Frequently asked questions

What are the main functions of IOS?

The Office provides audit and investigation services to WHO, to some WHO-hosted entities (for example, the Joint United Nations Programme on HIV/AIDS (UNAIDS), the United Nations International Computing Centre, and UNITAID) and to the International Agency for Research on Cancer. In the WHO Region of the Americas, the Office relies on the work performed by the Office of Internal Audit of the Pan-American Health Organization for the coverage of risk management, control and governance.

The Office is authorized full, prompt access to all records, property, personnel, operations and functions within the Organization which, in its opinion, are relevant to the subject matter under review.

The Office, which reports directly to the Director-General, conducts its work in accordance with the International Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors and adopted for use throughout the United Nations system, and with the uniform Principles and Guidelines for Investigations endorsed by the 10th Conference of International Investigators. The audit plan of the Office is based on the Office’s independent risk assessment and in consideration of the WHO Principal Risks.

The Office maintains regular contact with the Organization’s External Auditor to coordinate audit work and avoid overlaps in coverage. The Office also maintains regular contact with other departments of the Organization and continues to work with WHO’s accountability functions in order to further contribute to the strengthening of WHO’s corporate values.

What is the difference between an internal audit and an investigation?

An internal audit is an independent, objective assurance and advisory activity designed to add value and improve WHO’s operations. It helps the Organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management and control processes.

Investigations are risk-based, value-added, timely and result-oriented functions that support WHO in managing the risk of fraud and other wrongdoing. They contribute to the prevention, detection, and deterrence of wrongdoing, including fraud, waste, sexual misconduct and all forms of abuse.

Internal audits are planned, based on the results of a risk assessment exercise performed by IOS. Investigations, on the other hand are unplanned as they are the result of complaints raised by members of the workforce, beneficiaries, implementing partners, etc.

What are advisory services?

Advisory services are reviews of draft policies, guidance, systems and work processes within WHO. However, IOS does not participate in the decision-making process. IOS may provide advisory services to WHO management to the extent that IOS' independence and objectivity are not compromised.

How is IOS’s work governed?

Audits

• IOS conducts its internal audits based on a flexible audit plan, developed using a risk-based methodology, including risks or control concerns identified by management. The purpose of the risk-based work plan is to ensure that the Office assignments are directed at areas where achievement of the WHO objectives is at higher risk. The audit plan is reviewed by the Independent Expert Oversight Advisory Committee and is reviewed and approved by the Director-General.
• The work performed in the audits is carried out in accordance with the International Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors and adopted for use throughout the United Nations system.
• The results of the audit work are reported periodically to WHO’s Management, the Independent Expert Oversight Advisory Committed, the Programme Budget and Administration Committee, and the World Health Assembly.
   

Can IOS enforce laws, or does it have judicial jurisdiction?

No. IOS investigations are administrative in nature and relate only to the work of WHO. WHO may refer, where appropriate, matters to the local authorities.

Is IOS independent? How does it operate independently?

Yes, the Office of Internal Oversight Services is independent. WHO ensures the independence of IOS in a variety of ways:

• the IOS Director is appointed by the Director-General after consultation with the Executive Board. They serve a single term with a maximum of seven years. The IOS Director reports and is accountable to the Director-General;
• the Office is free from interference in determining the scope of its audits and investigations, performing related work and reporting related results;
• IOS is provided with the necessary resources to fulfil its responsibilities under its Charter and maintain its independence;
• IOS’s Director and staff abide by the WHO Code of Ethics and will avoid situations of conflict of interest which may impair their judgement related to their assigned responsibilities;
• annually, IOS staff members must file a statement of objectivity and independence; and
• IOS staff has no managerial authority over or responsibility for any activities they audit or investigate. They shall not perform any other operational functions for WHO.

Is information about IOS investigations and/or audits publicly available?

No. The disclosure of reports to external parties outside of WHO is regulated by the Organization's information disclosure policy. IOS’s audit and investigation reports are not publicly disclosed but are made available to member states upon request. The Office uses a secure web-based platform to provide remote access to internal audit reports, upon requests from Member States and other parties, as authorized by the Director-General. The Office includes a list of recent audit reports on the Organization’s website, so that Member States may obtain updated information on audit reports issued during the year. The annual Report of the Internal Auditor to the World Health Assembly includes a summary of each audit conducting during the year and summary information on the audit results.

IOS has three dashboards with information on investigations and audits that have taken place at WHO. The dashboards are updated on a monthly basis and can be found at the following links:

• Sexual misconduct and abusive conduct
• Financial misconduct
• Status of implementation of Audit Recommendations

Does IOS cooperate with other UN organizations and partners to conduct audits and investigations?

Yes, where appropriate.

According to its Charter, IOS shall be allowed access by vendors, implementing partners and/or other contracted third parties to the records, property, personnel, documents and information pertaining to their contractual relationship with WHO, which IOS considers to be pertinent to its work, subject to appropriate terms and conditions being included in their contractual agreements with WHO.

If a UN agency acts with WHO as an implementing partner for a programme, then WHO may also require their cooperation with an audit or investigation.

What are my rights and obligations as a witness/victim* in an investigation?

Rights

• To be heard.
• To be accorded due respect during participation in the investigation process.
• Be advised on how to access psychosocial, medical and other forms of support, subject to the services provided/allowed by WHO.
• Be advised on how to claim reimbursement for medical treatments/intervention for incidents related to IOS investigation, subject to approval by Staff Health Insurance and other related functions.
• Be advised on the possibility of being accompanied to your interview with IOS by a neutral (moral) support person.
• To be informed of the status of IOS investigation process and timelines for the investigation.
• To be informed of the status of the investigation, provided such update would not breach the rights or confidentiality requirements for investigation.

Obligations:

• Cooperate with the investigation by participating in the investigation process (applies only to witnesses).
• Provide requested information that could assist IOS in its investigation of the allegations.
• Respond truthfully to questions asked concerning the allegations.
• Keep confidential the information known or that becomes known during the course of your participation in IOS investigation process.

What are my rights and obligations as the subject of an investigation?

Rights

• To be presumed innocent in the course of the investigation.
• To be heard and allowed to provide your version of the alleged incidents.
• Be treated respectfully and with open mind.
• Be advised on how to access psychosocial, medical and other forms of support, subject to the services provided/allowed by WHO.
• Be advised on how to claim reimbursement for medical treatments/intervention for incidents related to IOS investigation, subject to approval by Staff Health Insurance and other related functions.
• Be advised on the possibility of being accompanied to your interview with IOS by a neutral (moral) support person.
• To be informed of the status of IOS investigation process and timelines for the investigation.
• To be informed of the status of the investigation, provided such update would not breach the rights or confidentiality requirements for investigation.

Obligationen

• Cooperate with the investigation by participating in the investigation process.
• Provide requested information that could assist IOS in its investigation of the allegations.
• Respond truthfully to questions asked concerning allegations.
• Keep confidential the information known or that became known during the course of your participation in the IOS investigation process.

Why does IOS conduct investigations?

Because it is a required part of the IOS mandate and it is a tool used to root out wrongdoing, deter misconduct and to provide assurances to Member States.

The investigative function supports the Organization in managing the risks of fraud and other wrongdoing by providing risk-based, value-added, timely and results-oriented investigations and by contributing to the prevention, detection and deterrence of wrongdoing.

What does IOS investigate and what does it not investigate?

IOS investigates allegations of misconduct, such as fraud, corruption, collusion, theft, sexual exploitation and abuse, workplace harassment, sexual harassment, retaliation, and other acts or omissions, which are contrary to the general obligations of WHO staff and other personnel. It may also investigate indications of fraud, corruption, and other wrongdoing by contractors, implementing partner and other third parties which are committed to the detriment of WHO and contrary to the terms and conditions of their contractual agreements with WHO. IOS does not investigate allegations that do not constitute misconduct but instead indicate managerial or performance issues.

Where do investigations take place?

IOS has full and free access to all records, property, personnel, assets and official premises within the Organization and may conduct its investigations remotely and/or at any location under the supervision, control or authority of WHO.

What does WHO consider “wrongdoing” and “misconduct”?

Misconduct is the failure by a staff member to comply with his or her obligations under the WHO Staff Regulations and Staff Rules, Financial Regulations and Financial Rules or other relevant policies, or to observe the standards of conduct expected of an international civil servant. Such a failure may be deliberate (intentional or wilful act) or result from an extreme or aggravated failure to exercise the standard of care that a reasonable person would have exercised with respect to a reasonably foreseeable risk (gross negligence) or from a complete disregard of a risk which is likely to cause harm (recklessness).

Wrongdoing can refer to the misconduct committed by a WHO staff member as well as to the intentional illegal, dishonest or unethical conduct committed by contractors, implementing partner and other third parties to the detriment of WHO and contrary to the terms and conditions of their contractual agreements with WHO.

Who carries out the investigations?

Investigations are conducted by staff members of IOS, or persons authorized by IOS. An investigator may also be authorized directly by the Director-General.

How are investigations conducted?

IOS works to take proactive steps to investigate misconduct in a timely manner. Once a report is received, an allegation must first be assessed to determine whether it gives rise to a reasonable indication that wrongdoing has occurred.

During investigations, investigators may request cooperation from WHO staff members and other personnel, as well as that of contractors, implementing partners and other third parties.

At the conclusion of each investigation, the Office prepares a detailed report and makes recommendations to the Director General, or the Regional Directors, in accordance with its Charter. When appropriate a complainant will be informed in general terms of the close of a case or completion of an investigation.

How do I report wrongdoing or misconduct?

All allegations of wrongdoing must be reported to IOS through the established reporting mechanisms ([email protected]) or through the WHO Integrity Hotline. In the event that an allegation of misconduct involves the Director of IOS, or any other staff member assigned to IOS, the allegation shall be reported to the Director-General.

What happens after a report of wrongdoing is made?

IOS will normally send the complainant an acknowledgement in writing, unless the complaint has been submitted anonymously or the complainant has otherwise indicated that they do not want to receive a response. IOS conducts a preliminary review of every credible complaint to determine whether there are sufficient grounds to justify a full investigation. Where, in the opinion of IOS, the information obtained during the preliminary review does not give rise to a reasonable indication that misconduct occurred or would not otherwise merit the conduct of an investigation, IOS will close the case and inform the complainant accordingly.

If, in the opinion of IOS, the preliminary review determines that the matter should be investigated, IOS will conduct an investigation. The primary objective of the investigative process is to establish the facts material to each case. IOS reports the results of its work to the Director-General or concerned Regional Director, who makes the decision whether to initiate disciplinary action.

Can I report wrongdoing to IOS if I am not employed by WHO?

Everyone who has knowledge of wrongdoing involving WHO personnel or activities is encouraged to submit a report.

Does IOS accept anonymous reports of wrongdoing?

IOS accepts anonymous reports of wrongdoing but does encourage complainants to include a valid email address or other contact information to allow IOS to obtain additional information about the complaint. An anonymous complaint should include enough detailed information to allow IOS to obtain independent corroboration of the facts. If it is not possible to independently corroborate the information provided by anonymous sources, IOS will not be able to investigate the allegations and will close the case.

Will the person I reported to IOS for wrongdoing know I filed a complaint?

All reports are treated confidentially. However, during the course of an investigation, it will be necessary for IOS to share investigation-related information to individuals or entities with a “legitimate need to know” to allow necessary action to be taken. This may include information provided to subjects to allow them to fully respond to allegations and to provide countervailing evidence, and to witnesses or other persons to whom investigators speak or communicate in order to verify facts. When appropriate, (for example, to mitigate risk to the Organization) information may be shared with senior management during the course of the investigation to allow necessary action to be taken prior to the conclusion of the investigation, with appropriate restrictions on dissemination as required.

I have something to report but I am not sure if I should report it to IOS. What can be reported to IOS? What are other reporting mechanisms at WHO I may turn to instead?

All allegations of wrongdoing must be reported to IOS. If you are not sure about whether an allegation constitutes wrongdoing, it is better to report it and allow IOS to make that determination, as long as the allegation is being made in good faith. In the event that an allegation of misconduct involves the Director IOS, or any other staff member assigned to IOS, the allegation should be reported to the Director-General.

I am a victim of retaliation for having reported misconduct and co-operated with an investigation. Should I report this to IOS?

Absolutely. WHO has zero tolerance for retaliation and is committed to providing a workplace where everyone feels safe and confident to speak-up against wrongdoing without fear of negative consequences. Retaliation, as defined in the WHO Policy on Preventing and Addressing Retaliation, constitutes misconduct.

I am hesitant to report to IOS because I am afraid that I might face sanctions if the content of my report turns out to be wrong/unsupported by evidence. In what instances are reports considered in “bad faith” versus in “good faith”?

Any report of concern filed with the knowledge of its falsity is malicious and subject to investigation by IOS and is considered in bad faith. However, reports of concern filed in utmost good faith - suspicion or under the impression that it could be true - are not considered as malicious.

Do staff have a duty to report if they are aware of wrongdoing?

Yes. Failure to report wrongdoing may itself be considered misconduct.

Why should I report wrongdoing to IOS?

Reporting wrongdoing is part of the responsibility of WHO staff members to adhere to the highest standards of efficiency, competence and integrity.

Is there a time limit to reporting?

No, but allegations should be reported as soon as possible to enable them to be effectively investigated.

Does IOS help mediate situations?

No, IOS’s role is that of a neutral fact finder, not a mediator. The Office of the Ombudsperson and Mediation Services can provide mediation.

Can IOS recommend or take disciplinary action against WHO personnel?

IOS cannot take any disciplinary action against WHO personnel. The decision to take disciplinary action is made by the Director-General or the relevant Regional Director.

What is the meaning of “duty to cooperate”? What is the meaning of “duty to report”?

Duty to cooperate requires all WHO staff members to participate fully and in good faith with any investigation by answering questions, providing documentation and other evidence in their possession and treating matters relating to the investigation confidentially. Staff members must not interfere in the investigation by withholding, destroying or tampering with evidence or trying to influence or intimidate the complainant or any potential witness. Staff members may not condition their cooperation in investigations on the confidential treatment of their identify.

Duty to report is the obligation imposed on staff members to report any breach of the WHO Staff Regulations and Staff Rules, Financial Regulations and Rules and related policies to IOS.

How long can I expect an investigation to take? Will IOS notify me of steps taken along the way?

The timeframe for an investigation will vary depending on its complexity and the caseload of IOS. IOS aims to complete investigations of sexual misconduct within 120 days from the initiation of an investigation and all other investigations within 180 days. However, some investigations may take longer for reasons outside of IOS’s control.

How does IOS prevent (re-)traumatization during an investigation when victims are questioned?

This is a continuous process during interviews and interactions with IOS that entails deliberate respect for and enforcement of the rights, safety and needs of the victims. Specifically, the victims are given space to state their version of the alleged incident in their own time and pace. They also choose what and how much they want to share during the investigation.

Why does IOS conduct audits?

Because it is a required part of the IOS mandate and it is a tool used to provide assurances to Member States.

How are internal audits conducted?

Internal audits are based on a flexible audit plan, which is developed through a risk-based methodology.

The Annual Internal Audit Plan of the Office is reviewed by the Independent Expert Oversight Advisory Committee (IEOAC) and approved by WHO’s Director-General.

At the conclusion of each audit assignment, IOS prepares a detailed report and makes recommendations to management designed to help manage risk, maintain controls and implement effective governance within the Organization.

How does IOS select which areas, country offices or headquarters/regional offices departments are audited?

Internal audits are planned, based on the results of a risk assessment exercise performed by IOS. The purpose of the risk-based work plan is to ensure that the Office assignments are directed at areas where achievement of the WHO objectives is at higher risk.

What is the difference between internal audits and external audits at WHO?

Internal Audit is an independent, objective assurance and advisory activity designed to add value and improve the Organization’s operations. It helps the Organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management, and control processes.

Internal audits are conducted or supervised by WHO personnel.

External audit refers to audits carried out by a body that is external to, and independent of, the organization being audited and has direct reporting responsibility to the relevant Governing Body.

The External Auditors of WHO follow the International Standards of Auditing (ISA) and their reports are submitted to the WHA with an opinion and report on the organization’s accounts and financial statements, and a long form report on the Organization’s overall management and performance in accordance with the applicable financial regulations and rules and other administrative instructions.

How are stakeholders informed of audit findings? (The stakeholders in an audit are Member States/auditees and how they find out about the findings)

At the end of each assignment, an audit report is issued, including recommendations, to the relevant manager responsible for action and to senior WHO management. The Office uses a secure web-based platform to provide remote access to internal audit reports, upon requests from Member States and other parties, as authorized by the Director-General. The Office includes a list of recent audit reports on the Organization’s website, so that Member States may obtain updated information on audit reports issued during the year. The annual Report of the Internal Auditor to the World Health Assembly includes a summary of each audit conducting during the year and summary information on the audit results.

How do audits contribute to WHO’s accountability?

Internal Audit is an independent, objective assurance and advisory activity designed to add value and improve the Organization’s operations. It helps the Organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management, and control processes.

What are the different types of internal audits?

The Office conducts operational audits, integrated audits and performance/cross cutting audits.

How are internal audits conducted?

Internal audits are based on a flexible audit plan, which is developed through a risk-based methodology.

The Annual Internal Audit Plan of the Office is reviewed by the Independent Expert Oversight Advisory Committee (IEOAC) and reviewed and approved by WHO’s Director-General.

At the conclusion of each audit assignment, IOS prepares a detailed report and makes recommendations to management designed to help manage risk, maintain controls and implement effective governance within the Organization.

Who carries out these audits?

WHO internal audits are carried out by IOS internal audit staff or can be outsourced to companies or consultants, under the supervision of IOS.

To whom do the auditors report?

The internal auditors report to the Audit Head. The Audit Head reports to the Director of the Office of Internal Oversight Services.

How does IOS ensure its audit report recommendations are carried out? What happens if they are not?

Audit recommendations are tracked by the internal audit department. The Office maintains a web-based portal to facilitate the monitoring and follow-up of audit recommendations – by both management and audit staff members – which provides automated email notifications of upcoming milestones for action on the implementation progress. The Office reports on the status of outstanding recommendations using the target implementation date agreed for each recommendation. On a periodic basis, the Office follows up with management on the implementation status of internal audit recommendations and reports on open audit recommendations. Open audit recommendation information is also included in the annual Report of the Internal Auditor to the World Health Assembly.

Where can I find more information on the external audit function?

Visit the external audit web page.