By nature, the audit of infrastructure is a complex and multi-faceted activity, particularly in the case of megaprojects where early shortcomings cascade down with significant impacts in later stages. Complexity is exacerbated in emergencies, where authorities are under intense pressure to react quickly and control the damages and risks created by, for example, natural disasters, pandemics, or the effects of climate change.

Emergencies can lead to environments where controls are relaxed or bypassed in an attempt to timely react to the consequences of the disaster. This can lead to increased risks of waste, fraud, and corruption at times when government agility and public resources are precious. SAIs have a critical role in resisting the attempts to weaken accountability, but they should also strive to facilitate a timely reaction to crises. This is a delicate and hard to achieve balance.

The disaster management cycle, as conceived by the 5500 series of International Standards of Supreme Audit Institutions (ISSAI), illustrates the complexities of auditing infrastructure during emergency times (see Figure 5.1).

The cycle groups the different stages in two blocks: previous and after the disaster. On the one hand, the activities before the disaster concentrate on assessing and mitigating risks, as well as on preparedness and building resilience, all of them under a long-term approach. On the other hand, the post-disaster activities refer to the immediate responses, as well as those dealing with rehabilitation and reconstruction (medium to long-term). For example, the EUROSAI Audit of Response to COVID-19 Pandemic Project Group organised the responses to the pandemic in four stages: Preparation, response, exit strategy, and management of long-term effects.1 As a cycle, every step should provide feedback to the others and here is where SAIs can play a critical role in improving performance, enhancing transparency, ensuring accountability, promoting public trust, and fostering the efficient and effective use of public resources.

While the traditional role of SAIs lies on oversight and holding government to account for the use of public resources, the OECD has found that their activities have recently evolved to provide a broader perspective as to how programmes function, what works, and what does not. Indeed, previous OECD work with SAIs found that they are taking more cross-cutting views to identify systemic issues and trends in the short-term (insight) and forecast policy implications and anticipate risks in the medium and long-term (foresight) (OECD, 2016[2]).

Insight and foresight are valuable governance contributions, as governments need evidence to assess the impact of their investments and programmes and SAIs are well positioned to provide an objective and independent perspective on programme formulation, implementation, and evaluation. On the contrary, public managers may be influenced by biases and incentives that do not always favour good infrastructure governance, for example, in the selection of projects (see Box 5.1). In fact, INTOSAI’s Policy Finance and Administration Committee’s COVID-19 Initiative recommends SAIs should consider serving in an advisory role to their national governments in the mitigation of emergencies.2

Insight and foresight stemming from infrastructure audits are key for Mexico as its exposure to emergencies such as natural disasters is significant, with important costs in terms of lives and economic consequences (see Figure 5.2).

Infrastructure audits can produce strategic insight and foresight contributing to good governance and well-being in three ways:

• Assessing risks: Infrastructure audits can be useful to identify systemic risks affecting the resilience of critical infrastructure. For example, ASF could evaluate the risks stemming from materials in seismic regions, the quality and integrity controls applied to such works, and the scope to apply innovations such as Building Information Modelling (BIM)3 and those related to “smart infrastructure” (see Box 5.2). Indeed, in a Deloitte survey4 of 351 executives from around the world conducted in April-May 2020, 90% of respondents felt that management could benefit from audits to assess risks stemming from “black swan events”.5 For example, strong internal control and entrenching a culture of ethics and integrity can help infrastructure agencies remain resilient and control corruption risks.

• Upgrading preparedness and crisis management practices: After emergencies, ASF can contribute to preparedness and crisis management through audits of the resilience of infrastructure and government responses to control damages. For example, ASF could analyse the efficiency, integrity, and effectiveness of repairs of critical infrastructure immediately after emergencies. Likewise, ASF could evaluate the use of specific tools to build preparedness to respond to crises, for example, framework agreements to quickly mobilise contractors for repairs and the usefulness of the e-procurement platform CompraNet. Furthermore, ASF could assess the interdependencies of preparedness plans across sectors (e.g. the resilience of dams and water management infrastructure might affect hospitals and other health infrastructures, as just happened in September 2021 in the city of Tula, Hidalgo).6

• Documenting lessons learned from emergencies: While emergencies challenge the capacities of state institutions and societies in general, they also create opportunities to identify areas for improvement. The audit of infrastructure during emergency times can build on lessons learned regarding, for example, emergency building regulations, abuse of emergency procedures, the functioning of national or regional emergency plans, the effectiveness of whole-of-government co-ordination, compliance, and integrity failures. ASF audits could look specifically at issues such as adherence to procurement procedures and inadequate management and maintenance of infrastructure assets.

Mexico’s National Auditing System (Sistema Nacional de Fiscalización, SNF) brings together national and sub-national accountability actors, including the SAIs and internal control bodies of the federal states, providing a platform for co-ordination, information sharing, and strategic steering. ASF co-presides over the SNF, along with the Ministry of Public Administration (Secretaría de la Función Pública, SFP). The SNF has established working groups to carry out its different initiatives. In this context, ASF could organise a working group to take stock of lessons learned relative to infrastructure audit practices during emergencies.

In order to gather the most relevant experiences, the working group could include the SAIs and the internal control bodies of those federal states more exposed to natural disasters and those which have found themselves in the middle of emergencies most recently. The initial objectives of the working group may include the following:

• Assessing sub-national SAIs capacities to carry out infrastructure audits during emergencies, based on recent experiences.

• Identifying good practices and resources that could be shared to enhance capacities throughout the country.

• Taking stock of issues, lessons learned, and solutions to common challenges, contributing to insights and foresight produced by ASF.

• Analysing legal and operational limitations to carry out timely, effective, and efficient infrastructure audits during emergencies.

• Providing inputs to develop a national framework for the auditing of infrastructure during emergencies (see Section on “An emergency-tailored framework for infrastructure audits”).

In order to put together the working group, ASF could take advantage of the experience of the U.S. Government Accountability Office (GAO) in organising a COVID-19 lessons learned discussion group under the auspices of INTOSAI (see Box 5.3).

ASF follows the same process for conventional infrastructure audits as for audits during emergencies, except for the planning stage. As a first step, ASF audit units (UAA) formalise the audits and kick off the work through an initiation act (acta de inicio). Auditors then carry out the audit and obtain the evidence to support the results, recording it in audit fiches (cédulas de auditoría). UAAs conclude the audit procedures preparing a results fiche (cédula de resultados) and a preliminary report and verifying fulfilment of the objectives, scope, and audit procedures. If the results fiche and the preliminary report meet the requirements, UAAs will organise a meeting for the presentation of final results and preliminary observations. The minutes of the presentation (acta de presentación de resultados) are then drafted. If there is a need for adjustments, UAAs document the analysis in a modified results fiche (cédula de resultados modificada) and a modified preliminary report, which closes the execution stage.

The next step is preparing the audit report. UAAs prepare the final audit report and integrate the audit file and the documents for review. UAAs review the reports and turn them to the general directors and the Special Auditors for authorisation in the Audit Control and Follow up System (Sistema de Control y Seguimiento de Auditorías, SICSA). Once the electronic authorisation is granted, the reports enter the editorial process.

ASF could review this process to develop a new framework for infrastructure audits during emergencies, which defines the scope of its work responding to emergencies and responds to legislative concerns to establish appropriate plans and roles in advance. The framework should consider audit standards and guidelines to be used during emergencies, particularly about remote auditing and the transparency of emergency works procurement activities. It should also pay attention to the following criteria:

• “No harm” principle: ASF will need to define how much data it needs to request from infrastructure agencies addressing emergencies and through which means to ensure “no harm” (i.e. hindering or delaying emergency responses) during its audit work. That said, OECD does recommend subjecting specific emergency procedures, such as those related with works procurement, to audit and oversight.

• Leveraging ICTs: In its stocktaking report of integrity in country responses to the COVID-19 crisis, OECD recommended adapting audit and oversight strategies, as well as analyses of potential corrupt patterns in relation to the emergency (OECD, 2020[6]). Given that agility and even remote exchanges may be necessary during crises, ICTs become ideal tools to simplify and speed up the audit processes and the related collection of comprehensive and quality information and evidence. This is consistent with the Moscow Declaration, issued after the INTOSAI Congress in 2019, which calls for using IT instruments and open data resources for auditing practices, as well as building remote auditing capacities.7 In fact, leveraging ICTs will support the “no harm” principle. ASF has already taken steps to leverage ICTs through a Digital Mailbox (Buzón Digital) and TransferASF, which allow audited entities to electronically share large numbers of documents. Likewise, ASF is working with several platforms, such as the System for the Control, Administration and Audit of Federal Expenditure Resources (Sistema de Control, Administración y Fiscalización de los Recursos del Gasto Federalizado, SiCAF) to share information with ministries and entities of the public administration (OECD, 2022[7]).

• Comprehensiveness: Responses to crises may involve not only public resources, but also private ones managed by charities, funds, civil society organisations (CSOs), and even private institutions. Unfortunately, these funds are also subject to risks of fraud and corruption. In fact, for example, news outlets casted doubts on the management of funds for relief from the 2017 Mexico City earthquake. Such questions may undermine responses by weakening trust. While ASF mandate does not include auditing or controlling those funds, the regulatory framework of ASF could be reformed to allow it to support the accountability of the institutions managing them. Indeed, in many countries, the SAI does not automatically have the mandate to audit donor funds or private resources. A solution in some countries has been to provide the SAI with a temporary mandate to audit all development funds during crises; however, this kind of measure should be mindful of limited resources (INTOSAI, 2020[7]). ASF could opt for a “softer” approach in which it shares lessons learned and helps building capacities for CSOs and private institutions to be able to control and advance accountability for their funds invested in responses to emergencies.

• Co-ordination: In order to avoid duplication, widen the audit universe, and strengthen the message that abuse will not be tolerated, infrastructure audits under emergencies would benefit from co-ordination between the different control and audit bodies such as ASF, the SFP, the SAIs in the federal states (entidades de fiscalización superior estatales, EFSE), and the control bodies of the federal states (órganos de control estatales (OCEs). The National Anti-corruption System (Sistema Nacional Anticorrupción, SNAC) and the National Auditing System (Sistema Nacional de Fiscalización, SNF) could also play a role in enhancing co-ordination.

• Timeliness: Real-time audits are key to ensure the timeliness of SAI’s interventions during emergencies, hence the next recommendation.

Infrastructure audits in emergencies are called to be fully justified to observe the “no harm” principle and add value as the response to the crisis unfolds. The SAI capacity (i.e. legal and operational) to carry out real-time audits allows it to provide quick and timely feedback on how responses are working and the risks and challenges faced. For example, they can concentrate on works procurement for reconstruction and maintenance after a natural disaster, contract management, and payment controls to identify potential sources of malpractice. ASF, for example, could look at the unequal impact of access to critical infrastructures for different segments of the population.

By definition, infrastructure audits during emergencies will be activities out of the formally planned audit cycle and with shorter timeframes. ASF should pursue the capacity to carry out real-time audits (without the need for a claim or report) to ensure timeliness. Likewise, it should anticipate the resources needed to facilitate quick reporting and useful feedback to the infrastructure agencies responding to crises and, in that way, contribute to tackle issues that may hinder the impact of responses. Short and special audit reports stemming from infrastructure audits in emergencies, including simplified messages, have the potential to control risks, strengthen resilience, and improve the quality of the infrastructures and/or repairs undertaken after emergencies.

Real-time infrastructure audits in emergencies are also powerful means to maximise the deterrent effect of audits and send a clear message that abuse will not be tolerated. The audits would impact not only by letting government officials know that they are being observed, but also by reinforcing positive behaviours:

• Ensuring government officials are clear if and when emergency expenditure rules (including for works procurement) are applicable.

• Reminding officials about integrity rules in the use of public money, the need to be clear about authority to approve contracts and spending, and to keep verifiable evidence of contracts entered into, payments made, fund flows, and works delivered.

• Ensuring management teams physically check that key controls are actually being applied.

• Deterring against corruption by maintaining an expectation that use of public money during the emergency will be subject to transparency, scrutiny and oversight, and those in authority will be held accountable in due course. This means ensuring that auditors have the right, responsibility and access to records to audit emergency spending (INTOSAI, 2020[6]).

The first point above is particularly relevant. Emergency measures should include sunset clauses establishing specific periods during which extraordinary procedures are applicable, for example, non-competitive works procurement. Then, the SAI can jump in and warn officials that it will verify that such limits are respected and abuse is punished. For example, ASF’s Superior Auditor could issue a public statement after emergencies to remind infrastructure ministries and entities about the importance of integrity in the responses and providing reassurance that ASF will be vigilant, just like the Auditor General of New Zealand did in 2020 (see Box 5.4).

While the message should be clear about the importance of respecting the rules and procedures for emergency responses, it should also provide reassurance that ASF will strive to not hinder the response by adapting its infrastructure audit procedures, for example, by leveraging on the Digital Mailbox and TranferASF.

[4] Controller and Auditor-General of New Zealand (2020), Covid-19: Important governance matters to consider, https://oag.parliament.nz/media/2020/covid-19-governance.

[7] Deloitte (2020), Building Resilience: The importance of audit during times of disruption, https://www2.deloitte.com/bg/en/pages/audit/articles/the-importance-of-audit-during-times-of-disruption.html.

[3] Goldsmith, S. and A. Betsy Gardner (2021), Toward a smart future: Building back better with intelligent civil infrastructure - Smart sensors and self-monitoring civil works.

[9] INTOSAI (2020), Accountability in Times of Crisis, https://www.idi.no/elibrary/covid-19/986-accountability-in-a-time-of-crisis/file.

[1] INTOSAI (2019), Audit of disaster-related aid, http://intosaijournal.org/the-disaster-resilience-framework-a-tool-to-promote-foresight-and-accountability/ (accessed on 13 October 2021).

[8] OECD (2022), Strengthening Analytics in Mexico’s Supreme Audit Institution: Considerations and Priorities for Assessing Integrity Risks, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/d4f685b7-en.

[6] OECD (2020), “Public integrity for an effective COVID-19 response and recovery”, OECD Policy Responses to Coronavirus (COVID-19), OECD Publishing, Paris, https://doi.org/10.1787/a5c35d8c-en.

[5] OECD (2016), Supreme Audit Institutions and Good Governance: Oversight, Insight and Foresight, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264263871-en.

[2] OECD (2013), OECD Reviews of Risk Management Policies: Mexico 2013: Review of the Mexican National Civil Protection System, OECD Reviews of Risk Management Policies, OECD Publishing, Paris, https://doi.org/10.1787/9789264192294-en.