top of page

The UNOPS Scandal: How Did the Three Lines of Defense Breakdown?

19 March 2023

By Katja Hemmerich


How the UN's Audit Mechanisms Should Function: An Overview.


Next week, WFP’s Independent Oversight Advisory Committee holds its 162nd session, last week, the UNDP/UNFPA/UNOPS Executive Board was briefed on UNOPS Internal Audit and Investigation Group (IAIG) and the review of UNDP Office of Audit and Investigations, and throughout its resumed session the Fifth Committee is reviewing several reports of the Joint Inspection Unit (JIU).

man at desk with calculator, $100 bills and papers with graphs

It’s not hard to be confused by the plethora of internal and external auditors, inspectorates and other control mechanisms. This week, we spotlight these different mechanisms to help our readers understand their functions by asking the question of how these mechanisms were unable to prevent the financial mismanagement of UNOPS’s Sustainable Investments in Infrastructure and Innovation (S3i) initiative.


UNOPs, like all other UN entities, has multiple layers of internal and external controls intended to prevent, identify and correct mismanagement and strengthen accountability. UNOPS adheres to the three lines of defense model for oversights, which is considered a UN standard and endorsed by the UN System Chiefs Executive Board (CEB). The first layer for any organization is ensuring that there are management processes in place to ensure adherence to rules and regulations and monitor compliance, i.e. Enterprise Resources Planning systems (ERP), approval processes, certifying officers, delegated authority etc. To reinforce these systems, good governance frameworks dictate that there should be additional internal audit functions to monitor compliance and external auditors as an additional layer of control.


In the case of UNOPS, this consists of its own Internal Audit and Investigation Group (IAIG), the Office of Internal Oversight Services (OIOS) which provides additional investigative support to the IAIG in certain circumstances, as well as the UN Board of Auditors and JIU as external audit functions. Like most other UN entities, UNOPS also has an Audit Advisory Committee (AAC) which provides strategic advice on audit related matters and coordinates with other oversight bodies across the UN system. With five different audit mechanisms in UNOPS' accountability system - which is not entirely uncommon for UN entities - how then, could the financial mismanagement scandal of the S3i initiative even come about?


According to the International Framework on Good Governance in the Public Sector, internal audit functions should be reinforced with external auditors and through an audit committee, which oversees internal audit functions and supports the quality of their activities while also reinforcing the objectivity and importance of external audits. Independence is a key feature of internal and external auditors as well as the audit committee. According to the KPMG review of the internal control mechanisms in UNOPS in relation to S3i, however, “There were deficiencies in the independence structures of the oversight bodies which affected their ability to effectively monitor the S3i related activities”.


More specifically, KPMG indicated that “a combination of technical, operational, oversight and governance deficiencies, choices in risk taking and elements of a culture of fear created an environment that was vulnerable to management override of controls”. The KPMG report, in combination with the JIU’s 2019 review of audit and oversight committees in the UN System starts to illustrate some of the features of oversight mechanisms that can enable management override of controls.


The JIU review highlights that international best practice is for audit committees to report to both to Executive Heads of an entity as well as the governing body to help reinforce independence, and which also provides a safeguard against management override of controls. Yet, when it published the report in 2019 UNDP, UNESCO, UNFPA, UNICEF, UNOPS, UNRWA and UNWomen all had audit committees that reported only to the Executive Head. All except UNESCO also required only the Executive Head’s approval for changes to the ToRs of the audit committee. To date, there are still UN entities which have not yet implemented these, or all of the other JIU recommendations.


The KPMG review of UNOPs internal controls goes further and highlights that the Audit Advisory Committee “was not performing an oversight role and instead had a mandate and role in practice to advise, rather than monitor, the ED.” Moreover, when a whistleblower complaint was made to OIOS in 2019, the investigation was handed over to the IAIG, despite the fact that IAIG had no mandate to investigate the Executive Director or her Deputy, who had both been named in the complaint.


While the JIU report accepts that an advisory role is sufficient for audit committees and does not explicitly call for monitoring or oversight of executive heads, it does indicate that it is a good practice for audit committees

  • to advise on “the adequacy of the investigations strategy, policies, standards” (para. 64) and

  • to “review the adequacy of the management response to the [audit] observations and recommendations issued” (para. 69).

A thorough implementation of those elements of the JIU report would likely have mitigated some of the institutional vulnerabilities that enabled the UNOPS' management's override of controls.


From our brief review of audit functions, we would like to highlight a few practical takeaways for further consideration by our readers - both UN managers and members of governing bodies:


  1. Implementation of JIU recommendations on audit and oversight might have helped catch the S3i problems earlier: Where does your entity stand with respect to implementation of the 2019 JIU recommendations on audit and oversight committees?

  2. Layers of control are important, but they shouldn’t create unnecessary duplication: If it feels like there is duplication of control mechanisms and audits in particular, is this to reinforce independence; does it reflect that an issue of concern has not been corrected; or is more coordination needed from your audit committee?

  3. Audit Committees are not infallible and as indicated by the JIU, they should be subject to evaluation: When is the next performance evaluation of your audit committee scheduled? If it has already taken place, do you have access to the report? It may be worth reading.



bottom of page