(A) Detection and prevention of fraud

(A1) At its 64th session (March 1986) CCAQ(FB) considered a letter from the Executive Secretary of the Panel of External Auditors, suggesting the establishment of a focal point to receive reports on cases of fraud in the system and to promote general awareness of such cases. UN, which had referred the letter to CCAQ, indicated that in its understanding the aims envisaged were to prevent re-hiring by one organization of a person found guilty of fraud in another and to encourage an exchange of information among the organizations that might facilitate the detection of cases of fraud. The Committee believed the detection and prevention of fraud were a vital responsibility of financial management, and inseparable from the organizations' insistence on integrity in their staff. It was also aware that there was a substantial number of cases of fraud in the system. It considered, however, that exchanges of information had to be approached with caution, and that mechanisms through which the problem of fraud was already addressed should be taken into account. Exchanges of information on types of fraud might also help in combatting it. The Committee requested information on action at meetings of internal auditors in respect of fraud cases for study at its next session, and agreed that the subject of financial controls in general should be regularly scheduled for discussion at its future sessions (ACC/1986/4, paras. 55-58).

(A2) Possible central arrangements for the exchange of information on staff dismissed for serious misconduct were considered at the 65th session of CCAQ(PER) (June-July 1986), further to discussion by JSPB of a particular case of fraud. CCAQ(PER) asked the Secretary to study the matter of a possible central register of persons summarily dismissed or terminated on disciplinary grounds, or of all persons recruited by organizations of the system (ACC/1986/10, para. 136). CCAQ(FB) noted this development at its 65th session (September 1986), together with a summary of the views on the subject of fraud which had been expressed at recent meetings of the chiefs of internal auditing services of the organizations. After a private exchange of information on recent cases of fraud, it was agreed to pursue the matter further at the next session on the basis of the report to be prepared by the Secretary (ACC/1986/12, paras. 51-53).

(A3) This report, submitted to CCAQ(PER) at its 66th session (March 1987), concluded that the establishment of a general register of persons recruited by the organizations was not feasible. The circulation of information on staff summarily dismissed gave rise to some uneasiness, although UN had made arrangements to inform other organizations of staff summarily dismissed or separated from service who still owed money to it. It was suggested that the possibility of ascertaining previous participation of job applicants in UNJSPF through reference to UNJSPF records should be further considered (ACC/1987/4, paras. 97-99). At the 66th session of CCAQ(FB) (March-April 1987), participants expressed interest in pursuing the arrangements made by UN, which they believed could be an important deterrent. The Committee requested that the UN lists should be sent periodically (say, twice a year) to all members of CCAQ, who might thus be able to compare them with their own records, assist in obtaining recovery of funds and take any other appropriate action. Finally, it was agreed that cases of fraud should be individually reviewed during the Committee's regular closed discussions of deposit and investment arrangements (for which see section 19.3) (ACC/1987/6, paras. 28-30).

(A4) During the discussion at its 67th session (September 1987) CCAQ(FB) expressed interest in examining any relevant observations that might be put forward by the internal auditors at their next inter-organization meeting, notably as regards areas calling for particular vigilance (ACC/1987/12, para. 46).

(A5) The observations expressed by the internal auditors at their nineteenth meeting, held in October 1987, were noted by the Committee at its 68th session (March 1988), in the course of a private exchange on matters relating to fraud (ACC/1988/5, para. 46).

(A6) At the 72nd session (March 1990) the Committee decided to discuss at its next session security aspects of inter-office payment instructions, on the basis of data from UNDP on the volume of payment instructions handled by it (ACC/1990/5, para. 66). At the 73rd session (September 1990) it took note of the UNDP data (ACC/1990/12, para. 58).

(A7) At its February 2004 meeting (CEB/2004/HLCM/12/Rev.1, paras. 22-23) the FB Network was presented by WHO, the lead organization, with a paper on fraud prevention mechanisms and invited members to comment upon their own policies, practices and experiences in the area of fraud and fraud prevention and also upon a proposal for the creation of a Working Group to identify: categories and types of fraud, best practices and roles, responsibilities and the relationship with internal audit and oversight functions. It was noted that fraud prevention policies had to be developed within a risk assessment framework. Many organizations had introduced new systems which meant that fraud prevention measures needed to be assessed differently. The detail of this discussion was not recorded for reasons of confidentiality. The Network requested all organizations to share policy documents and other guidance on fraud prevention, including advice and materials used in management training and agreed to the creation of a Working Group which would, as a priority, develop a common framework for risk assessment and a shared definition of fraud, its types and categories. The risk assessment should include security issues surrounding issues of financial data being handled through electronic means. The Working Group was also requested to: (a) produce a best practice booklet on fraud controls and prevention and (b) consider the matter of training, including the production of CD-ROM based training materials. Legal and internal audit colleagues should be brought in to assist in the work, as needed. The ITC Network should be consulted in approaches that might be taken to mitigate risks identified in electronic data exchanges.

(A8) At its September 2004 video-conference (CEB/2004/HLCM/28, para. 9) the FB Network agreed that organizations (a) should inform FAO, the lead agency, of their interest in joining a working group on common definitions of fraud, which would involve the preparation of a compendium of organizations' definitions and an analysis of common aspects, and (b) might ask their respective internal audit and oversight departments to participate as responsibility for this issue was often crosscutting.

(A9) At its March 2005video-conference (CEB/2005/HLCM/8, paras. 10-15) the FB Network wasupdated by FAO, Chair of the Working Group on fraud prevention. Awork plan had been drafted and submitted to members of the Group forcomments. The next step would be to organize a teleconference tofinalize the work plan, define responsibilities and discuss initial keyissues. The work was being carried out in consultation with theInternal Audit and Legal Offices of FAO, and it was agreed that similarfeedback should be sought from corresponding functions of organizationsparticipating in the working group. It was suggested that therecent World Bank report on fraud prevention could serve as a usefulreference for work on this subject. It was also agreed thatfurther activities of this working group would proceed in closecollaboration with the Task Force on Accounting Standards, so as totake into consideration the broader emerging issue of transparency andaccountability.

(A10) At its July 2005 meeting (CEB/2005/HLCM/26,paras. 17-25) the FB Network considered a progress report on theactivities of the Working Group on Fraud Prevention. The effortto reach an agreement on a common definition of fraud based onalternative definitions, mainly issued by authoritative standardsetting bodies, had proved to be a difficult one, although certaincommon elements were present in most alternatives. The Group hadalso developed a draft Risk Assessment framework, exploring thepossibility that such a framework could be subsequently implemented inmember organizations. This work was only at its initialstages. The Group sought advice from the FB Network members onthe direction to follow, i.e. whether to aim at reaching agreement on acommon definition of fraud for proposed adoption throughout the UNsystem or to produce an analysis of different definitions and commonelements aiming at providing best practice advice to organizationsworking on developing their fraud policy. It was noted that manyorganizations had recently adopted a definition of fraud, either aspart of a full-fledged fraud policy or as a working definition, andwould be reluctant to change it for the time being, given the extensiveprocess of change that required approvals at high levels, including bytheir governing bodies in some cases. The UN Secretariat alsodescribed its on-going activities in developing a fraud and corruptionprevention policy, due by September 2005 for approval by the GeneralAssembly at its 60th session. UNDP expressed interest inparticipating in the work of the UN Secretariat on the subject, sinceonce approved by the General Assembly any framework would also beapplicable to the UN Funds and Programmes. The Networkconcluded that it was desirable for the Working Group to continue itsactivities with a full scale mandate, i.e. developing a definition offraud and a risk assessment framework, as part of a comprehensive fraudprevention policy and should organize its work in coordination with theHLCM working group about to be established on Governance,Accountability and Transparency. Organizations agreed that,should they not develop an internal fraud prevention policy by 30 June2006, they would adopt the framework to be proposed by the WorkingGroup by that date.

(A11) At the fifth meeting of the FB Network (CEB/2006/HLCM/6, paras.47-52),  in connection with the subject of governance and accountability, the Chairman of the FB Network proposed a review of the working arrangements on the subject of fraud prevention.  As work was being undertaken on an organisation-by-organisation basis already, it was suggested that the developments be pooled through the FB Network and that the CEB Secretariat perform a check at the next face-to-face meeting to assess progress. The proposal was unanimously accepted. By end February 2006, HLCM was requested to define working arrangements and reporting mechanisms of the review of governance arrangements and auditing and oversight systems. 

(B) Arrangements for operational activities

(B1) At its 37th session (March 1973: CO-ORDINATION/R.985, paras. 41-43) CCAQ reviewed draft rules prepared by ILO for the use of project vehicles. The discussion showed that organizations were generally in favour of establishing a policy along the lines of a draft text submitted by WHO, coupled with guidelines as set out in the ILO draft. This would assist in drawing up local rules, based on local conditions. These differed so widely that no more could probably be expected in the way of uniformity. The CCAQ secretariat was asked to prepare a new draft and seek the comments of organizations. If agreement could be reached by correspondence CCAQ would not need to review the matter again.

(B2) At the 39th session (March 1974: CO-ORDINATION/R.1032, paras. 37-38) CCAQ agreed to a revised text for a set of guidelines on the use of project vehicles. UNESCO and WHO stated a preference for the simpler statement previously submitted by the latter organization.

(B3) The Committee agreed at the 63rd session (September 1985: ACC/1985/17, para. 50) that questions concerning the use of grants to finance small-scale operational activities should be studied on the basis of information to be collected by its secretariat. Information provided by several organizations was noted at the 64th session (September 1986: ACC/1986/4, para. 46).

(C) Aspects of computer systems

(C1) At the 68th and 69th sessions (March and September 1988) CCAQ considered recommendations from the Panel of External Auditors that the organizations give greater priority to overcoming weaknesses in five aspects of the control and security of computer systems. Written comments from the organizations showed, in its view, that they took the recommendations very seriously; however controls were costly and limitations were imposed by shortage of resources. Commenting on a suggestion by the Panel that exchanges on the incidence of risk to the control and security of computer systems might be handled through central clearing arrangements, the Committee observed that such information must be treated with great care, since its disclosure could lead to greater risk. It agreed to include exchanges on important cases that came to light in its regular private discussions on cases of fraud (ACC/1988/5, paras. 46, 47; ACC/1988/13, paras. 61-65).

(C2) At the 71st session (September 1989) the Committee returned to the subject discussed above in the context of a proposal that ACCIS establish a technical panel to examine problems of computer security and draw up relevant guidelines for the organizations. It expressed encouragement to ACCIS in this project, on the understanding that the resulting guidelines were reasonable and affordable; it also believed that links should be established in this area between ACCIS, CCAQ and the internal auditors (ACC/1989:15, paras. 65, 66). On the latter subject the Committee at its 72nd session (March 1990) proposed that the Executive Secretary of ACCIS invite the current Chairman of the internal auditors' inter-organization meetings to consider arrangements for their participation. It did not think that direct representation of CCAQ on the panel was necessary, but asked to be kept informed of its work (ACC/1990/5, paras. 67, 68). CCAQ later noted that representatives of the organizations' internal auditors had indeed attended the first meeting of the technical panel (73rd session, September 1990: ACC/1990/12, para. 59). A Handbook containing guidelines on information security growing out of the work of the ACCIS Technical Panel on Information Security, as it had by then come to be known, was adopted by ACCIS at its sixth session, in September 1991, and was subseqeuntly issued as an ACCIS publication. This was transmitted at the request of ACCIS to the members of CCAQ(FB), as well as to the organizations' internal and external auditors.

(C3) On the basis of a suggestion by UNESCO, at the 72nd session (March 1990) the Committee agreed to prepare a questionnaire as a first step towards identifying computer systems in the financial and budgetary area that might have potential for sharing among organizations (ACC/1990/5, paras. 71-73). The Committee's workload at subsequent session prevented this suggestion from being pursued.

(C4) At its 81st session (August - September 1994), in the context of a discussion on the subcontracting of work to cut costs, CCAQ(FB) requested its secretariat to gather information on firms which organizations had employed to prepare computer programmes (ACC/1994/15, para. 34).

(C5) At its 83rd session (August - September 1995), CCAQ(FB) held an initial discussion on financial computer systems as a result of a suggestion by UNESCO under the proposal made at the last session to hold regular discussions on management issues. It decided to examine the subject of general administrative computer sessions on a regular basis at each of its sessions (ACC/1995/20, paras. 42-44).

(C6) At its 84th Session, Rome, February 1996, (see documents ACC/1996/FB/84/CRP.1 and Add.1), the Committee welcomed Dr. Gelbstein, Director of the International Computing Centre, who made a presentation on some of the key managerial challenges and opportunities faced by the United Nations system in making optimum use of information technology. FAO made a presentation on information systems developments currently being undertaken and the United Nations showed a video on Release 3 (Finance, Procurement and Travel) of the IMIS. The Committee was also briefed on the status of development of a CCAQ(FB) mailing list and FTP site hosted by ITU, and given a demonstration of possible use of Internet by CCAQ members to access a CCAQ Home Page providing such information as session documents, reports and the CCAQ Handbook.

(C7) The Committee was briefed by UNDP on a proposal to introduce electronic transfer of Inter Office Voucher (IOV) data and thus to cut down on the flow of documentation in support of UNDP disbursements in the field on behalf of other organizations. This was already in place with regard to disbursements made on behalf of UNFPA/UNOPS/UNV and it was suggested that other organizations would benefit from extension of the service. It was agreed that the Committee would revert to this subject at its next session after the views of External Auditors had been obtained and organizations had consulted further internally and with UNDP on the software and other implications of such a move.

(C8) At its 85th Session, August 1996, the Chief of the United Nations Integrated Management Information System (IMIS) Project made a presentation on some of the key issues and challenges in successfully implementing IMIS, with special reference to Release 3. The ensuing discussion covered the extent of involvement of finance staff in the development of the project, substantial additional costs to be incurred well in advance of the benefits to be obtained from the project, and the major impact on work methods and staff patterns. FAO briefed the Committee on the status of the information systems developments currently being undertaken. WHO briefed the Committee on the outcome of an inter-organization meeting held in Geneva in July 1996 on the subject of Information System Support in the areas of finance and administration. Information was exchanged on existing information systems and major developmental activities in the area of administration and finance, including client-server applications and downsizing of mainframe applications. A new Health Insurance Information System, a joint UNOG/ILO/ITU/WHO development project, was under user acceptance test and was an example of potential cost savings and productivity improvements that can arise from the sharing of applications by organizations.

(C9). The Committee reviewed the status of UNDP's project for the electronic transfer of Inter Office Vouchers, which offered the potential for considerable savings and was at present being tested in a limited number of organizations. It was agreed that the Committee would revert to this subject at its next session after interested organizations had consulted further internally and with UNDP on the software and other implications of such a move. The Committee also discussed the potential savings from publishing manuals and other reference material using optical disk technology or an INTRANET. It also reviewed productivity and other issues associated with investment in personal computers.

(C10) At its 87th Session, August 1997, the Director of the International Computing Centre (ICC) made a presentation ( see Document: ACC/1997/FB/87/CRP.1 ) on key information technology issues with special reference to planning for the Year 2000 issue, which affects most organizations. Participants were interested in access to a list of commercially available software which is Year 2000 compliant. The secretariat was requested to liaise with ICC to identify specific Web sites which members could use as a source for this information. The Secretary of ISCC advised the Committee that the United Nations had requested the Gartner Group to undertake a risk assessment review of plans for the Year 2000 compliance. ISCC agreed to keep members informed of system-wide involvement of the Gartner Group, via the CCAQ secretariat.

(C11) Representatives of the United Nations made presentations on the IMIS project which covered problems that have arisen in implementation, issues with regard to interface with other information systems and the latest schedule for roll out of additional modules at present under development. Release IV of IMIS, the Payroll module, was scheduled for end 1998. The importance of adequate training and the establishment of a dedicated implementation team was stressed. The Committee was assured that IMIS was Year 2000 compliant.

(C12) Representatives of UNICEF made presentations on the status of the SAP project which would interface with a new field office system and with the Personnel and Payroll modules of IMIS. Information was also exchanged on the status of FAO's Oracle project, including lessons to be learned from FAO's previous experiences. Information was also exchanged on development of financial systems by ITU (with respect to its SAP project), WFP and UNHCR. It was emphasized that in all systems development work the prerequisites for successful implementation included top management support and commitment to provision of adequate funding; early participation of end users in the planning process and clear ownership of the project; and a dedicated end user team for testing applications as they are developed and before they are put into production.

(C13) At its 88th Session, New York, 4 September 1998 , ( see Document:ACC/1998/FB/88/CRP.13), UNICEF made presentations on the status of the SAP project, which will interface with a new field office system and with the Personnel and Payroll modules of IMIS. Representatives of the United Nations made presentations on the IMIS project, which covered issues with regard to interface with other information systems and the latest schedule for roll out of additional modules at present under development, in particular Release IV of IMIS, the Payroll module. FAO provided a status report on their Oracle system. IAEA reported on a new system called "Agresso"; WFP briefed the Committee on their plans for implementation of SAP; ITU reported on the implementation of SAP in time for the start of the 1998-99 biennium. To enhance cooperation and to avoid duplication of efforts, organizations were encouraged to exchange information on implementation of their respective information software packages. One common theme that emerged from the discussions was that the complexity of United Nations system rules and regulations, particularly pertaining to entitlements, and other administrative requirements was leading to high costs of systems implementation and consequential delays which in many cases appeared to be avoidable and unnecessary if a simpler and more standard approach to administrative procedures were adopted.

(C14) The United Nations has requested the Committee to review the use of UNDICS by organizations and the necessity for urgent action to make UNDICS Year 2000 compliant if organizations wish to continue its use. The Secretary was requested to undertake a survey of organizations using UNDICS before December 1998 so that appropriate measures can be taken in time.

(C15) At the Committee's 89th Session, February 1999 , the United Nations provided information on the latest development of, and improvements to, IMIS. Representatives of UNICEF, WFP and ITU briefed the Committee on the status of their use of SAP software and proposals for the future. ITU had implemented the financial modules in January 1998 and was working on a project for the complete administration of the sales of ITU's Publications. UNICEF had successfully implemented its SAP project in January 1999. WFP's SAP project was scheduled for implementation by mid-2000. FAO advised the Committee that implementation of their ORACLE-based system was scheduled for April 1999. The new fully-integrated financial system should greatly improve management information and control and streamline, simplify and reduce the cost of administration and finance. IAEA briefed the Committee on its Agresso project, implementation of which is scheduled for September 1999. IAEA also suggested that a User Group be set up for the ATLAS travel system which had been acquired first by IAEA and subsequently by FAO and WHO.

(C16) Participants noted that the involvement of several organizations in developing systems based on software from one vendor had produced considerable benefits arising from exchange of information and experience. The Committee strongly encouraged this kind of collaborative system development wherever possible.

(C17) At its October 2002 session (CEB/2002/5, paras. 18-19) HLCM discussed information security. The discussion and HLCM's decisions are reported in section 15.5, para. 35.