Audit of the UNESCO Statement on Internal Control

Transcription

1 Internal Oversight Service Audit Section IOS/AUD/2017/11 Original: English Audit of the UNESCO Statement on Internal Control October 2017 Auditors: Hir Purkait Vivian Leung Edny Saint-cyr

2 EXECUTIVE SUMMARY Key Results: IOS conducted an audit of the Statement on Internal Control (SIC) to provide assurance that it is well managed and effective, focussing on the Control Self-Assessment (CSA) process. The SIC has been issued annually since 2011, putting UNESCO among the first UN agencies to have established an annual SIC as part of its Annual Consolidated Financial Statements. However, the SIC is typically issued before the analysis of the CSAs presented to the Senior Management Team (SMT), limiting the use of the CSAs analysis for SMT discussions on the SIC. Broadening consultations on the SIC with more stakeholders as stipulated in the SIC methodology would make it more meaningful. The CSA is completed by all entities as required. However, IOS assessments of the CSA diverge significantly compared to the self-assessments in some functional areas. Additional guidance on the CSA methodology would improve its reliability and comparability. There needs to be a greater link between the SIC and CSA process and the risk identification and management process. Despite the issuance of various memos and the 2016 IOS Advisory on Enterprise Risk Management, risk registers at the entity-level are still largely missing and the corporate risk register is still under development. The Risk Management Committee (RMC) should continue to implement Action Three from the 2016 IOS Advisory on ERM (IOS/AUD/2016/05) and also continue to develop the BCP Strategy and the BCP for the field. Insufficient monitoring by entities of mitigation actions required to manage potential weaknesses means that the CSA exercise has a limited operational use. Despite the methodology requiring the elaboration of action plans, in most cases these were not reported in CSAs, and hence it is not possible to determine whether the underlying operational risk was managed/mitigated at the entity level. Background 1. The Statement on Internal Control (SIC) was introduced in 2011 in UNESCO s financial statement as part of the management reform programme. The purpose and accountabilities of the SIC are governed by Chapter 3.4 of the Administrative Manual, under the Internal Control Policy Framework, which also includes the Internal Control Self-Assessment Methodology. 2. Through the SIC, the Director-General discloses significant matters arising during the year for which the statement is issued. As such, the financial challenges faced by the Organization, due to the fact that some major Member States continue to withhold their assessed contribution, is reported on a yearly basis as part of significant matters along with the measures implemented to manage the underlying risks. 3. In UNESCO, the Director-General is responsible for establishing and maintaining a sound system of internal control. Through the SIC s/he not only discloses the Organization s challenges but also provides Member States with reasonable assurance regarding the effectiveness of UNESCO s internal control system. 4. Through this, the Director-General provides reasonable assurance of the achievement of the three internal control objectives: I. Programme objectives are being achieved efficiently; II. Published and other financial information produced are being prepared reliably; III. Applicable policies and procedures, laws and regulations are being complied with. 1

3 5. In order to review and evaluate the status of UNESCO s internal control system and to shape the content of the Statement, the Director General considers the following: (a) Audit, Evaluation, Advisory reports issued by the Internal Oversight Service (IOS) for the year for which the SIC is to be issued; (b) Advices on Risk Management, Financial and Internal Controls from the Oversight Advisory Committee (OAC); (c) Advices and counsels on ethics and standards of control from the Ethics Advisor; (d) The Risk Management Committee who is responsible, among other tasks, to frequently re-evaluate risks and assess UNESCO s risk tolerance level; (e) Inspection reports issued by the Joint Inspection Unit (JIU); (f) Comments or statements made by the External Auditor; (g) The Governing Bodies observations and opinions; and (h) Feedback from the Organization s Senior Managers through periodic meetings and identification of control issues, together with a remedial action plan, through a self-assessment process, as confirmed by their personal written attestation 6. The requirement, through the yearly personal attestation and Control Self-Assessment obliges Assistant Directors-General, Heads of Bureau and Offices, Heads of Established Offices and Institutes/Centres away from Headquarters, to assess the adequacy of internal control related to their activities and to identify and report any weakness or deficiency in internal controls and actions taken to address them. Scope, Objective and Methodology 7. IOS conducted this audit to provide assurance that the process of the Statement on Internal Controls (SICs) is well managed and effective, focussing on the Control Self- Assessment process. 8. The audit team reviewed UNESCO s Internal Control Policies Framework and the Statement on Internal Control process in order to ascertain whether there is adequate guidance about the process, that the CSA is prepared as per the guidance and the results of the CSA are reliable and effectively used in identifying and managing potential control weaknesses at the unit level. 9. More specifically, the audit aimed to determine whether: SIC is issued in accordance with the established and issued methodologies Control self-assessments by the different Heads of office, institutes/centres serve as ones of the basis to the statement on internal control Disclosure of any significant identified weakness in the internal control system, with adverse impact on the achievement of those objectives, are identified though the SIC process 10. The audit covered SICs issued in 2015 and 2016 and prior periods since 2010 were also analysed for comparative purposes and to determine compliance with policies in place. 11. The audit was performed in accordance with the International Standards for the Professional Practice of Internal Auditing. It involved a walk-through of the SIC process, review and analysis of relevant records and data, interviews with relevant personnel, dissemination and analysis of a survey questionnaire, and a review of results of past audits. The survey questionnaire was circulated online over a period of two weeks in May In total, 39 responses were received out of 86 entities, registering a response rate of 45%. 12. To review compliance with the CSA methodologies, the Internal Control Policies Framework, samples of CSAs, other relevant reports and observations on internal controls were selected using the random sampling methodology. Furthermore, 10 entities were selected for further study and in-depth interviews (Annex A). 2

4 Achievements 13. UNESCO is among the early adopters within the UN system to establish an annual control self-assessment process and a statement on internal control. 14. UNESCO has a detailed framework of the CSA and annual attestations to inform the Director-General on the functioning of internal controls in a given year, and support her statement of internal control. 15. UNESCO has embedded a good practice of annual control self-assessment that achieves full participation rate. In 2015, all 85 UNESCO entities expected to participate in the CSA exercise completed it. Similarly in 2016, 86 entities completed the CSAs as required. Challenges and Opportunities 16. In line with best practices and as established in UNESCO, the contents of the SIC is derived based on inputs from different sources such as attestations supported by CSA, IOS reports, OAC, Ethics advisor, RMC, JIU reports, External Auditor reports and Governing Bodies observations. The current process only includes consultation with IOS, DDG and ODG after the SIC is drafted by BFM. 17. While the guidance provided by BFM on conducting Control Self-Assessments is quite detailed, managers used different approaches in levels of participation of staff and some delegated it to Administrative Officers to complete the exercise. Furthermore, IOS assessments in past audits pointed to significant divergence with the self-assessment in functional areas such as supply& procurement, programme management, financial control and travel management. 18. Absence of key documents such as an updated risk register and a business continuity plan is a recurring feature in most entities. 29 out of 39 (74%) entities responding to IOS survey indicated that they did not have a risk register. 19. CSA serves as a useful tool to sensitise individual managers about their role in the internal control process. However, in most cases when entities noted weaknesses, action plans were not reported in their CSA questionnaires in accordance with the methodology and hence there is no assurance that the underlying operational risks have been managed/mitigated at the entity level. Table of recommendations We recommend that: Recommendation 1: BFM to extend the process for consultations with other relevant stakeholders for finalizing the Statement on Internal Control. SMT can potentially become the platform for discussions on the DG s annual statements. Recommendation 2: BFM i) with IOS, to remind the individual managers of the need for more objective rating in the CSAs when IOS identifies significant deviation between their selfassessments and IOS assessments, and, ii) update the written attestation templates for managers to confirm they have followed a consultative process when completing the CSA exercise. Recommendation 3: HRM to include guidance on CSA process and methodology while designing the induction programme for new managers. 3

5 Recommendation 4: The Risk Management Committee (RMC) to provide additional guidance on risk registers in field offices/other entities. Furthermore, building upon Action 9 Para. 50 of the IOS Advisory on ERM, the RMC should review the CSA results in order to identify risks at the entity level as well as at the corporate level in order to advance ERM practices in UNESCO. Recommendation 5: BFM provide the respective business process owners with detailed guidance including good examples of self-assessments and action plans, for their follow up with the concerned managers where required. Recommendation 6: BFM conduct an internal feedback survey of all entities completing CSA, in order to improve focus and alignment of the questionnaire. 4