
160 EX/INF.6
PARIS, 22 September 2000
English & French only

UNITED NATIONS EDUCATIONAL, SCIENTIFIC AND CULTURAL ORGANIZATION

EXECUTIVE BOARD

Hundred and sixtieth Session

Item 6.5 of the provisional agenda

PROPOSAL BY THE DIRECTOR-GENERAL TO SET UP A UNESCO INTERNAL OVERSIGHT SYSTEM

DRAFT REPORT BY THE INSTITUTE OF INTERNAL AUDITORS (IIA)

SUMMARY

This document has been produced for the information of the Members of the Executive Board in connection with the Board’s examination of document 160 EX/23. It contains the draft report presented by the Institute of Internal Auditors (IIA) following its Quality Assurance Review (QAR) of the internal audit, evaluation, investigation and related functions in UNESCO, undertaken at the request of the Director-General and as he so informed the Board at its 159th session (159 EX/5).

CONTENTS

Page

EXECUTIVE SUMMARY ................................................................................................... 1

Highlights of the recommendations ............................................................................ 1

Organizational issues for UNESCO management ...................................................... 1

Priority issues for the internal oversight function ....................................................... 2

Opinion as to conformity with the Standards ............................................................. 2

Looking to the future ................................................................................................... 3

GENERAL OVERVIEW OF QAR ...................................................................................... 4

ENVIRONMENT FOR OVERSIGHT AT UNESCO ......................................................... 5

OBSERVATIONS AND RECOMMENDATIONS ............................................................ 6

Part I ORGANIZATIONAL ISSUES FOR UNESCO MANAGEMENT ........ 7

1. Define and measure risks; enhance management controls and accountability processes ........ 7

2. Improve the tools and processes to manage information technology ...... 8

3. Develop a charter for the new internal oversight (IO) function and define its structure ........ 9

4. Commence implementation of the IO function now ................................ 11

5. Define the IO relationship and information links to the Executive Board ........ 12

Part II ISSUES SPECIFIC TO THE INTERNAL OVERSIGHT FUNCTION . 13

6. Define the oversight universe and assess the related risks ....................... 13

7. Prepare long-range and annual IO plans .................................................. 14

8. Enhance evaluation oversight activities through their integration into IO ........ 15

9. Establish appropriate IO methodologies and a new policies and procedures manual ........ 16

10. Assess staff numbers, sources and skills; expand continuing professional development ........ 17

11. Assess report format(s), review process and distribution; improve follow-up of implementation of agreed remedial actions ........ 18

12. Give priority attention to strengthening the information technology (IT) audit capabilities of IO and coverage of activities throughout UNESCO ........ 19

13. Implement an internal quality assurance process within IO .................... 20

14. Enhance coordination with the external auditors and their reliance on IO ........ 21

ADDITIONAL OBSERVATION FOR UNESCO MANAGEMENT .............. 21

Annex I Model internal auditing department charter

Annex II Framework for risk management and management control

Annex III Sample policy statement for controlling an organization


EXECUTIVE SUMMARY

The Institute of Internal Auditors (IIA) conducted a Business-Focused Quality Assurance Review (QAR) of the internal audit, evaluation, investigation and related functions – primarily the Office of the Inspector General (IOM) and the Central Evaluation Unit (CEU) – of the United Nations Educational, Scientific and Cultural Organization (UNESCO). UNESCO is planning to combine those internal audit, evaluation, investigation and related functions into an integrated internal oversight (IO) function in the near future and plans to take the results of QAR into account as part of that restructuring process.

Prior to our on-site review in August 2000, we made a preliminary visit to become familiar with UNESCO, gather background information and conduct brief interviews with selected executives. Some relevant parts of the QAR Self-Study Report were completed by CEU and IOM, and a survey was sent to selected UNESCO executives. Results of the survey, including the comments returned with the survey responses and comments from our personal interviews with a representative sample of management and national delegations, were provided to UNESCO (without identification of information from individual respondents and interviewees).

HIGHLIGHTS OF RECOMMENDATIONS

We agree that the decision to integrate all of UNESCO’s oversight functions into a single unit is appropriate and should result in increased effectiveness of oversight of the Organization’s sector activities and support functions.

Our recommendations are divided into two classifications: those that concern UNESCO as a whole and/or require action by senior management and those that relate to the IO organizational structure, processes, staffing, etc., that would be implemented within IO, with some direction and support from senior management.

ORGANIZATIONAL ISSUES FOR UNESCO MANAGEMENT

• Enhance the processes for defining and measuring risks; establish/enhance the framework of management authorities, controls and accountability mechanisms, using a comprehensive risk management methodology. This comprehensive framework can provide a necessary discipline to achieve better operating effectiveness, consistent performance measurement, and accountability at all levels of the Organization. For the specific purposes of IO, it is also a precondition for defining a comprehensive oversight universe, prioritizing the deployment of IO resources, and preparing long-range and annual oversight plans.

• Improve the tools and processes to deal with the risks and opportunities related to the management of information technology (IT) and the implementation of an adequate management information system. This should include the updating and effective implementation of a long-range IT master plan, under the control of an in-house technology executive and the oversight of a permanent steering committee made up of major users. This enhanced control over IT resources is also important for IO to perform its function in a cost-effective manner.

• Develop a charter for the integrated IO function which could be adopted on a provisional basis pending arrival of the new Director of IO, in line with the model in Annex I. We suggest that current CEU and IOM staff, under the close direction of senior management of UNESCO, begin outlining and drafting the main features of this charter immediately. There should also be due regard for the necessary transition time for fully integrating evaluation activities (separated from the evaluation functions under the control of sector management), as well as for the clear definition of the special investigation process and responsibilities. UNESCO should commence implementation of the new IO function now, even before the new Director of IO is appointed, at least with respect to identification of areas of common interest and oversight coverage, the design and testing of new methodologies, assessing and enhancing the skills of staff, determination of availability of appropriate technology, etc.

• Define the IO relationship and information links to the Executive Board (EB). Establish a process for furnishing to the Executive Board (EB) periodic summaries of significant IO report items and plans, advising the EB of major changes in IO authority, scope and resources, and for consulting on the hiring or removal of the Director of IO.

PRIORITY ISSUES FOR THE INTERNAL OVERSIGHT FUNCTION

• Define the oversight universe and assess the related risks – aligning this universe with that of risk management and management control for UNESCO as a whole. Prepare annual and long-range IO plans, prioritizing the use of IO resources based on an oversight risk assessment and consultation with sector and support units across UNESCO.

• Apply the Standards for the Professional Practice of Internal Auditing (Standards) to IO and adopt appropriate best practices relating to IO staffing, engagement administration, performance and documentation of field work, reporting, implementation follow-up, and overall management of the function, each of which is discussed in more detail in our report.

• Give priority attention to strengthening IT audit capabilities and coverage of IT activities – including plans, operations, administration, security and other aspects of the management of IT and its utilization to provide management information throughout UNESCO.

• Enhance coordination with the external auditors (EA) and their reliance on IO, through such means as better communications, sharing of work plans and reports, IO follow-up to foster the prompt and effective implementation of EA recommendations, shared training and joint performance of audit work, along with demonstrating the enhanced professionalism of IO through implementation of the Standards and best practices mentioned above.

OPINION AS TO CONFORMITY WITH THE STANDARDS

It is our opinion that the current internal monitoring functions of UNESCO generally do not conform to the Standards for the Professional Practice of Internal Auditing.

In IOM, there are some areas of partial conformity with elements of the Standards and there have been improvements, notably in organizing and supervising audit work, in recent months. There are major opportunities for improvement in IOM, relating to virtually all areas covered by the Standards.

In CEU, conformity to some elements of the Standards, such as professional proficiency, long-range plans and communicating results is evident. There are also major opportunities for improvement in some areas, such as independent oversight of evaluation processes, following up to ensure implementation of recommendations, management of the function through a formal structure, policies and processes, and appropriate continuing professional development.

We do not believe it useful to describe in detail the past structures, policies and practices, which we took into account in reaching our opinion, but we have considered the opportunities for improvement, for both CEU and IOM, in developing our recommendations for the new IO function.

LOOKING TO THE FUTURE

We suggest UNESCO consider having a brief implementation review performed approximately six to 12 months after the new Director of IO is hired. This might be done “in-house” by persons competent in IO matters and independent of IO, or could be done with external assistance. We also recommend UNESCO have another QAR about three years from now, as specified in the Standards.

We appreciate this opportunity to be of service to UNESCO. We will be pleased to respond to further questions you may have concerning this report and to furnish you any information you desire about IIA publications, training, consulting, or its other services to internal oversight professionals and their organizations.

Lew Burnham, CPA
Project Manager

Robert A. Ferst, CIA, CISA, CFE
Vice President, Global Services Integration and Quality Programs
The Institute of Internal Auditors

Team members:
José Bouaniche, CIA, CISA
David Kanja, CIA, CPA, ACA
Gerard Scalabre, CIA, CISA
David Woodward, Dir. Ext. Aud., United Nations

GENERAL OVERVIEW OF QAR

The Institute of Internal Auditors (IIA) conducted a Business-Focused Quality Assurance Review (QAR) of the internal audit, evaluation, investigation and related functions – primarily the Office of the Inspector General (IOM) and the Central Evaluation Unit (CEU) – of the United Nations Educational, Scientific and Cultural Organization (UNESCO). UNESCO is planning to combine those internal audit, evaluation, investigation and related functions into an integrated internal oversight (IO) function in the near future and plans to take the results of our QAR into account as part of that process of restructuring its internal monitoring (IM) activities.

Our QAR was conducted in accordance with the IIA’s Business-Focused QAR Manual. We made appropriate adaptations of our work programme to accommodate the particular circumstances of UNESCO. We also made adaptations to accommodate UNESCO management requests that we direct our attention to specific areas of interest or perceived needs of UNESCO’s management, both in the planning stages of the review and during the course of our field work. Our preliminary visit was in April 2000 and the field work was performed in the period of 11-29 August, culminating in reviews of our findings and the expected content of our report with the Director-General and appropriate members of UNESCO senior management.

Our preliminary visit and our subsequent review of a variety of relevant documentation served to help us become familiar with UNESCO, gather background information and conduct brief interviews with selected executives. As part of that preliminary work, some relevant parts of the QAR Self-Study Report were completed by CEU and IOM, and a survey was sent to selected UNESCO executives. Results of the survey, including the comments returned with the survey responses and comments from our personal interviews with a representative sample of management and national delegations, were provided to UNESCO (without identification of information from individual respondents and interviewees). The interviews, covering a wide range of management control, sector and support operational practices, along with interviews with IOM and CEU personnel and reviews of their policy guides, working papers, reports, etc., form the principal basis of the observations and recommendations in this report.

The objectives of QAR included the following:

• Assess the efficiency and effectiveness of UNESCO’s recent internal monitoring activities, including the current level of satisfaction of the customers of CEU and IOM, and the plans for their restructuring into a new, integrated IO function.

• Identify opportunities for improving the performance and credibility of current internal monitoring and planned future IO activities, including coordination with the external auditors and their increased reliance on IO work.

• Evaluate the proposed organizational structure and IO framework and comment on these matters, as well as the needed staffing and other resources.

• Provide an opinion as to whether or not the current IOM activities conform to the Standards for the Professional Practice of Internal Auditing.

The objectives shown in our QAR proposal to UNESCO also included “review your audit universe and the method followed for annual risk assessment ... annual and long-range audit plans ...”, as well as “examine internal auditing techniques and methodology ... policies and practices ...”. We did only limited work relating to these objectives, as the relevant universes, risk assessments, plans, techniques and methodology do not exist, or their practical application was so limited that it was not useful to try to review or evaluate them. However, we have commented on these matters as they relate to the planned restructuring of IO and implementation of such processes and techniques in the future.

In connection with the first objective above, we relied primarily on the survey and interviews of selected UNESCO executives (42 survey responses and about 20 interviews), interviews with representatives of national delegations (5), discussion with the external auditor, a representative of the Auditor General’s Office of Canada (EA), and a review of recent internal reports and documents prepared for the Executive Board (EB). With respect to the first three objectives, we took into account relevant “best practices” on internal oversight functions, as collected and evaluated by IIA, along with ideas from the diverse background and experience of the members of the QAR team.

We have identified opportunities for application of “best practices” and other improvements to the planned integrated IO function. These are presented in our report under two headings: (1) organizational, policy and management control issues for UNESCO as a whole, to be resolved by the Director-General or under his direct guidance, and (2) issues to be dealt with in planning, organizing, staffing and managing the integrated IO function.

ENVIRONMENT FOR OVERSIGHT AT UNESCO

In performing our review and formulating recommendations, we have borne in mind UNESCO’s uniqueness as an organization and the special circumstances and requirements under which it operates. The QAR team members were selected, in part, because they have a great variety of experience with international organizations. This has been useful in addressing the broad range of oversight activities that will be under the authority of the new IO function, as well as in understanding the evolving structure and management processes of UNESCO as a whole.

Several strengths of UNESCO, important to its future, were apparent to us – particularly in the context of the planned reform of management structures and controls, as well as the strengthening of its internal oversight activities. These include:

• A widely recognized mandate covering a broad range of important activities, along with a history of valuable work and good credibility with most of UNESCO’s stakeholders.

• Extensive networks and contacts, along with the expectation that UNESCO will continue to make use of these in pursuit of its objectives.

• A broad base of knowledge and expertise among UNESCO’s executives and staff, and the operational and administrative structures, capable of enhancement, to make effective use of that knowledge and expertise.

• The will and executive direction to reform and enhance the management structure and processes.


As will be discussed in further detail in our comments and recommendations, successful establishment of the new IO function is very dependent on implementation of the plans to reform the structure and management controls at UNESCO, including significant improvements in management information. The reforms include a new UNESCO focus on strategic planning, clearer delegation of authority and related accountability processes, results-based programme management, decentralization and improved coordination of field activities (including a more extensive staff-rotation programme), and related efforts to strengthen management controls at all levels. In effect, if these reforms are successfully implemented, there will be an almost completely new framework for identifying and managing the risks and opportunities of the Organization.

UNESCO management should be the full “owner” of the processes of identifying, assessing and managing these risks. If the related management controls are well-designed, fully implemented, and followed consistently at the various management and operational levels, there can be a less extensive additional layer of control provided by an oversight function. This illustrates the principle that cost-effective oversight is applied by exception, as a testing, quality-assurance and special-investigation mechanism. It should not be considered as an integral part of the primary system of management controls and accountability mechanisms.

In Annex II, there is a brief conceptual outline of our suggested framework for risk evaluation, management control and oversight for UNESCO. That outline discusses further the concept that risk management, management control and accountability mechanisms should be entirely the responsibility of (“owned by”) management. Internal oversight should be functionally and organizationally distanced from those management responsibilities, but at the same time should align the definition of its oversight universe, its risk assessment, planning and application of oversight resources with those management processes. In this way, managers become more control conscious and make better use of management tools and control processes, while the oversight function can deliver optimum added value in a cost-effective manner. This concept is expanded in several of our detailed recommendations.

We also suggest that UNESCO consider adopting a general policy statement on management control concepts and responsibilities, based on Annex III.

OBSERVATIONS AND RECOMMENDATIONS

Our observations and recommendations are presented in two parts: (I) broad issues that concern UNESCO as a whole, requiring significant management decisions and actions, and/or that depend on the implementation of broad reform initiatives, and (II) those more specifically directed at the planned establishment of an integrated IO function and, while some of them may also be dependent on resolution of broader management issues, can be undertaken within the new IO function, with some direction and support by senior management.

PART I – ORGANIZATIONAL ISSUES FOR UNESCO MANAGEMENT

1. DEFINE AND MEASURE RISKS; ENHANCE MANAGEMENT CONTROLS AND ACCOUNTABILITY PROCESSES

Enhance the processes for defining and measuring risks; establish/enhance the framework of management authorities, controls, and accountability mechanisms, using a comprehensive risk management methodology.

As mentioned earlier, in formulating our recommendations, we have taken into account UNESCO’s extensive plans to reform the structure and management processes of the Organization. To the extent we have had an opportunity to familiarize ourselves with them, we concur with those reform plans and have tried to align our recommendations with them.

A comprehensive risk management framework, with complementary controls and processes, can provide a necessary discipline to achieve better operating effectiveness, consistent performance measurement, and accountability at all levels of the Organization. For the specific purposes of IO, it is also a precondition for defining a comprehensive oversight universe, prioritizing the deployment of IO resources, and preparing long-range and annual oversight plans. See Annex II for a conceptual outline of a suggested framework and how the IO universe, risk assessment and planning would be aligned with it. The external auditors have also included useful comments in their long-form reports on the objectives and processes of a management control framework.

In this reform context, we emphasize an important issue that was pointed out to us by a number of interviewees from both UNESCO management and the Executive Board: there is a need to fully integrate the deployment and administration of extrabudgetary funds into the new management framework. These “trust” activities should be under the related sector management responsibility and covered by the same level of accountability as is applicable to the regular sector programmes and projects. They should also be included in the systems of management information, budgetary and expenditure controls, results measurement, review and reporting by sector evaluation functions, internal oversight coverage, etc.

Audit management’s response

2. IMPROVE THE TOOLS AND PROCESSES TO MANAGE INFORMATION TECHNOLOGY

Improve the tools and processes to deal with the risks and opportunities related to the management of information technology (IT) and the implementation of an adequate management information system.

This process improvement should include the updating and effective implementation of a long-range IT master plan, under the control of an in-house technology executive and the oversight of a permanent steering committee made up of major users. This enhanced control over IT resources is also important for IO to perform its function in a cost-effective manner.

We are aware that there have been IT master plans developed in the past and that, to some extent, various elements of them have been put into effect. Some users have tried to manage the IT resources for their particular sectors or functions, directly or through reliance on consultants. With respect to SAP, responsibilities have been assigned and extensive work, particularly by consultants, has been done. The Director of Information Technology (DIT) also has been involved in some of these activities, along with routine systems maintenance responsibilities. However, we do not believe that all of these efforts, individually or taken together, constitute adequate overall management of IT resources or of individual projects such as SAP and SISTER.

We have concluded that UNESCO must significantly enhance its management information at all levels, in order for adequate systems of management control and accountability to function. Unfortunately, there is likely to be a period of up to two years in “limbo” before that can happen. The “legacy systems” are outdated and it is not feasible to enhance them or even maintain them adequately. SISTER, while very good in concept and implemented to a degree, does not appear to have access to the full range of data needed and its effective application across the Organization does not appear to be occurring. It appears that SAP implementation can fill a major part of UNESCO’s management information needs, provided these needs can be defined in a consistent manner across the control and accountability framework and management and provided staff are properly trained to use the system at a reasonably advanced level.

We emphasize that DIT should have more involvement in the management of IT resources, under the direction of a senior executive such as a Chief Information Officer and with an IT steering committee of users to exercise strong oversight. On an ongoing basis, the steering committee and DIT should apply a strong central discipline to the major elements of the IT master plan. These elements include:

• the overall IT budget and user needs assessments (not just left to individual users),

• acquisition/development and implementation of significant new IT resources (enforcing requirements such as system compatibility, operating economy and effectiveness, and management of IT consultants – particularly to ensure that their knowledge and tools are retained by UNESCO, not lost when the consultants leave),

• ongoing risk assessment and effectiveness evaluation of software currently in use, along with reviews of controls to ensure data integrity and logical and physical security, and

• overall IT risk management, including implementation and testing of a disaster recovery and business resumption plan.

We have furnished to DIT extensive information on the management of IT resources, particularly on the COBIT (Control Objectives for Information and related Technology) framework, from the Information Systems Audit and Control Foundation. See also the essentials of IT management shown in Annex II.

Audit management’s response

3. DEVELOP A CHARTER FOR THE NEW INTERNAL OVERSIGHT (IO) FUNCTION AND DEFINE ITS STRUCTURE

Develop a charter for the integrated IO function and define its structure, which could be adopted on a provisional basis pending arrival of the new Director of IO (DIO), in line with the model in Annex I. We suggest that current CEU and IOM staff, under the close direction of senior management of UNESCO, begin outlining and drafting the main features of this charter immediately.

In addition to the standard elements of the charter in Annex I, UNESCO should give consideration to the following:

• Define the authority and role of IO in the coordination and oversight of the evaluation functions that are to be the responsibility of management. Cover such matters as guidance for sector and support unit evaluators and the consultants they may hire (eventually in the form of a policy and procedure manual to be adopted by the sector and support unit evaluation functions), review of the two-year evaluation master plan, tracking and follow-up of implementation of the recommendations and agreed action plans resulting from evaluation reports, preparation of a semi-annual summary of significant report matters, etc.

• Set out the responsibilities and boundaries of IO investigation activities, including when they should turn the responsibility over to the Legal Department (e.g. when IO finds evidence or has strong suspicions of serious violations of UNESCO regulations or criminal actions), when the Personnel Department should be involved, and how IO should continue to cooperate in such investigations.

• Describe the formal and informal processes by which IO should take into account the advice and requests of management, in assessing its oversight universe, setting priorities and planning work. One of the alternatives being considered is to have a formal “internal oversight committee” made up of the heads of support services with control oversight responsibilities (Bureau of the Budget, Strategic Planning, and Bureau of the Comptroller) and of the sector heads. This committee would function as an IO advisory panel and help IO gain wider acceptance of its work. It would also help spread best practice ideas arising from IO reports and ensure that agreed action plans are implemented.

We think this internal oversight committee is a good concept, and, in fact, it is considered a best practice by many organizations. But, we wonder whether at UNESCO such a high-powered group would be willing to regularly attend meetings (or would send low-level delegates and defeat the committee’s purpose). Also, such a committee might give the impression that IO is controlled, or unduly influenced by, the subjects of its oversight work.

At UNESCO, it would appear that a better alternative may be to occasionally give IO a place on the agenda of regular management meetings. Those would be valuable opportunities to communicate with and receive advice from management as a group. More targeted communication and input from IO customers would be by means of periodic meetings of the DIO and/or designated IO liaison persons with individual heads of sectors and support services units.

• Establish a staff rotation policy to move high-potential peoplewith operational (especially field) experience into IO. Thecharter should also mention IO’s authority to obtain short-term resources and cooperation, through temporaryassignments of appropriate staff to “partner” with IO staff onteam engagements in selected areas of the organization.

160 EX/INF.6 – page 11

Further, it should mention, and complement with budget resources, IO’s authorization to outsource some of its work, employ short-term consultants, secondees from other organizations, etc.

In establishing the organization chart for IO, UNESCO should recognize that while multiple functions or disciplines can be described, it is not necessary to segment the Organization along those multiple lines. Given the likely priorities of IO, as is indicated by the outline of risks in Annex II, we believe IO will have to concentrate more on operational controls, programme effectiveness, quality assurance, process improvement, management information, etc. Also, it will need to recruit and/or train multidisciplinary staff, and its senior staff will have to be able to work and supervise in all areas. The staff will be smaller initially, with uncertainties as to how many will stay and what will be the source and qualifications of their replacements. Consequently, we suggest that an interim sub-director be appointed only for the ongoing evaluation work, to ensure its continuity and credibility, and that other potential posts at that level be left open until the organizational picture is clearer.

An important supplement to the charter will be the position description of the DIO – in alignment with the charter and designed as a document to communicate to UNESCO management the importance of IO. With respect to the management level of the DIO, we believe the D-2 grade is appropriate, but suggest that future consideration be given to elevating the position to the ADG level.

Audit management’s response

4. COMMENCE IMPLEMENTATION OF THE IO FUNCTION NOW

UNESCO should commence implementation of the new IO function now, even before the new DIO is appointed. Some areas where we believe this would be worthwhile, particularly for the Director of CEU and the acting Inspector General working together, would be:

• Consider areas of common interest and oversight coverage, both with respect to a tentative outline of a combined universe and identifying the potential synergies from using combined teams on oversight engagements.


• Begin the process of identifying the complete audit universe and performing risk assessments which will lead to an appropriate schedule for 2001. Assistance may be required for this effort.

• Compare policies and procedures and identify gaps that will need to be covered when a new departmental manual is prepared.

• Design and test new methodologies.

• Assess the skills of staff, their needs for additional guidance or supervision, and determine the short-term training that may be feasible to enhance those skills or make them more marketable (if they are deemed not to fit into IO). Arrange to have the required short-term training conducted. Discuss potential internal and external sources of new staff.

• Determine IO’s needs for new technology and the alternatives available to fill those needs (including the requisite training).

• Meet with IO stakeholders (principally management of sectors and support services) to explain how IO is changing and get their preliminary input to assist in identifying and evaluating elements of the IO universe. Consider what the Director-General should be asked to say to management at this time, both formally and informally, to help the IO reform process along.

Audit management’s response

5. DEFINE THE IO RELATIONSHIP AND INFORMATION LINKS TO THE EXECUTIVE BOARD

UNESCO has been considering various alternatives in this matter, ranging from no direct relationship or reporting to the establishment of a formal audit committee to which the DIO would have a link (along with a primary reporting line to the Director-General). We believe a reasonable compromise, which improves transparency while leaving the reporting line to the Director-General essentially undisturbed, would have the following features:

• Have the DIO prepare a semi-annual report of significant IO recommendations and remedial actions. Address it to the Director-General, with copies widely distributed to other members of senior management, as a routine means of keeping them informed of IO activities and spreading best practices and other good ideas across the Organization. Have this report coincide with the Executive Board meetings and include it in the package of advance information to Executive Board Members. Include a cover letter of comments, additional information, etc., from the Director-General, if he deems this desirable.

• Similarly, have the DIO prepare an annual summary of the IO annual plan (including comments on adequacy of resources and accomplishment of the prior year’s plan), also directed to the Director-General and senior management. Furnish a copy of this annual summary in the advance package for the Executive Board meeting.

• Advise the Executive Board of major changes in IO authority, scope, or resources.

• Advise the Executive Board of plans to appoint a new DIO or to remove the incumbent.

PART II – ISSUES SPECIFIC TO THE INTERNAL OVERSIGHT FUNCTION

6. DEFINE THE OVERSIGHT UNIVERSE AND ASSESS THE RELATED RISKS

Define the oversight universe and assess the related risks – aligning this universe with that of risk management and management control for UNESCO as a whole. The concept and steps to be taken are summarized in Annex II, along with the subsequent steps applicable to our recommendation No. 7 on oversight planning, below.

After an initial generalized outline of the oversight risk universe, we suggest IO obtain an audit risk assessment software package to assist in evaluating and comparing oversight risks among the many different units of the universe.

Our recommendation is based partly on numerous comments from the survey and interviews of UNESCO management. They said that IOM needs to redirect its resources to “more important” and “higher risk” work, by which the interviewees usually meant more “operational audits”, as opposed to transaction and administrative compliance audit work. It is also based on our conclusions as to what would likely be of most value to UNESCO – in areas where the significant control risks are (as indicated in Annex II) – as well as being in line with current best practice of the profession.

The same comments on the subject of extrabudgetary funds in No. 1, above, would also apply to the process of defining the universe and assessing the risks for IO. These extrabudgetary activities would be incorporated into IO risk assessment and planning, in alignment with the way management responsibilities and accountability processes are restructured.


Audit management’s response

7. PREPARE LONG-RANGE AND ANNUAL IO PLANS

Prepare long-range and annual IO plans, prioritizing the use of IO resources based on an oversight risk assessment and consultation with sector and support units across UNESCO.

IO should use a comprehensive structure of risk factors and weighting (which can be provided by an audit risk assessment software package, mentioned above) for overall setting of priorities and managing changes in the annual plan of IO engagements. This formal modelling process imposes a strong discipline both on the initial allocation of resources and on determining whether potential expansion of the scope of a planned engagement, agreeing to a management request for additional work, or substituting an unplanned engagement should take precedence over engagements already planned. For illustrative purposes, a description of some of the significant processes and information relevant to the universe and resulting plans is given below:

• The oversight universe should list its units in terms of potential oversight engagements (subsector activities, programmes, major projects, regions, offices, support service areas, systems, transaction cycles, etc.), with appropriate subclassifications by types of work (scope). An indication of relevant factors such as materiality, nature and magnitude of potential threats and opportunities, other relevant indicators of risk (of various types such as: strategic, operational, reputation/credibility, financial) and management concerns should also be shown for each unit. Eventually, there should be built up a history for each unit, showing the date of previous IO work (with information about scope, person in charge, major findings and/or other indicators of the quality of management controls).

• The long-range plan should show how all of the higher priority units will be covered over the long-range planning cycle and how the lower priority units will be tested by coverage of a representative sample of them. It need show only summary information. It should be updated (“rolled forward”) each year.

• The annual plan should show the scope of work, timing, type and amount (e.g. person days) of staff resources to be allocated, tentative assignment of the IO staff person in charge, and similar summary information for each planned engagement.
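The modelling process described above, as an added illustration that is not part of the IIA report and is not the audit risk assessment software package it refers to: a small Python model in which each unit of the oversight universe carries scores for the factor types the report lists (strategic, operational, reputation/credibility, financial, management concern) plus a review history; a weighted score ranks the units; the annual plan takes every higher-priority unit and a representative sample of the rest, fitted into a person-day budget; and an unplanned engagement (scope expansion, management request or substitution) is accepted only if it outranks the planned work it would displace. The factor weights, the priority threshold, the sampling stride and the sample universe are assumptions constructed for the example, not UNESCO data.

```python
"""Risk-weighted oversight planning model (added example, not from the
IIA report). Weights, thresholds, stride and the sample universe below are
assumptions constructed for illustration."""
from dataclasses import dataclass

# Assumed factor weights; the report lists the factor types but no weights.
WEIGHTS = {
    "strategic": 0.25,
    "operational": 0.25,
    "reputation": 0.20,
    "financial": 0.20,
    "management_concern": 0.10,
}
HIGH_PRIORITY = 3.5   # assumed score threshold for "higher priority" units
SAMPLE_STRIDE = 2     # assumed: cover every second lower-priority unit


@dataclass(frozen=True)
class Unit:
    """One unit of the oversight universe (a potential engagement)."""
    name: str
    scores: dict           # factor -> 1 (low risk) .. 5 (high risk)
    person_days: int       # estimated staff resources for one engagement
    years_since_review: int
    prior_findings: int    # significant findings at the previous review


def risk_score(u: Unit) -> float:
    """Weighted factor score, raised for stale coverage and past findings."""
    base = sum(WEIGHTS[f] * u.scores[f] for f in WEIGHTS)
    staleness = 0.1 * min(u.years_since_review, 5)   # +0.1 per year, capped
    history = 0.15 * min(u.prior_findings, 3)        # +0.15 per finding, capped
    return round(base + staleness + history, 2)


def annual_plan(units, budget_days):
    """Rank the universe, take every higher-priority unit and a representative
    sample of the rest, and fit them greedily into the person-day budget.
    Returns (planned units in rank order, person-days used)."""
    ranked = sorted(units, key=risk_score, reverse=True)
    high = [u for u in ranked if risk_score(u) >= HIGH_PRIORITY]
    lower = [u for u in ranked if risk_score(u) < HIGH_PRIORITY]
    plan, used = [], 0
    for u in high + lower[::SAMPLE_STRIDE]:
        if used + u.person_days <= budget_days:
            plan.append(u)
            used += u.person_days
    return plan, used


def consider_unplanned(plan, used, budget_days, candidate):
    """Should an unplanned engagement take precedence over planned work?
    Planned engagements are displaced lowest score first, and only while
    their score is below the candidate's. Returns (accepted, displaced names)."""
    cand_score = risk_score(candidate)
    free = budget_days - used
    displaced = []
    for u in sorted(plan, key=risk_score):
        if free >= candidate.person_days:
            break
        if risk_score(u) >= cand_score:
            break                      # never displace work that ranks higher
        displaced.append(u.name)
        free += u.person_days
    if free >= candidate.person_days:
        return True, displaced
    return False, []


def _unit(name, s, o, r, f, m, days, years, findings):
    return Unit(name, {"strategic": s, "operational": o, "reputation": r,
                       "financial": f, "management_concern": m},
                days, years, findings)


# Constructed sample universe (illustrative values, not UNESCO data).
UNIVERSE = [
    _unit("Field office A", 4, 5, 4, 3, 5, 40, 3, 2),
    _unit("Extrabudgetary projects", 5, 4, 4, 5, 3, 50, 5, 1),
    _unit("Payroll cycle", 2, 3, 2, 4, 2, 20, 1, 0),
    _unit("Library services", 1, 2, 1, 1, 1, 15, 2, 0),
    _unit("IT security administration", 3, 4, 4, 3, 4, 30, 4, 3),
    _unit("Travel expenses", 1, 2, 2, 2, 1, 10, 0, 0),
    _unit("Publications unit", 2, 2, 2, 1, 2, 12, 6, 0),
]
BUDGET_DAYS = 150
EMERGENCY_REQUEST = _unit("Donor-funded emergency programme", 5, 5, 5, 4, 5, 25, 5, 0)

if __name__ == "__main__":
    plan, used = annual_plan(UNIVERSE, BUDGET_DAYS)
    for u in plan:
        print(f"{risk_score(u):4.2f}  {u.person_days:3d}d  {u.name}")
    print(f"planned {used} of {BUDGET_DAYS} person-days")
    accepted, displaced = consider_unplanned(plan, used, BUDGET_DAYS, EMERGENCY_REQUEST)
    print("unplanned request accepted:", accepted, "displacing:", displaced)
```

With the constructed universe the three higher-priority units are planned in full, two of the four lower-priority units are covered as the sample, and the emergency request is accepted only by displacing the two lowest-ranked planned engagements, which is the kind of explicit trade-off the report wants the modelling process to force. Carrying each unit's score, date of last review and findings forward into the next year's universe is what makes the long-range plan "roll forward".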


As already mentioned in No. 3 above and Annex II, IO should consult frequently with management of the sectors and support services, both as a group and individually, with respect to preparation and subsequent modifications of its annual plan.

Audit management’s response

8. ENHANCE EVALUATION OVERSIGHT ACTIVITIES THROUGH THEIR INTEGRATION INTO IO

The survey and interviews with management and Executive Board Members indicated that CEU and the sector evaluation and coordination activities generally are held in high regard. There was some concern expressed that the evaluation function might “disappear into the combined IO function” or might “lose effectiveness or credibility through a weakening of its mandate” (paraphrased). For this reason, it is essential that there be prompt communication to those concerned that these fears will not come to pass and that, on the contrary, evaluation in UNESCO will be strengthened through a clear separation of sector evaluation (serving management process improvement and accountability purposes) from evaluation oversight. The merging of evaluation into IO will be an orderly, well-thought-out process. In addition, there will be a continuation and eventual enhancement of the evaluation capabilities of IO (through better rotation of capable staff with sector and field experience), and it will exercise a stronger discipline on the process through:

• independent review and challenging of the two-year sector evaluation plan and expansion of oversight to such areas as review of strategic policy analysis,

• more specific and consistent guidance to sector evaluation and coordination staff (and the consultants they may employ) through the completion and issuance of an evaluation policies and procedures guidebook,

• participation in and supervision of selected evaluations that are in the two-year plan, as well as independent performance of a few additional evaluation reviews,

• extraction of significant issues, recommendations, practices applicable across other sectors, etc., from sector evaluation reports and publication of them in a “semi-annual report of significant oversight matters” (which will be sent to the Director-General, widely distributed to UNESCO management, and furnished to the Executive Board as part of the document package for their regular meetings), and


• tracking and implementation follow-up of recommendations and/or agreed action plans.

In addition, we suggest the Director-General consider having IO attest annually as to the adequacy of UNESCO’s evaluation processes for sector activities.

Audit management’s response

9. ESTABLISH APPROPRIATE IO METHODOLOGIES AND A NEW POLICIES AND PROCEDURES MANUAL

These methodologies and the related policies and procedures should reflect adherence to professional standards and best practices (from the IIA and relevant Evaluation Association literature – on hand or readily available to UNESCO). Some of the significant areas to be included in this upgrading effort are:

• planning individual engagements (preliminary discussions with relevant management and staff; preparation of a brief planning document covering items carried over from prior engagements, priorities, scope, objectives, timing, time budget, staffing, other relevant engagement administration matters and reporting matters),

• process for modifying the engagement plan (e.g. expanding/decreasing scope),

• direction and oversight of staff/consultants from sources outside IO,

• work paper standards including general form and content, indexing and cross-referencing, type of information to be retained, memoranda of work done and conclusions, and observations and potential recommendations,

• reporting matters and the person assigned to review working papers and the report draft, and

• engagement management, including travel policies and expense reporting, time budgeting and budget/actual control, performance evaluation and process improvement, etc.

Some of these matters have been drafted and/or exist in final form (though not being consistently applied) in IOM and CEU. These should be collected, reviewed, considered for updating and/or combining, etc., so as to have them ready for review by the new DIO.

Additional policy/procedure matters, relating to staffing, reporting and quality assurance, are covered in Nos. 10-14, below.


Audit management’s response

10. ASSESS STAFF NUMBERS, SOURCES AND SKILLS; EXPAND CONTINUING PROFESSIONAL DEVELOPMENT

We understand the current combined headcount of IOM and CEU is 10 (professional staff). We believe this is not a sufficient number to staff the new IO function. It is difficult to judge at this time how many of the current staff have the capabilities to perform satisfactorily in the new IO environment or, indeed, how many will wish to remain in IO. In No. 4, above, we mentioned some preliminary steps to review current staff, consider training, determine potential sources of new staff, etc., prior to the arrival of the new DIO. In addition, we have the following suggestions relating to longer range staff management:

• Prepare job descriptions of staff, with a focus on broader skill sets and with the target of having staff with capabilities to work on a wide variety of assignments. Cross-train staff with both internal audit (IIA and others) and evaluation (Evaluation Association) materials.

• Hold frequent (at least quarterly) staff meetings, for discussion of IO policies and practices and presentation of new ideas and techniques (by staff members or outside professionals).

• Make staff responsible for their own continuing professional education plans, subject to review by the DIO or a designated specialist, for reasonableness and consistency. Provide training opportunities above the IIA average (60 hours per year according to GAIN, the IIA’s benchmarking service) for an initial “catch-up” period and at the level of 40-60 hours per year thereafter.

• Provide all staff with IT tools and training, particularly for data extraction and analysis, general IT controls and effectiveness reviews (at a moderate technical level), and automated preparation of routine work papers. (See also No. 12, below.)

Given the likely priorities and changes of emphasis of the new IO, we believe that new additions to its staff should come more from internal operational areas than from recruitment outside UNESCO (although initial recruitment of a few staff with broad internal audit backgrounds will be appropriate). IO should become an important career development step for high-potential operations and support services staff, as this will provide one of the best opportunities to learn about management controls and processes across the whole of UNESCO.


We have been asked to comment on the approximate number needed and potential sources of staff for IO. The numbers are dependent on several variables of reform actions and timing, but with that caveat, we would estimate that permanent professional staff should be in the range of 12-15, with sources outside IO providing staffing resources to bring the equivalent total to around 18-20. Those outside sources could be:

• short-term assignment of staff from sectors and support service units to assist IO with specific evaluations, reviews, etc., in their own or other areas – team audits or “partnering” with IO customers,

• short- or long-term secondment of staff from other United Nations agencies or member countries,

• joint engagements with oversight units of other United Nations agencies, in operations areas of common interest,

• external consultants and other professionals contracted on a short-term basis, and

• engagements outsourced to professional firms, under the terms of reference and other oversight of IO.

Audit management’s response

11. ASSESS REPORT FORMAT(S), REVIEW PROCESS AND DISTRIBUTION; IMPROVE FOLLOW-UP OF IMPLEMENTATION OF AGREED REMEDIAL ACTIONS

In the professional literature of internal auditing and evaluation there are plenty of good ideas about report formats and processes. We do not propose to recommend any particular reporting style for UNESCO, except to suggest three ideas for consideration:

• Adopt the policy that the field work on an engagement is not to be considered complete until the recommendations have been finalized sufficiently to present them in the closing conference and discuss (if possible, agree) the remedial actions to be taken.

• Include the action plans in the report, to the extent they can be agreed; if they can’t be agreed, at least set forth the factors that prevent this (budgetary considerations, further study to be undertaken, difference of opinion or interpretation, etc.) and plans to resolve these matters.

• Use the report to promote and reinforce management plans or desired actions (with which IO agrees); if these are in the form of recommendations or agreed action plans, be sure to give credit where it is due.

We understand past policy/practice has been that reports are not issued without advance review and approval by the Director-General, especially if there are recommendations. We agree that reports involving significant decisions and/or resources may need to be handled in this way. However, we believe most reports should be issued directly to the sector ADG or head of the support service unit, particularly where there is agreement on recommendations or actions. Such a change would not only be a step to make reporting more timely, but would also be a signal that the new decentralization and delegation of authority initiatives are taking effect.

The concept and purposes of the semi-annual summary report of significant matters are covered in No. 5, above. In addition, we would suggest that this report will encourage implementation of recommendations (action plans), facilitate IO follow-up, promote transparency of management activities, and increase both the visibility and credibility of IO.

Audit management’s response

12. GIVE PRIORITY ATTENTION TO STRENGTHENING THE INFORMATION TECHNOLOGY (IT) AUDIT CAPABILITIES OF IO AND ITS COVERAGE OF IT ACTIVITIES THROUGHOUT UNESCO

As can be inferred from our comments in No. 2 above, Annex I, and elsewhere in our report, IT resources and the related management information are very important to UNESCO. The management of these resources will be strengthened by the reform initiatives under way, including adoption of our recommendations in No. 2. As a complement to those control and quality improvements, they need to be part of the coverage of the new IO function. In particular, they need to be considered as an important part of the oversight universe, oversight risk assessment, and planning, discussed in Nos. 6 and 7 above.

Only limited IT audit work has been performed during the past several years. There is a staff member with EDP audit background and experience. That staff member’s capabilities and effectiveness need to be enhanced through training, supervision and direction of those capabilities into high-priority oversight work. This should include plans, system development and implementation, operations, administration, security and other aspects of the management of IT, as well as the utilization of IT resources to provide management information throughout UNESCO.

We believe the scope of IT audit work in UNESCO, including assistance to IO management and other staff in better using technology for performing IO work, will require the services of at least one more IT auditor. We suggest the necessary steps to obtain this additional staffing from within UNESCO or by recruitment from outside be undertaken promptly.


Extensive internal control and oversight ideas concerning IT are available from many sources, including the IIA, EDP auditors’ associations, COBIT materials (mentioned in No. 2 above, and also furnished to the EDP auditor currently in IOM) and various Internet sites. For example, the COBIT materials include checklists which would be useful in understanding the control framework for management of IT and in defining the IO universe units. We suggest that, as part of the preliminary work to begin implementing IO now, these sources and materials be reviewed and that tentative training plans, an outline of the IT portion of the IO universe, IT audit methodologies, etc., be undertaken promptly.

Audit management’s response

13. IMPLEMENT AN INTERNAL QUALITY ASSURANCE PROCESS WITHIN IO

Implement an internal quality assurance process within IO. The elements of such a process would include:

• establishment of IO policies and procedures (e.g. those mentioned in No. 9 above), together with appropriate direction and supervision of staff,

• “peer” reviews of individual engagement work papers and reports, as well as more general cross-reviews within IO, as a test of compliance with the policies and best practices,

• close communication with customers, including customer satisfaction surveys at the end of each engagement or periodic surveys of all customers (covering both staff performance and the engagement processes and results), and

• periodic reviews by UNESCO staff from outside of IO, as limited tests of the areas mentioned above, the first of which could be an implementation review of the establishment of the new integrated IO function and adoption of our recommendations – say six to 12 months after appointment of the new DIO.

In addition, we recommend that UNESCO have another independent QAR about three years from now, as specified in the Standards.


Audit management’s response

14. ENHANCE COORDINATION WITH THE EXTERNAL AUDITORS AND THEIR RELIANCE ON IO

Our review indicated that there is some communication and coordination with the external auditors (EA). It also indicated that EA has placed only minimal reliance on IOM in the past. We believe there is considerable scope for EA to make its work more effective, reduce work in some areas, and achieve better implementation of recommendations through such reliance.

Some areas of improvement for IO, particularly short term, include better communications, sharing of work plans and reports, IO taking full responsibility for follow-up to foster the prompt and effective implementation of EA recommendations, shared training, joint performance of audit work, etc. Furthermore, demonstration of the enhanced professionalism of IO over the longer term, through better implementation of the Standards and best practices mentioned above, should sustain and enhance this reliance by EA.

Audit management’s response

ADDITIONAL OBSERVATION FOR UNESCO MANAGEMENT

We have a further observation, outside the scope of our review, but significant with respect to strengthening the internal controls of UNESCO. The Bureau of the Comptroller (BOC) and the Bureau of the Budget (BB) are the keys to budget and expenditure control in the Organization. In our interviews in those units and elsewhere in UNESCO, there were indications of excessive work to review, analyse, adjust and enter transactions, especially from field offices. It was suggested that these bureaux, especially BOC, need more resources to be able to adequately exercise their control functions. In the short term, that may be the case, and it may be necessary for BOC, BB and even IO to get involved in shoring up and remedying the control problems that should normally be handled by line management.

We believe, however, that the current situation is another indicator of the urgency of UNESCO’s implementation of new control structures and processes – and making them more the responsibility of line management. We suggest that UNESCO consider the implementation of a control assessment and accountability process, based on COSO/COCO/Cadbury principles and using an overall tool such as that used by the Comptroller of the World Bank, which we have shown to and discussed with BOC. UNESCO should also consider linking such a control assessment process to the implementation of a general policy statement on management control concepts and responsibilities (per Annex III). We believe this will lead to better controls and allow BOC and BB to redirect resources to more useful and cost-beneficial activities.


ANNEX I

MODEL INTERNAL AUDITING DEPARTMENT CHARTER

MISSION AND SCOPE OF WORK

The mission of the internal auditing department is to independently examine and evaluate the ongoing control processes of the Organization and to provide counsel and recommendations for improvement whenever they are identified.

The scope of work of the internal auditing department is to ascertain that the Organization’s network of control processes, as designed and represented by management, is adequate and functioning in a manner to ensure that:

• resources are adequately protected;

• significant financial, managerial and operating information is accurate, reliable and timely;

• employees’ actions are in compliance with policies, standards, procedures and applicable laws and regulations;

• resources are acquired economically and used efficiently;

• programmes, plans and objectives are achieved;

• quality and continuous improvement are fostered in the Organization’s control process.

Opportunities for improving the profitability and image of the Organization may be identified during audits. They will be communicated to the appropriate level of management.

ACCOUNTABILITY

The chief audit executive (CAE), in the discharge of his/her duties, shall be accountable to management and the audit committee to:

• provide annually an assessment on the adequacy and effectiveness of the Organization’s processes for controlling its activities;

• report significant issues related to the processes for controlling the activities of the Organization and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution;

• periodically provide information on the status and results of the annual audit plan and the sufficiency of department resources.


INDEPENDENCE

To provide for the independence of the internal auditing department, its personnel report to the CAE, who reports functionally and administratively to the president and periodically to the audit committee in the manner outlined in the above section on accountability.

RESPONSIBILITY

The CAE and staff of the internal auditing department have responsibility to:

• develop an annual audit plan based on significant exposures to loss or failure and submit that plan to management and the audit committee for review and approval;

• implement the annual audit plan, as approved, including any special tasks or projects assigned by management and the audit committee;

• maintain a professional audit staff with sufficient knowledge, skills and experience to meet the requirements of this Charter;

• evaluate and assess significant merging/consolidating functions and new or changing services, processes, operations and control processes coincident with their development, implementation and/or expansion;

• issue periodic reports to the audit committee and management summarizing results of audit activities;

• assist in the investigation of significant suspected fraudulent activities within the Organization and notify management and the audit committee of the results;

• consider the scope of work of the external auditors, as appropriate, for the purpose of providing optimal audit coverage to the Organization at a reasonable overall cost.

AUTHORITY

The CAE and staff of the internal auditing department are authorized to:

• have unrestricted access to all functions, records, property and personnel;

• have full and free access to the audit committee;

• allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives;

• obtain the necessary assistance of personnel in units of the Organization where they perform audits, as well as other specialized services from within or outside the Organization.


The CAE and staff of the internal auditing department are not authorized to:

• perform any operational duties for the Organization or its affiliates;

• initiate or approve accounting transactions external to the internal auditing department;

• direct the activities of any Organization employee not employed by the internal auditing department, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.

STANDARDS OF AUDIT PRACTICE

The internal auditing department will meet or exceed the Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors.


ANNEX II

FRAMEWORK FOR RISK MANAGEMENT AND MANAGEMENT CONTROL

INTRODUCTION

Successful establishment of a new IO function is dependent on implementation of the plans to reform the structure and management controls at UNESCO, with major improvements in the management information system. The reforms include a new focus on strategic planning and clearer delegation of authority. Further plans include stronger accountability processes, results-based programme management, decentralization and improved coordination of field activities (including an extensive staff-rotation programme), and other efforts to strengthen management controls at all levels.

If these reforms are to be successfully implemented, there should be an almost completely new framework for identifying and managing the risks, opportunities and strategies, along with the companion management controls and accountabilities of the Organization. Consequently, it follows that there must be a comprehensive redesign of these processes, resulting in a full redefinition of the elements of risk management and management control applicable to the reformed Organization.

DESCRIPTION OF UNESCO RISKS

Based on comments of UNESCO executives and Executive Board Members and relevant documents setting forth future plans, UNESCO’s significant risks, and the accompanying potential benefits from properly managing them, could be described as follows:

• Strategic or “opportunity” risk, involving major decisions that include:

making crucial choices among various potential strategies;

establishing and maintaining priorities for particular elements of perceived UNESCO “global mandates”, as well as for its sectors, regions, countries, etc.;

entering into long-range commitments and accepting funding, cooperative arrangements, and related conditionalities; and

making decisions on specific programmes or major projects.

• Reputation/credibility risk, including actual and perceived:

effectiveness in the “marketplace of ideas”, the influencing of key political and economic decision-makers, and achieving optimum, fairly balanced results in serving “stakeholders” (particularly the effective delivery of benefits to the most disadvantaged groups); and


compliance with all applicable laws, regulations and ethical standards.

• Funding/liquidity risk arising from, for example:

unexpected reductions in commitments or failure of donors to deliver committed funds;

inability to compete effectively for desired co-funding or gain access to other sources of funds for major new strategies or programme initiatives; and

inability to match funding with desired projects, initiatives, etc., because of donor or Executive Board restrictions or specific directives. (This would include potential “hijacking” of UNESCO mandates or programmes, through funding directives or other “micro-management” by donors.)

• Effectiveness risk – arising from potential threats and opportunities (similar to those for the strategic and funding/liquidity risks, above), as well as risks related to planning and execution. It would also involve effective utilization of management information (e.g. to provide effective management control, supervision, results measurement, and other accountability tools).

• Information technology (IT) and management information risk, covering:

A large range of potential threats and opportunities arising from IT decisions (on hardware, software, communications networks, management information tools, etc.), including those decisions specifically involving design, selection and implementation of IT resources;

The design and cost-effective use, across the Organization, of all types of management information (which needs to be complete, accurate and timely). This would include both the periodic reports and the real-time information needed to effectively support decisions at all levels, to monitor operating activities and budgetary controls, and – in particular – to enable those responsible to “manage by exception”;

The tools and processes selected for ongoing operational control of IT resources, customization of software to facilitate utilization, training users and support staff, etc.; and

The key administrative elements of IT management: system security, data integrity,disaster recovery and business resumption planning, and similar administrative controlfeatures of a comprehensive technology management process.

• Transaction risk – relating to the appropriateness, authorization, documentation, recording, monitoring and reporting of all types of transactions affecting the Organization. It also concerns the safeguarding of the resources of the Organization and fostering their effective utilization, and must be managed without excessive cost or “over-controlling” of sector and support activities.


• Policy/procedure effectiveness and related compliance risk – a comprehensive category relating to the quality and completeness of controls and procedures, along with full compliance therewith. To a large degree, this risk could be considered part of all the other risks, but is not usually of the same order of magnitude as those risks. The same comment about avoiding excessive cost and over-control, mentioned under transaction risk, also applies here.

DESIGN OF THE FRAMEWORK

There is a hierarchy of the purposes of risk management, controls and accountabilities, along with the sequence of steps in designing and implementing an overall framework, summarized as follows:

• Conceptualize the vision, strategies and objectives of the Organization and refine them by challenging the interrelations, comparative values, and inner logic of the strategies and objectives. Restate them in both negative and positive terms: the threats or obstacles to their satisfactory achievement and the opportunities to optimize them.

Also state and compare these elements in terms of desirable results, based on application of a consistent “value” measurement system. Select those with the highest “values” that are likely to be achievable with the resources expected to be available to the Organization.

This is, of course, an abbreviated and simplistic version of a risk identification and evaluation process (which would usually be done with the help of risk modelling tools). But it should suffice for purposes of illustration of how the highest value strategies and objectives can be selected by a systematic process.

• Use the resulting strategies and objectives as the basis for selecting the management control policies and processes that, applied as a whole package, are most likely to achieve the objectives in a cost-effective manner. Insist that agreed-upon, measurable results be established in advance of adoption of strategies and objectives – and certainly in advance of authorizing the commencement of the related programmes, projects and supporting activities.

• Establish the activities and relationships that will effectively apply those management controls; then further complete the documentation of the control methodologies through organization charts, delegation of authority documents (or terms of reference, charters, etc., for operational and support units), and position descriptions. Take a “big picture” look at the whole control package, challenging it for gaps, duplications, lack of clarity and excessive costs.

• Establish processes for self-assessment and reporting, supervisory review and evaluation, and similar tools for measuring performance and/or results. These processes should be “owned” by management – not by the Bureau of the Budget, the Comptroller, or Internal Oversight. They should be designed so that, if they were to function with full effectiveness, there would be only a limited need for monitoring or oversight functions.


• Finally, design and implement an integrated internal oversight function, encompassing evaluation of programme effectiveness and results (including “value-for-money”), quality assurance and process improvement, compliance review (both operational and financial), investigation, etc. Follow a logical sequence that includes these steps:

Define the oversight universe in alignment with the risk and management control framework described above.

Perform a risk identification and evaluation to determine the programmes, processes, systems, operational and transaction cycles, etc., which are likely to represent the highest exposure and/or greatest opportunity to add value through application of internal oversight resources. This audit risk assessment process can be done cost-effectively with the aid of a variety of available software. (However, the first time it is carried out, this exercise could be a generalized assessment, based mostly on professional judgement, to achieve an overview of the likely IO resources needed and the major IO universe areas to which they should be applied.)

Prepare a long-range oversight plan in which the coverage of the oversight universe, through potential evaluations, reviews, etc., would be effected in a systematic manner (over a period of, say, three years). For example, oversight work might be performed on very high-risk/high-priority universe units every year; those at the next level every two years; at the next level every three years; and oversight work might be performed on only a small sample of units at the lowest level of priority during each year of the three-year plan. Update the plan each year.

Prepare an annual oversight plan, specifying the scope of work, objectives, time to be spent, staff to be assigned, etc., for each of the different types of oversight engagements planned.

Make the long-range and annual plans flexible, on the assumption that changing conditions and management needs will result in substitutions and/or increases/decreases in scope of the planned engagements. They should have extensive input from UNESCO’s management (including guidance from those responsible for management’s comprehensive sector evaluation plans) as well as input from the external auditors.

Prepare an annual IO planning report for senior management, summarizing the current status of the “rolling” long-range plan and the one for the current year, specifying the available IO resources, including those to be obtained outside IO, and a judgement as to their adequacy.


ANNEX III

SAMPLE POLICY STATEMENT FOR CONTROLLING AN ORGANIZATION

1. Management is charged with the responsibility for establishing a network of processes controlling the operations of “XYZ Organization” in a manner which provides the board of directors reasonable assurance that:

• The organization’s resources (including its people, systems, data/information bases and customer goodwill) are adequately protected.

• Data and information published either internally or externally are accurate, reliable and timely.

• The actions of directors, officers and employees are in compliance with the organization’s policies, standards, plans and procedures, and all relevant laws and regulations.

• Resources are acquired economically and employed profitably.

• The organization’s plans, programmes, goals and objectives are achieved.

• Quality business processes and continuous improvement are emphasized.

Controlling is a function of management and is an integral part of the overall process of managing operations. As such, it is the responsibility of managers at all levels of the organization to:

• Identify and evaluate the exposures to loss which relate to their particular sphere of operations.

• Specify and establish policies, plans and operating standards, procedures, systems and other disciplines to be used to minimize, mitigate and/or limit the risks associated with the exposures identified.

• Establish practical controlling processes that require and encourage directors, officers and employees to carry out their duties and responsibilities in a manner that achieves the control objectives outlined in the preceding paragraph.

• Maintain the effectiveness of the controlling processes they have established and foster continuous improvement to these processes.

2. The internal auditing function is charged with the responsibility for ascertaining that the ongoing processes for controlling operations throughout the organization are adequately designed and are functioning in an effective manner. Internal auditing is also responsible for reporting to management and the audit committee of the board of directors on the adequacy and effectiveness of the organization’s systems of internal control, together with ideas, counsel and recommendations to improve the systems.

3. The audit committee is responsible for monitoring, overseeing and evaluating the duties and responsibilities of management, the internal auditing department, and the external auditors as those duties and responsibilities relate to the organization’s processes for controlling its operations. The audit committee is also responsible for determining that all major issues reported by the internal auditing department, the external auditor, and other outside advisers have been satisfactorily resolved. Finally, the audit committee is responsible for reporting to the full board all important matters pertaining to the organization’s controlling processes.