMT, Special Assignments Section with input from OAI staff with ICT audit qualifications

(e) Public sensitivity and disclosure impact (to be assessed by BERA and OAI)

Risk comes in many forms and the cost of adverse events can be direct (lost contributions) or indirect (reputation). This factor considers how internal and external stakeholders and the general public may react to any adverse event affecting UNDP's ICT systems / processes (e.g. breach of data, leaking of privileged information).

- No or isolated local comments of informal nature: 1
- Several external local comments of informal nature: 2
- Comments in external local media / forums of a more formal nature: 3
- Comments in international media / forums or among stakeholders: 4
- Featured reports in international media or among key stakeholders: 5

Source: BERA, Special Assignments Section with input from OAI staff with ICT audit qualifications

Country Office Audit Risk Assessment Model
Standard Operating Procedure No. 123
Date of original issue: 22 August 2013
Date of revised issue: 2 December 2016

Purpose

, which describes the risk assessment process in general. This SOP 123 deals with one set of the sub-audit universe: the Country Offices (COs). Specifically, this SOP describes the risk assessment model for selecting COs to be considered in the Audit Plan. This SOP supersedes the last updated version of SOP No. 123 dated 11 September

Risk identification and prioritization

Some risk indicators are more critical than others. In ranking the risks, the following weights will be applied reviewed annually prior to the start of the risk assessment exercise.

Risk categories/indicators
Risk categories UNDP ERM | OAI operationalization of the risk categories | Risk Indicators for COs audit universe | Percentages

Financial | Financial materiality
- (a) Total programme delivery: 15%
- (b) Financial data quality: 10%
Operational | Operational complexity
- (c) Recent or anticipated major changes in CO portfolio or structure: 10%
- (d) Results of NGO/NIM (HACT) reviews: 10%
Organizational | Entity-level controls
- (e) Time elapsed and previous risk score since last audit: 10%
- (f) GSS: Tone at the top: 10%
Political, Strategic, Regulatory, Environmental | concerns
- (g) in UNDP: 10%
- (h) Exceptional circumstances or political situations: 10%
- (i) Special concerns of UNDP stakeholders: 10%
- (j) Transparency International Corruption Perceptions Index: 5%
Total: 100%

Generally, Country Offices are audited in a cycle based on the risk level, as follows:

Total risk score* | Risk Level | Frequency of audits
>3.7 | Very High | Every 2 years
>2.65 up to 3.7 | High | Every 3 years
>2.2 up to 2.65 | Medium High | Every 4 years
>1.8 up to 2.2 | Medium Low | Every 5 years
<=1.8 | Low | Every 6 years

*The range of total risk scores may vary based on the result of the annual risk assessment.

Annex: Risk Indicators: Definitions and Scores

(a) Total programme delivery

Delivery amount is one of the key elements to assess risk, especially in the cases of COs that support development services through the procurement of goods and services. The total programme delivery by a CO pertains to its total expenditure during a one-year period, preferably from the beginning of September of the prior year up to the end of August of the current year. COs that did not incur expenditures during the period are removed from the list. The validity of the scale below must be reviewed every year, prior to the start of the risk assessment exercise.

- <=$7.0 million: 1
- >$7.0 million up to $15 million: 2
- >$15 million up to $30 million: 3
- >$30 million up to $60 million: 4
- >$60 million: 5

Source: Atlas Snapshot report

(b) Financial data quality

Financial data quality is measured monthly on a dashboard with selected finance indicators that determine the condition of financial information. It captures accounting errors (such as accounts payable errors, accounts receivable direct journal errors, and purchase order errors) and the status of accounting information. The information on the dashboard is consolidated by the Office of Financial Resources Management on a quarterly basis to come up with the Comptroller's list. COs of 3.

- Average score (Q1 & Q2) from the Comptroller's list is < 55: 1
- Average score (Q1 & Q2) from the Comptroller's list is between 55 and 72: 3
- Average score (Q1 & Q2) from the Comptroller's list is >72: 5

Source:

(c) Recent or anticipated major changes in CO portfolio or structure (to be assessed by Regional Bureaux and Regional Audit Centres)

Changes in the CO portfolio or structure may impact the CO operations and necessitate changes in office systems, policies and procedures, including an increase or decrease in staff and other personnel. The assessments by the Regional Bureaux and the assessments by the Regional Audit Centers have equal weight.

- No changes or changes with no impact: 1
- Some changes with minor impact: 2
- Major changes with some impact: 3
- Major changes with major impact: 4
- Major changes with generally unknown impact: 5

Source: Regional Bureaux and Regional Audit Centres

(d) Results of NGO/NIM (HACT) reviews

eview of audit reports on NGO/NIM (HACT) projects review covers four areas, namely: (i) materiality of the financial audit qualifications, (ii) severity of audit observations, (iii) adequacy of audit scope, and (iv) adequacy of the administration of the audit exercise. This review results in an overall rating of satisfactory, partially satisfactory, or unsatisfactory, and combines the separate ratings in the four areas.

- Satisfactory rating: 1
- Partially Satisfactory rating: 3
- Unsatisfactory rating: 5

Source: OAI Special Assignments Section

(e) Time elapsed and previous risk score since last audit

The time elapsed since the last internal audit by OAI and/or external audit by the United Nations Board of Auditors pertains to the dates of the fieldwork of the last audit. Time elapsed is calculated by determining the number of months elapsed from the date of the last audit fieldwork up to the first day of the new year (e.g., 2017). The equivalent risk scores for the time elapsed are determined as follows:

Risk Level | Risk score
- If time elapsed is <
- If time elapsed is between 2.0 and
- If time elapsed is between 3.1 and
- If time elapsed is between 4.1 and
- If time elapsed is >

The equivalent risk scores of the prior year risk ratings will also be determined using the following scale:

Risk Level | Risk score
Very High | 5
High | 4
Medium High | 3
Medium Low | 2
Low | 1

The final risk score will be determined by calculating the average of the equivalent risk scores from the time elapsed and prior year risk ratings.

(f) GSS: Tone at the top

UNDP conducts a Global Staff Survey annually. Two areas were selected from the Survey that reflect clarity of based on the 50th percentile (triangle) and on the 25th through 75th

Risk scores:
Unit score is to the right of the triangle (well above average): 1
Unit score is to the right and overlapping the triangle (above average): 2
Unit score is to the left of the triangle but still touching the blue bar (average): 3
Unit score is to the left of the triangle and outside the blue bar (> 40 percent) (below average): 4
Unit score is to the left of the triangle and outside the blue bar (<= 40 percent) (significantly below average): 5
Source: Annual GSS Survey results, GSS Overview Dimension Profile

(g) a one-year period, preferably from the beginning of September of the prior year up to the end of August of the current year.

Risk scores:
The number of investigation cases is equal to or less than 1: 1
The number of investigation cases is between 2 and 5: 3
The number of investigation cases is greater than 5: 5

(h) Exceptional circumstances or political situations (to be assessed by Regional Bureaux and Regional Audit Centres)

UNDP, through the Regional Bureaux, periodically monitors and assesses the socio-economic and political situation in each country. For risk assessment purposes, exceptional circumstances or political situation means a country is experiencing or has experienced (i) natural disasters, (ii) a crisis, (iii) a serious security situation, or (iv) any particular event that makes the normal conduct of activities difficult. The activation of the Fast Track Procedures may be an indication that a country is in such a special situation.

When special events occur or Fast Track Procedures are activated, COs are not generally implementing the standard controls, which may increase risks and exposure to losses. The assessments by the Regional Bureaux and the assessments by the Regional Audit Centres have equal weight.

Risk scores:
The country is under a normal operation: 1
The country is in any one of the above special situations: 3
The country is in more than one of the above special situations: 5
Source: Regional Bureaux and Regional Audit Centres

(i) Special concerns of UNDP stakeholders (to be assessed by Regional Bureaux and Regional Audit Centres)

The level of interest stakeholders may have in a given country programme may vary depending on the profile and visibility of the programme or the interests of donors in certain projects, such as the international community at large, media, local partners or host country governments. Reputational risks to UNDP may arise due to project failures or losses of financial and other resources. The assessments by the Regional Bureaux and the assessments by the Regional Audit Centres have equal weight.

Risk scores:
No special interest known: 1
Known or expected level of interest is low: 2
Known or expected level of interest is medium: 3
Known or expected level of interest is high: 4
Known or expected level of interest is very high: 5
Source: Regional Bureaux and Regional Audit Centres ranking

(j) Transparency International Corruption Perceptions Index

Transparency International is a global civil society organization leading the fight against corruption. The Corruption Perceptions Index (CPI) ranks countries in terms of the degree to which corruption is perceived to exist in the public sector. It is a composite index, a poll of polls, drawing on corruption-related data from expert and business surveys carried out by a variety of independent and reputable institutions. The CPI reflects views from around the world, including those of experts who are living in the countries evaluated. In 2014, the CPI ranked 141 countries, with scores ranging from 0 (highly corrupt) to 100 (very clean).

As no countries in which UNDP is actively engaged achieved a score in excess of 74, the risk relative to UNDP is being assessed on CPI scores between 0 and 74.

Risk scores (countries with):
CPI is between 60 and 74: 1
CPI is between 45 and 59: 2
CPI is between 30 and 44: 3
CPI is between 15 and 29: 4
CPI is between 0 and 14: 5
Source: CPI (2014 release)


DIM Audit Risk Assessment Model Standard Operating Procedure No. 124 Date of original issue: 2 October 2012 Date of revised issue: 2 December 2016

Purpose

, which describes the risk assessment process in general. This SOP 124 deals with one set of the sub-audit universe: the projects directly implemented by UNDP. Specifically, this SOP describes the risk assessment model for selecting DIM projects to be considered in the Audit Plan. This SOP supersedes the last updated version of SOP No. 124 dated 14 November

Risk identification and prioritization

Some risk indicators are more critical than others. In ranking the risks, the following weights will be applied based on an overall understanding of the risk of these weights has to be reviewed annually prior to the start of the risk assessment exercise.

Risk categories (UNDP ERM) / OAI operationalization of the risk categories: risk indicators for DIM audit universe and percentages

Financial / Financial materiality:
(a) Value of project expenditure: 30%
(b) Cumulative value of DIM expenditure: 15%

Organizational / Entity-level controls:
(c) Result of last OAI audit of UNDP Office: 15%
(d) Result of last OAI audit of DIM project: 10%
(e) : 5%

Political, Strategic, Regulatory / Environmental concerns:
(f) Exceptional circumstances or political situation: 10%
(g) Special concerns of UNDP stakeholders: 10%
(h) Transparency International Corruption Perceptions Index: 5%

Total: 100%

The weighted risk score is calculated by multiplying each risk score, as determined from the tables in the Annex, by its percentage weight in the table above and summing the results. The weighted risk score is then categorized into three levels as shown in the table below.

Level of Risk: Weighted risk score sum
High: >3.69
Medium: >3.00 to 3.69
Low: 3.00 or lower


Annex: Risk Indicators: Definitions and scores

(a) Value of project expenditure

Value of project expenditure is a key element to assess risk. For the purpose of this risk assessment exercise, the value of expenditure is calculated by project output as recorded in Atlas at the year-end closing, as of 31 December. The validity of the scale below must be reviewed every year, prior to the start of the risk assessment exercise.

Risk scores:
$0.5 million to $1.0 million: 1
>$1.0 million to $2.5 million: 2
>$2.5 million to $5.0 million: 3
>$5.0 million to $10.0 million: 4
>$10.0 million: 5
Source: Atlas - data extraction

(b) Cumulative value of DIM expenditure

The cumulative value of DIM expenditure is another key element to assess risk. This factor reflects the total inception.

Risk scores:
$10 million: 1
>$10 million to $18 million: 2
>$18 million to $40 million: 3
>$40 million to $100 million: 4
>$100 million: 5
Source: Atlas data extraction

(c) Result of last OAI audit of UNDP Office

This pertains to the results of the previous audit assignments to the respective UNDP Office handling the project. This review results in an overall rating of satisfactory, partially satisfactory, or unsatisfactory.

Risk scores:
CO audit: Satisfactory rating: 1
CO audit: Partially Satisfactory rating: 3
CO audit: Unsatisfactory rating: 5
Source: CARDS OAI Audits

(d) Result of last OAI DIM project

This pertains to the results of the previous audit assignments to the respective DIM project. This review results in an overall audit opinion under the following categories: unqualified, qualified, adverse/disclaimer of opinion. (Note: If the DIM project has not yet been audited, it gets a risk score of 5.)

audited expenditure
Qualified opinion with qualification between 1% and 2% of audited expenditure
Source: CARDS OAI Audits
Risk Score

(e) a one-year period, preferably from the beginning of September of the prior year up to the end of August of the current year.

Risk scores:
The number of investigation cases is equal to or less than 1: 1
The number of investigation cases is between 2 and 5: 3
The number of investigation cases is greater than 5: 5

(f) COs in special development or political situations (to be assessed by Regional Bureaux and Regional Audit Centres)

UNDP, through the Regional Bureaux, periodically monitors and assesses the socio-economic and political situation in each country. For risk assessment purposes, special development or political situation means a country is experiencing or has experienced (i) natural disasters, (ii) a crisis, (iii) a serious security situation, or (iv) any particular event that makes normal conduct of activities difficult. The activation of the Fast Track Procedures may be an indication that a country is in such a special situation. When special events occur or Fast Track Procedures are activated, COs are not generally implementing the standard controls, which may increase risks and exposure to losses. The assessment by the Regional Bureaux and Regional Audit Centres will have an equal weight.

Risk scores:
The country is under a normal operation: 1
The country is in any one of the above special situations: 3
The country is in more than one of the above special situations: 5
Source: Regional Bureaux and Regional Audit Centres

(g) Special interests and concerns of UN (to be assessed by Regional Bureaux and Regional Audit Centres)

The level of interest stakeholders may have in a given country programme may vary depending on the profile and visibility of the programme or the interests of donors in certain of its projects, the international community at large, media, local partners or host country government. Reputational risk to UNDP may arise due to project failures or losses of financial and other resources. The assessment by the Regional Bureaux and Regional Audit Centres will have an equal weight.

Risk scores:
No special interest known: 1
Known or expected level of interest is low: 2
Known or expected level of interest is medium: 3
Known or expected level of interest is high: 4
Known or expected level of interest is very high: 5
Source: Regional Bureaux and Regional Audit Centres ranking

(h) Transparency International Corruption Perceptions Index

Transparency International is a global civil society organization leading the fight against corruption. The Corruption Perceptions Index (CPI) ranks countries in terms of the degree to which corruption is perceived to exist in the public sector. It is a composite index, a poll of polls, drawing on corruption-related data from expert and business surveys carried out by a variety of independent and reputable institutions. The CPI reflects views from around the world, including those of experts who are living in the countries evaluated. CPI ranks more than 160 countries, with scores ranging from 0 (highly corrupt) to 100 (very clean). As no countries in which UNDP is actively engaged achieved a score in excess of 74, the risk relative to UNDP is being assessed on CPI scores between 0 and 74.

Risk scores:
CPI is between 60 and 74: 1
CPI is between 45 and 59: 2
CPI is between 30 and 44: 3
CPI is between 15 and 29: 4
CPI is between 0 and 14: 5
Source: CPI