OIG REPORT ON ITS AUDIT OF GLOBAL FUND INTERNAL FINANCIAL CONTROLS
Oliver Campbell White
Article Number: 5
ABSTRACT The OIG report on its audit of Global Fund Internal Controls concludes that, while the Global Fund has continuously improved its internal financial control processes over time, improvement is needed in grant financial controls and in the management of financial risks. It also reports on adaptations to internal financial controls deemed necessary during the COVID-19 pandemic.
On 15 March 2021, the Office of the Inspector General (OIG) published its report on its audit of Global Fund internal financial controls.
The audit’s overall objective was to provide reasonable assurance to the Global Fund Board on the adequacy and effectiveness of internal financial controls at the Secretariat. The audit did not cover financial-related controls over recoveries and grant closure, which have been covered in other OIG reports.
The report outlines the Global Fund’s Annual Funding Decision (AFD), disbursement and forecasting processes:
- The Secretariat monitors grant performance and budget execution through the AFD, which determines when funds will be disbursed to Principal Recipients (PRs). A schedule is set up, on a staggered basis and according to the grant agreement, to determine when funds are released. In many cases, PRs also disburse funds to smaller organizations who serve as Sub-recipients and Sub-sub-recipients. All financial commitments are processed through the AFD, except for health product procurements through the Pooled Procurement Mechanism (PPM);
- An annual decision-making form (ADMF) specifies the amount to be disbursed over a specified 12-month period (the “execution period”); this may include a buffer period of up to six months. Each grant’s progress is reviewed in terms of programmatic achievements, financial and management aspects, and an overall grant rating is assigned. Before the ADMF is submitted for approval, the Risk Department reviews it to ensure that risks have been identified and appropriately prioritized, mitigation measures are adequate, and appropriate assurance mechanisms have been identified. Country Teams, however, remain the overall risk owners and responsible managers for all grant risks; and
- The Secretariat forecasts grant disbursements three times a year, to monitor the organization’s corporate assets and liabilities over the implementation period, with a mid-term plan updated twice a year. There are procedures and a framework to guide financial forecasts and budgets, and controls to ensure forecasts are accurate and adjustments are approved at the right level. Forecast information is reported on a regular basis to the Management Executive Committee (MEC) and Audit & Finance Committee (AFC) for key decision making.
The report goes on to explain that the Country Teams use the Integrated Risk Management (IRM) module, an online platform within the Grant Operating System, to manage, prioritize and monitor grant-specific risks, as well as corresponding controls and mitigating actions, throughout the grant lifecycle. The IRM groups risks into four categories: (i) programmatic and monitoring & evaluation (M&E); (ii) financial and fiduciary; (iii) health product management and supply chain; and (iv) governance, oversight and management. This audit focused on the six financial and fiduciary risks: (1) flow of funds and arrangements; (2) internal controls; (3) financial fraud, corruption and theft; (4) accounting and financial reporting; (5) value for money; and (6) auditing arrangements.
These six risks are assessed and rated at the grant level. Grant risk ratings are then aggregated using the risk rating methodology to generate an organization risk rating, which is tracked in the Organizational Risk Register. Risk ratings captured in the IRM also feed into decision making documents, such as Country Risks Management Memoranda and Country Portfolio Reviews. Grant risks in High Impact and Core portfolios are updated on a regular basis when either: mitigating actions or assurance activities are completed or revised; a new risk or root cause is identified; risk levels or implementation arrangements change; or Country Teams recognize an important change in the grant risk profile.
Adaptations to internal financial controls during the COVID-19 pandemic
The OIG notes that, in response to COVID-19, the Secretariat adopted a range of contingency measures and policy exceptions, including financial controls to ensure continuity and mitigate disruptions to operations. These include:
- Grant flexibilities, e.g., waiving escalation approval for exceptions in the AFD; extending the AFD disbursement period by three months; allowing an additional 30 days for Progress Update and Disbursement Request (PU/DR) submission/validations; allowing more time for external audit report submissions; waiving Local Fund Agent (LFA) mid-year performance assessments;
- Risk contingency planning, e.g., prioritizing assurance activities, allowing assurance providers to conduct remote reviews rather than performing reviews at implementer offices; and
- Institutional business continuity, e.g., designation of essential staff, delegation of authority on key workflows facing bottlenecks due to staff unavailability.
The Secretariat developed and rolled out a country monitoring survey to ensure timely assessment of in-country disruption levels resulting from the pandemic. The Finance Department conducted a survey to obtain information from Finance Specialists and Fiscal Agents to understand COVID-19 disruption to the financial objectives.
The report lists three main findings:
- While processes and systems are available to support AFDs, disbursement, and forecasting, some improvements are needed to resolve limitations in the Grant Operating System, disbursement delays and missing information, which are hindering funding decisions and programme implementation.
- Various processes and tools exist for financial risk monitoring, including some introduced as a result of COVID-19, but gaps were noted in the implementation of these controls, impacting the monitoring and mitigation of financial-related risks.
- While financial controls are available to prevent and detect fraud risk in payments, additional guidelines are needed to ensure their consistent implementation. Policies and procedures are yet to be updated with new mitigating controls put in place following an e-mail fraud.
Improvement needed in the Annual Funding Decision and disbursement processes
The report explains that “there are no automated controls to monitor whether exceptions, including deviations of +/-10% of agreed forecasted amounts, are identified and escalated by Country Teams to Regional Finance Managers. As a result, 75% of AFDs/disbursements to the eight countries sampled contained exceptions which were not appropriately escalated for approval. Explanations for not escalating for approval are not documented in funding decision forms. Insufficient documentation in the AFDs and the lack of exception alerts are responsible for issues not being escalated. This results in funding decisions not being sufficiently documented and justified, with the risk that decisions are made without the necessary information”. It goes on to say that “There are no controls to track and explain deviations/differences between AFD and actual disbursements, or cancellations of planned disbursements. Of the countries sampled, 45% of AFDs for non-PPM activities had variances without appropriate justifications. For example, in 2019 the average difference between the actual disbursement and the AFD amount for a high-impact country was 54% ($12.8 million). Requirements regarding the escalation of exceptions in the AFD policy are unclear, and there is no regular AFD compliance review”.
AFDs are being cleared by the Risk Department without justification
The OIG noted that 38% of AFDs sampled were approved by the Risk Department without documented justification, despite delayed or unmet key mitigation actions not reported or flagged in the AFD by Country Teams.
Implementation challenges are impacting timely disbursements
The report notes that funds disbursed were not being fully utilized by PRs, impacting or delaying further disbursements. All 43 sampled disbursements reviewed were made within or near the end of the grant execution period; 21% were disbursed in the final month of the execution period or later. Examples provided in a table in the report show disbursement delays varying between 72 and 130 days after the execution period start date. Several factors contribute to delays in disbursements: the disbursement control framework, and delays in receiving funding requests from PRs, in PRs providing further clarifications on their disbursement requests, and in implementation of activities by PRs.
However, the report also noted that “Mechanisms are being introduced to ensure the rapid release of quarterly disbursements, such as pulse check reporting with summary snapshots of forecasts and cash balances. This will enable quarterly releases without the need for detailed forecasts or extended due diligence and is intended to encourage Country Teams to rely more on AFDs approved with quarterly releases, based on a summary snapshot from PRs”.
According to the OIG: “Secretariat forecasts of implementers’ needs differ significantly from what they actually disburse. While corporate-level forecast accuracy as of December 2019 was -8%, within the established key performance indicator (KPI), it varied significantly at grant and PPM level. Two high-impact regions which contribute more than 50% of the PPM portfolio had forecast variability of over 24% (against the corporate KPI of +/-10%). The lack of a standardized approach means forecasts are performed inconsistently between PPM activities (within the Global Fund control) and non-PPM activities (at the country level). Forecast accuracy varies, due to the nature of the Global Fund’s business and implementers’ capacity to provide accurate information, necessitating in-depth understanding from portfolio finance specialists”.
Misalignment between data used by the PPM, Wambo and disbursement processes
Explaining this misalignment, the report states that “there was a variance of $127 million between the second annual disbursement forecast in 2020 and the ring-fenced PPM-committed funds in the Global Fund System (GFS). Differences were also noted between PPM forecasts and actual orders placed; one grant had a difference of $12 million four months before grant-end. Although the variance is considered in corporate-level portfolio optimization as part of financial performance, proactive identification of the variance between Supply Operations and Finance departments could trigger timely in-country optimization and reprogramming during grant implementation, to avoid a high variance at the end of the grant cycle. Contributing factors include the lack of an automatic link between health product lists and the PPM/Wambo earmarked amount, and the use of different, unsynchronized systems to monitor forecasts and committed funds. Country Teams and Sourcing staff do not coordinate sufficiently to obtain up-to-date order information on PPM/Wambo health products, meaning unutilized funds are not identified in a timely manner for reprogramming”. However, in mitigation, the report continues: “As of April 2020, the Secretariat has been performing a triangulation of cross-system information between actual orders received through the Wambo/PPM platform and forecasting data from the Hyperion and GFS systems. In addition, the Secretariat is working on a project to improve health product demand and financial visibility. This is expected to improve forecast accuracy for health product investments”.
The report continues: “For PPM procurements, there are delays in reconciling final invoices. Purchase orders (POs) can only be closed after products have been received by PRs and all Procurement Service Agent payments have been made. Delays averaged 221 days (against a target of 60 days) in reconciling POs with their respective final invoices from 2018 – 2020. As a result, 7% of remaining committed funds could not be reprogrammed for other activities. The possible unutilized funds from closing POs for reprogrammable grants ending in December 2020 represent $130 million”.
Management of risks and mitigation actions needs to improve
The audit found that “key mitigation actions are not implemented or followed up effectively due to: missing root causes and lack of prioritization when key mitigation actions are set up; mitigation actions being too generic; system limitations in terms of alerts and escalations; or lack of regular monitoring. In consequence, key issues remain open at portfolio levels”. The report provides some examples and explains the root causes of the problem but goes on to note that the Secretariat is currently undertaking several initiatives, including a project to enforce the accountabilities of Second Line functions over risk management and enhance its integrated risk management tool.
Delays in grant reporting and in communicating performance/management letters
This is an area where there is clearly a need for improvement. The report states that “There are long delays in the submission and validation of reports, such as PU/DRs and external audits by PRs and the Secretariat respectively. In December 2018 and December 2019, only 9% and 4% of PUDRs were validated on time, respectively. Delays were due to various factors, including the capacity of PRs to produce good-quality reports, Grant Operating System issues and challenges (e.g., incorrect data uploaded in the system and system bugs) and delays in circulating the PU/DR template to PRs. Similarly, there are delays in communicating performance/management letters to PRs. In our sample, 34% of letters were sent to PRs more than six months after the reporting end date, while 25% of PU/DRs were not communicated to PRs through performance letters. On average, it took 91 days for Country Teams to provide feedback on external audit reports to PRs. This is largely due to the lack of a policy on the expected timeframes for communicating performance/management letters to implementers”.
The importance of these delays is explained: “These gaps in managing and mitigating risk could impact the timely feedback and resolution of issues… (and) could also result in assets not being properly traced, as highlighted in OIG audits in DRC, Liberia and Sudan”.
Additional guidelines are needed to ensure consistent implementation of financial controls
In April 2020, the Global Fund experienced a loss of $110,000 due to a ‘phishing’ incident, a form of e-mail fraud. The Secretariat quickly put in place a number of measures to prevent and detect fraud risk in the payments process. Organisational policies and procedures remain, however, to be updated to take account of the interim controls/measures (and related workflows) put in place following the phishing incident.
Importantly, the audit report notes that “The Secretariat identified that not including fraud risk among key management risks was a key contributor to the phishing loss. The OIG’s review of the incident noted a lack of fraud risk awareness and sensitization at all levels, and at all stages in the invoicing and payment process. The Secretariat has subsequently included fraud risk monitoring in payment procedures and conducted fraud and cyber security risk training for the finance department and business focal persons, as well as general phishing awareness training for Global Fund staff. The Secretariat has contracted a consultancy firm to support the updating of financial procedures on cash management and financial data incorporating the new interim measures”.
Agreed Management Actions
Four Global Fund management actions have been agreed with the Secretariat:
- The Secretariat will implement a business process improvement based on gaps identified to ensure increased automated controls on the exception management process and the integration and availability of consistent data for corporate forecasting, procurement, Annual Funding Decision and GOS disbursement.
- The Secretariat will strengthen the processes to improve management of health product demand and budget/forecast to optimize the use of funds throughout the grant cycle by:
  - Defining the processes, including the roles and responsibilities of Grant Management, Finance and Supply Operations departments, in the management of health product budget and forecast to identify unutilised funds for reprogramming; and
  - Strengthening oversight over PPM process by establishing KPIs on PPM forecast accuracy and purchase order/invoice reconciliation.
- The Secretariat will strengthen implementation and second line oversight as well as the Integrated Risk Management (IRM) tool by:
  - Issuing guidance to Country Teams and Second Line functions to ensure clearer accountability, and better consistency in prioritization, monitoring and oversight of risk mitigation actions; and
  - Performing IRM diagnosis and using the conclusions to improve application controls for reporting, tracking and monitoring portfolio risk information by Country Teams, Assurance Providers and the Risk Department.
- The Secretariat will establish exception management and reporting requirements for the newly established controls/procedures introduced during the COVID-19 pandemic to demonstrate proactive monitoring and oversight of the new measures.
The OIG audit report is not an easy read for a non-accountant and/or someone unfamiliar with Global Fund systems and processes; but it is welcome for four reasons. First, from an external perspective – and of particular interest to financial contributors to the Global Fund – it demonstrates that there are regular reviews of the organisation’s internal financial controls. While highlighting where improvements can be made, this audit report makes it clear that the Global Fund Secretariat has made progress in applying and strengthening those controls and further improvements are already under way.
Second, the report explains how, during COVID-19, the Secretariat adopted contingency measures and policy exceptions, including financial controls, to ensure continuity and mitigate disruptions to operations. A frequent criticism of the Global Fund is its inflexibility; but the COVID-19 experience shows that the Secretariat can be – and is – flexible when it is really necessary.
Third, PRs will welcome the report’s findings – and agreed corrective action – concerning the Secretariat’s delays in grant reporting and in communicating performance/management letters to PRs.
Lastly, everyone will welcome the identification of unutilised funds for reprogramming which is anticipated by the second agreed management action. However, what is not clear to those of us outside the Secretariat is the process and timeframe for reallocating unutilised funds and reporting thereon.