‘Auditing accidents waiting to happen’
Interview with Arno Visser, President of the Netherlands Court of Audit
The COVID-19 emergency has been a test for many organisations on how to function, and supreme audit institutions (SAIs) have been no exception. But for several of them the issue goes well beyond just business continuity, since the pandemic has also been a litmus test on how to provide the most added value to decision-makers in times of crisis. In challenging circumstances, how can an SAI be seen — and used — as a partner for improvement? We interviewed Arno Visser, President of the Algemene Rekenkamer — the Netherlands Court of Audit — to find out about his SAI’s strategic focus on auditing ongoing processes rather than past events, how this helps with the need to shift quickly when emergencies occur, and how accountability principles can be upheld even in crisis situations.
By Derek Meijers and Gaston Moonen
Focus on agility
This interview with Arno Visser took place shortly before he completed sixth year as President of the Netherlands Court of Audit (NCA). Following a career in the private sector, local politics and the Dutch parliament, Arno Visser became a Member of the NCA, of which he was appointed President in 2015. Since then there have been a number of disasters and emergencies in the Netherlands and around the world — not only the COVID‑19 pandemic, but also storms, floods and humanitarian disasters.
When asked about the implications of crisis situations for public audit and their impact on transparency and accountability, Arno Visser immediately recalls the MH-17 disaster, the national tragedy in which a Dutch passenger airliner was shot down by Russian-backed rebels above eastern Ukraine in July 2014. Or hurricanes Irma and Maria, which caused major floods and large-scale destruction in the Dutch Caribbean. ‘Thanks to changes in the way the NCA operates, from a more traditional supreme audit institution to one that can respond in a more agile way to current events and that can provide parliament with more relevant reports, we have been able to cover those catastrophes with significant work’, says Arno Visser. ‘And this has made our reports more timely, usable, valuable for our stakeholders.’
According to the NCA President, an example of that changed approach and culture is that the Dutch SAI programmes its audits every month, rather than on a yearly basis, which is the more common practice among SAIs. ‘We work with a rolling planning schedule, which allows us to discuss and, if necessary, adjust our audit programme every month. This approach has taught us a sort of mental flexibility that enables us to be more responsive and put certain topics on ice when current affairs compel us to change direction. And as an agile SAI, we have positioned ourselves to focus on ongoing processes instead of auditing things that happened in the past, and in this way we can make a contribution to accountability and good governance when our auditees are still in a position to adjust their course.’
Auditing preparedness and prevention
The method increasingly used by NCA auditors is known as preparedness review. As an example of a topic that is very suitable for this approach, Arno Visser mentions the UN Sustainable Development Goals (SDGs). ‘Just like so many countries worldwide, the Netherlands will work towards achieving the objectives of the SDGs for the coming 30 years. It would not make much sense to wait until after that period to start auditing the measures taken in that context. Therefore we are auditing the related programmes now, to see if the Netherlands is well placed to address the SDGs.’
He explains that the NCA has taken the same approach to Brexit, its auditors having analysed the Netherlands’ preparedness for the UK’s exit from the EU three years before it actually happened, and the critical topic of cybersecurity. ‘The latter topic is a good example of auditing preparedness. Some audit institutions might find that exceptional but we think it is normal, as part of risk management assessment and disaster prevention. We have carried out audits on cybersecurity in sectors that are critical for society. Based on long experience of auditing information security compliance in central government, we saw added value in auditing the performance of policies and measures in practice.’ He refers to the first two sectors audited, water management and automated border controls. ‘The first being vital for a nation largely below sea-level, and the second due to the position of Amsterdam Schiphol Airport as an international hub and gateway to the country.’
The NCA President points out that this approach often prompts interesting discussions on the timing and role of SAIs with his colleagues throughout the EU. ‘We are one of the few SAIs that aim to make a contribution when events are still taking place and policies can still be adjusted, and I think this mind-set is also particularly important when it comes to auditing disaster relief measures, because, as auditors, we need to add value today!’
According to Arno Visser, an interesting consequence is that this method enables the NCA’s auditees to solve problems as they occur. ‘Perhaps this is not what has been traditionally called real-time audit, but we try to communicate audit findings when they can still have an impact. This can mean that, instead of publishing a report after concluding our work, we need to share confidential information with our auditee and point out major risks before they materialise. Literally to reduce risks … on time!’ He emphasises that this has revamped his SAI’s role of being a trusted third party, helping to increase its impact, as auditees understand they can benefit from the auditors’ information to plug gaps in the system before they cause bigger problems.
COVID-19 and lessons learned from the past
In Dutch, there is a saying ‘Nood breekt wet’ (necessity knows no law). A phrase which the executive sometimes utter to explain questionable decisions and justify the need to cut corners on rules and accountability requirements in times of crisis. And it is a phrase used by governments around the globe when criticised about their response to the COVID-19 pandemic, which simultaneously affected the audit work of SAIs worldwide.
‘For the NCA, the pandemic has had as much of a systemic impact as on any other institution,’ says Arno Visser. He recalls discussing with NCA management and staff what the sudden measures and the nationwide lockdown meant for the democratic system, and how the SAI should react. ‘One of our principles was that we should not get in the way of the crisis manager addressing the crisis, but focus more on how our knowledge and experience can help to solve crises. Our first questions were which past audits could be relevant under these circumstances , which topics we should look into right away and which should wait until after the pandemic has been brought under control.’ He explains that the NCA then started to answer each question in order to define how it should reflect the global health crisis in its audit programme. ‘One of the first consequences for us as public auditors was that we had to redraft parts of our annual report, which we published in May 2020. This was necessary as, given the major disruption and system-altering impact of COVID-19, issues from 2019 were no longer relevant enough to be included.’
Another NCA contribution to the Dutch government’s response to the pandemic was its collection of lessons learned from past crises. ‘We immediately compiled information from our audit reports, but also parliamentary inquiries from the past 50 years, to see how the government should act when the economy comes to a sudden and grinding halt.’ He adds that this information was already available, but that one cannot expect a minister, parliamentarian or civil servant to be aware of all the mistakes made by government in previous crises. ‘After that first publication on lessons learned, we immediately announced those would be the starting point for our follow-up audit of COVID-19-related state aid for large companies, which we published half a year later.’ He emphasises that proactively linking existing knowledge with future scrutiny has proved to be a very effective way of compelling government to navigate known pitfalls and improve its performance. ‘Nevertheless,’ he adds, ‘we have been less positive about our government’s crisis management in subsequent reports — unfortunately.’
Strategic crisis management
In previous interviews for the Dutch public Arno Visser has said that, in times of crisis, core weaknesses already present in society may surface, and that crises may be viewed as a test of strategies, systems and structures. And that sometimes the resilience and preparedness of public organisations to deal with crisis situations is not as good as many people in the Netherlands — including politicians — like to think. ‘Public institutions need to take a strategic approach , but strategies can only provide us with guidelines, with general directions. But we should always ask ourselves, how does it help us under the current circumstances? What is the added value of our work to citizens and companies, or how can we be relevant to them?’ In his view, this is another reason why the NCA plans its audits on a rolling basis.
‘During these monthly strategic dialogues,’ continues Arno Visser, ‘our auditors pitch proposals for audit tasks, and other auditors can come with arguments in favour or against those topics. And this leads to fruitful exchanges that help us in the Board of the NCA to form a substantiated opinion about which audits we should do now, which can wait until later, and which we should not carry out at all.’ These are what Arno Visser calls ingredients for a responsive SAI — one that deploys its limited resources where it can make a significant contribution to transparency, good governance and public accountability. ‘It helped us to publish our report on COVID-19 related state aid for large companies substantially earlier, increasing the relevance of our findings.’
Auditing humanitarian aid
Specific examples of situations where it can be useful to adjust an audit strategy to check measures that are still being implemented are audits of humanitarian and disaster-related aid. In the work of the NCA, the audits that stand out include those that covered the response to the natural disasters suffered in the Caribbean by Sint Maarten (Saint Martin) and Haiti, assistance to tsunami-affected countries around the Indian Ocean, and the delivery of humanitarian aid in Africa. Arno Visser points out that the main difficulty of such audit work is that, depending on the situation, the tools, institutions, organisations and arrangements through which support and funds are used are very different. ‘In parallel, this means that, as public auditors, we do not always have the same or sufficient audit rights.’ As an example, he mentions the limitations of the NCA’s audit mandate in Haiti, where humanitarian aid was mainly delivered indirectly through foreign relief organisations and NGOs. In contrast, in Sint Maarten, a part of the Kingdom of the Netherlands, aid was brought in directly by the Dutch Navy.
In its 2018 report on the reconstruction of Sint Maarten following hurricane Irma, the NCA is rather critical of the progress of reconstruction, and concludes that the island’s population have seen few outcomes from the World Bank’s management of the recovery trust fund. In this case, the NCA also identified the typical dilemma between, on the one hand, robustness in financial accountability systems and, on the other, the requirement for speed to address the urgent needs of those hit by the disaster. In this context, Arno Visser points out that, when auditing disaster relief measures abroad, SAIs need to take account of the views of local government (where structures still exist) and the local population, as these are crucial factors in the way things play out on the ground.
‘From a performance point of view,’ continues Arno Visser, ‘this meant that, regarding our audit on aid provided in Haiti, even though we could not carry out formal audits, we did manage to develop a dedicated methodology that enabled us to continuously make recommendations to those local partners. Here, one of the recurring recommendations we made in our ongoing dialogue with our — informal — auditees, was that they should gather uniform data to better understand their own performance, as well as that of others. Thanks to those discussions, we have helped to identify good practices in delivering humanitarian aid through third parties — for example that a part of the aid should always go directly to the organisations themselves, rather than to local governments, as that often leads to corruption and fraud.’ He adds that, by doing so for five consecutive years, the NCA has helped to improve the transparency and accountability of aid organisations, including, notably, new organisations acting in later crises.
Stretching the rules in times of crisis
In his 2021 presentation to the Dutch parliament on the traditional ‘Accountability Day’ in May 2021, when COVID-19 expenditure was the topic on everyone’s lips, Arno Visser insisted that purpose and financing need to be closely linked. He went on to observe that some rather elementary requirements were not being met, ranging from checks that goods have actually been delivered, to full government reporting to parliament. On whether the replies of the NCA’s auditees and the actions they have taken to address audit criticisms have been adequate and promising for the future, Arno Visser explains that the objective of Accountability Day is to highlight issues the executive should address and which are important for parliament.
When discussing the role played by audit guidelines, such as the one of the International Organisation of Supreme Audit Institutions (INTOSAI) GUID 5330 on auditing disaster management and earlier INTOSAI guidelines on disaster aid and preparedness, Arno Visser is very clear. ‘We used them to further develop how meaningful we want to be as a SAI, also when it comes to auditing disaster topics. But we did not use them as a detailed handbook for checking which specific guidelines we will use during an audit.’
‘To get that message across,’ he explains, ‘we learned that it is most effective to communicate the principles and concepts that are the foundation of the findings and recommendations we put forward in our audits.’ He adds that, this year, one main issue was the age-old principle of legality, according to which the government cannot spend any money until parliament has given its consent, even in times of crisis. ‘This is a fundamental pillar of our democratic system that should be respected under all circumstances. Yet, lamentably, over the last two years, the Dutch government has repeatedly violated this principle under the pretext of a crisis. And this is not a technicality, but a problem of principle.’ According to Arno Visser, this is not far short of a disaster in itself, because, although the emergency laws forced through parliament may have enabled the government to respond to the pandemic quickly, they have sidelined parliament, hampered democratic oversight, and significantly reduced public accountability and transparency.
In February 2021, the NCA initiated an ‘objection procedure’ (Bezwaarprocedure) regarding the financial management of the Dutch Ministry of Health, Welfare and Sport (see Box 1). This in view of the fact that, despite unresolved problems over many years, the ministry received substantial amounts of money to address the COVID-19 crisis. ‘What we saw was that the organisation, which already showed weak financial management, became responsible for crisis-related money without the organisational weaknesses being addressed. Therefore our recourse to an important instrument we have, yet rarely use, which is to issue a formal objection. A serious red flag, calling for attention from both the parliament and the executive.’
The EU’s reaction to emergencies leads to audit gaps
In the summer of 2021, large areas of Europe suffered extreme weather events that caused severe floods, in particular in Germany, Belgium and the Netherlands. The catastrophe took the lives of over 170 Europeans, caused widespread destruction and deprived thousands of people of their homes, possessions and livelihoods. Unfortunately, the Netherlands has ample experience of floods, but this means the country also has government programmes to aid the regions where these disasters took place and prevent them in the future. When discussing the main lessons from these sad events from an audit point of view, especially considering the transnational impact such disasters can have and the question of the EU’s role in addressing them, Arno Visser points out the EU does not have the best track record on disaster planning, prevention and management.
According to Arno Visser, ‘At the moment, there are still too many examples of mismanagement for me to rely on the EU. That is to say, from a democratic point of view.’ Elaborating on this, he gives as examples audit gaps and implementation issues at the European Central Bank, the European Peace Facility, the billions of euros that are spent outside the European budget, and the European Stability Mechanism. ‘Currently, we see that the EU often creates new audit gaps when it launches new programmes and policies, despite the audit lessons and recommendations that are available, in particular also in the context of crisis response, humanitarian aid and disaster relief. So when I think about closing audit gaps and the effective monitoring of implementation, the EU is not the first that springs to mind. And in the case of cross-border problems, or even disasters, they can only be dealt with effectively, in a cooperative manner and, jointly, by the governments of all affected countries, whether they are EU Member States or not.’
For the NCA President, increasing the EU’s competence will not automatically lead to better solutions on the ground. ‘For example, in the Netherlands we saw several differences between GGD (municipal health) regions. EU measures would not have resolved such differences.’
Cooperation is key
On the matter of auditing disaster relief, the response to crises such as the COVID-19 pandemic, and closing cross-border audit gaps in areas such as cybersecurity, Arno Visser strongly supports joint audits that cover EU-wide topics and are carried out by several cooperating SAIs. ‘Unfortunately, there are far too few good examples of successful joint audits within the EU context. The only good examples I know covered waste management and air pollution, but even those good examples took too long to complete, and we acted too slowly to add real value for our auditees.’
In this area he sees a lot of potential for EU SAIs to improve. ‘Instead of making our own methodology and conducting audits from our own narrow national perspective, we should aim to achieve collective results that can benefit our entire Union. I am very critical about this topic — and sadly I am also very sceptical as to whether we as EU SAIs will be able to overcome this problem in the short term. Nevertheless, I also believe this to be one of the key challenges and a top priority where the Contact Committee of EU SAIs, including the ECA, should show real leadership.’
For Arno Visser, this means making better use of the toolbox that SAIs have at their disposal for their audit work. ‘This includes raising awareness of risks before they materialise, so proper risk identification. Where can things go wrong, what are the weak elements in a system that can lead to a disaster? What are the weaknesses in the chain? In other words, auditing accidents waiting to happen! Be it related to cybersecurity, water management, health, or potential natural disasters.’ In his view, this is audit work that SAIs can increasingly undertake, both on their own and in cooperation. ‘Then, in a constructive way, we as auditors will be contributing to preventing disasters in the future, whether they are of a traditional character or related to the specifics of our modern age.’
This article was first published on the 3/2021 issue of the ECA Journal. The contents of the interviews and the articles are the sole responsibility of the interviewees and authors and do not necessarily reflect the opinion of the European Court of Auditors.