Going Global: Russia’s Accounts Chamber Audits UNIDO

• The Accounts Chamber has reached a new level by performing its first international audit. The subject of the audit was the United Nations Industrial Development Organization (UNIDO). How did you manage to beat the competitors? 

To win the position of UNIDO's External Auditor, the Accounts Chamber had done a lot of preparatory work in close cooperation with the Ministry of Foreign Affairs of the Russian Federation. We studied in detail the practices of other Supreme Audit Institutions (SAIs) moving on to the international arena, conducted multilateral negotiations with UNIDO member countries, and studied the experience of 'competitor countries' to build a winning strategy and identify our strengths and weaknesses. It was this multifaceted work that allowed us to achieve our objective and gain the position of UNIDO's External Auditor.

I would also like to commend the work of our UNIDO team. In order to perform properly at the international level, we held an extensive three-month training programme. Our colleagues studied English every day, took intensive courses on international accounting and auditing standards, and learned the basics of the SAP system. Moreover, our department had quickly (over the summer of 2020) to develop from scratch effective in-house methods based on international standards, determine strategic approaches to international auditing and prepare working document templates to be used by the UNIDO team during the audit. Throughout the preparatory phase, we were under time pressure. The fact that the Accounts Chamber was doing an international audit for the first time and that the auditors had no previous relevant experience added to the tension, too.

• This international debut happened to coincide with the global coronavirus pandemic. How did it affect your work: did you have to use unconventional or even new methods in international practice?

COVID-19 certainly made a difference. Initially, we had planned to conduct the interim audit directly at UNIDO headquarters in Austria. We had booked a hotel in Vienna and bought tickets for all team members but one cannot foresee everything. We had to cancel our trip because of the lockdown. Yet there is no such thing as a hopeless situation so we promptly updated our audit approach and changed the arrangements and, in some cases, even the audit procedures themselves. In particular, we obtained the remote access we needed to all UNIDO’s IT systems to do the job off-site, and agreed on a communication procedure, including by appointing responsible persons, agreeing on the frequency and timing of requests, and selecting a platform for online communication.

All communication with UNIDO staff was done through online platforms, with active correspondence along various electronic channels.

This format has its undeniable advantages. The written communication helped in formulating questions in advance and getting detailed answers. Given that this was the first time for us that all communication was in English, this format worked very well for many.

The flip side of this coin is that it takes longer to get answers to the auditor's questions. Normally, questions can be sorted out quickly without even scheduling a meeting but, in a remote setting, you have to schedule video conferences, which are sometimes postponed for days or even weeks.

As a result, more than 60 online meetings were held with UNIDO representatives and more than 2,500 questions resolved in writing. This intensive work produced impressive results: some 150 irregularities were identified, of which the 34 most important were reflected in the External Auditor's Report on UNIDO's accounts for 2020.

• Speaking about the UNIDO audit, you used the word "first" more than once. Can we say that the Accounts Chamber has become a pioneer in scrutinizing the key IT systems used by the organization?

Doing IT audits is, indeed, a new trend for the UN External Auditors. For example, in 2020, cyber security audits were conducted by only a few auditors, including the Russian Federation. This is an area of incredible interest because, in 2020, millions of people switched to remote working, meaning they were using their organizations’ IT platforms from home. In this situation, it is critical to ensure security of communication channels.

I am glad we chose IT as one of the main audit areas because our results were of great interest to the UNIDO management. We found that UNIDO's systems are more reliable than those of other non-profit organizations. Even so, they are not without their flaws: some user accounts of UNIDO's email service and statistics portal, which is operated by a third party, proved vulnerable to hacking. On the basis of our cybersecurity analysis, we made our recommendations. The UNIDO management agreed with them and will allocate additional funds in its budget for 2022–2023.

Given that organizations are moving rapidly to remote working schemes, IT audits are becoming a priority area we are keen to develop not only at the United Nations.

• A third of the comments you identified in the report are critical. Are they specific to UNIDO's area of work or do they also apply to any other organization or country?

Significant irregularities were found in each of the three audit areas (financial audit, performance audit and IT audit). And despite certain specifics of UNIDO's activities, these observations can certainly be applied to any UN organization, as well as to Russian reality. These are errors in application of international financial reporting standards for the public sector, the equivalent of which is also applied in the Russian public sector.

For example, we found during our IT audit that access to enterprise resource planning systems was not properly secured. A significant number of users had been given 'advanced access', including ability to enter data manually, bypassing the controls in place. So, the configured functionality increased the risk of fraudulent activities. As well as the lack of control over accounting adjustments and manual transactions, the audit of such settings in accounting systems could be an interesting topic for Russian audit platforms, too.

In the area of performance auditing, the most significant observations related to organizational structure and project management. As the audit revealed, the current location of UNIDO’s regional offices does not correspond directly to the organization’s project activities but rather echoes its historical development. This has resulted in some offices having a purely nominal (representative) function, whereas there are no regional offices in more than half the countries where UNIDO runs its projects. In addition, the existing functions of the offices tend to be top-down and a number of functions are not performed in practice. This entails risks of function overlapping. All the above points to inefficiencies in the organizational structure.

As part of project management, we assessed UNIDO's project management maturity against 12 key criteria. Overall, the organization performed well. At the same time, some areas were identified as being in need of improvement. In particular, we highlighted the lack of project typing/classification, lack of internal monitoring of project implementation and inadequate quality control procedures.

• What recommendations did the Accounts Chamber make to eliminate and prevent such flaws in the future, and will they help avoid similar risks outside UNIDO?

The breakdown of the recommendations issued varies mostly according to the area audited. For example, with regard to financial audit observations, recommendations were made primarily on the need to comply with specific requirements of the International Public Sector Accounting Standards (IPSAS), to automate certain processes in order to avoid errors, and to develop new UNIDO regulations.

Recommendations in the area of performance audit mainly centred on application of global best practices and optimization of business processes. As for the IT audit, recommendations tended to focus on strengthening system controls and enhancing information security.

I would like to note that every recommendation proposed in the External Audit Report is backed up by the requirements of the relevant standards and best practices, and reflects the potential risks for the organization. For our part, we not only provided a list of irregularities identified, but also held a number of roundtables to ensure that the UNIDO management builds an effective remediation plan in line with global best business practices.

In our view, the recommendations provided can be followed both by other UN organizations and by any other public sector organization.

• You have identified material errors relating to historical financial statements. Tell us more about this.

As part of our financial audit, we paid close attention to how revenue from voluntary contributions is recorded as the most important item in the financial statements, and we also drew attention to significant amounts of receivables and deferred income at the end of 2020.

Having audited these statement items, we found that UNIDO had applied incorrect accounting treatment to voluntary contribution revenue. There are several reasons for this: first, the UN system has developed different practices with regard to international financial reporting standards and, second, the wording of the standards themselves is ambiguous and complex, requiring exceptional expertise.

As a result, we corrected errors in the financial statements totalling approximately EUR 200 million, around 20% of the balance sheet total, which is certainly significant for users of the statements.

• The Accounts Chamber has already established itself as a competent partner in its home country. Will the UNIDO audit help gain this status in the international arena as well?

Undoubtedly, the audit of UNIDO has enabled the Accounts Chamber to gain considerable experience in international auditing since UNIDO’s accounts are prepared in accordance with IPSAS, as well as the UNIDO and UN Financial Regulations and Rules, this being similar to the financial reporting guidelines applied by other UN organizations. Moreover, as many of the UN business processes are generic in nature, it has provided an opportunity to gain experience of the approaches not only taken at UNIDO but also across the UN system. In this regard, the UNIDO audit allows the Accounts Chamber to immerse itself quickly and effectively in the international audit of other UN bodies. In view of the positive feedback from UNIDO’s senior management, as well as the Audit Advisory Committee, on the performance of the Accounts Chamber, we expect a further increase in our portfolio of international audits and extension of our mandate as UNIDO's External Auditor in the near future.

In the past six months, we have submitted bids to audit a number of UN organizations, including the IAEA, Interpol, UNIDO (re-election for another term), and the World Food Programme, with mandates ranging from two to six years.

Click here to view the full version of the report.