Embed Size (px)
Citation preview
INTERNAL AUDIT DIVISION
AUDIT REPORT
ICT systems’ readiness for implementing IPSAS and Umoja in peacekeeping missions
Overall results relating to the ICT systems’ readiness for implementing IPSAS and Umoja in peacekeeping missions were initially assessed as unsatisfactory. Implementation of seven important recommendations and one critical recommendation remains in progress
FINAL OVERALL RATING: UNSATISFACTORY
__ December 2012 Assignment No. AT2012/615/01
CONTENTS
Page
I. BACKGROUND 1
II. OBJECTIVE AND SCOPE 2
III. AUDIT RESULTS 2 - 12
A. ICT support systems 3 - 11
B. Change management 11 - 12
IV. ACKNOWLEDGEMENT 12
ANNEX I Status of audit recommendations
APPENDIX 1 Management response
AUDIT REPORT
ICT systems’ readiness for implementing IPSAS and Umoja inpeacekeeping missions
I. BACKGROUND
1. The Office of Internal Oversight Services (OIOS) conducted an audit of the information and communications technology (ICT) systems’ readiness for implementing the International Public Sector Accounting Standards (IPSAS) and the enterprise resource planning (ERP) system (Umoja) in peacekeeping missions.
2. In accordance with its mandate, OIOS provides assurance and advice on the adequacy and effectiveness of the United Nations internal control system, the primary objectives of which are to ensure: (a) efficient and effective operations; (b) accurate financial and operational reporting; (c) safeguarding of assets; and (d) compliance with mandates, regulations and rules.
3. IPSAS is a set of accounting principles that will replace the current United Nations Accounting Standards, and was expected to be rolled out in the context of the Umoja initiative. Umoja is expected to reduce the current fragmentation of applications and increase efficiency gains by replacing a significant number of existing systems used throughout the Organization. Given the delay in the implementation of the Umoja project at the time of reporting, the Organization had taken a transitional measure to calculate opening balances for IPSAS using existing ICT systems. Umoja is expected to be implemented by 31 December 2015. The first set of IPSAS-compliant financial statements for peacekeeping operations is planned for 30 June 2014, and for all other Secretariat operations is planned for 31 December 2014.
4. The Department of Field Support (DFS) provides field missions with support in the areas of finance, logistics, ICT, human resources (HR) and general administration. The Information and Communications Technology Division in DFS (ICTD/DFS) supports the following applications in the missions: Galileo and Mercury (supply chain), SUN (finance and payroll), ProGen and Nucleus (HR), Field Support Suite (FSS), and Business Objects. Each peacekeeping mission has a Communications and Information Technology Section (CITS) that provides local ICT services. The budget for ICT-related activities for the three missions audited, United Nations Organization Stabilization Mission in the Democratic Republic of the Congo (MONUSCO), United Nations Assistance Mission for Iraq (UNAMI), and African Union-United Nations Hybrid Operation in Darfur (UNAMID), for the period from 1 July 2010 to 30 June 2011 was $150 million: $108 million for communications and $42 million for information technology.
5. The Office of Information and Communications Technology (OICT) provides infrastructure support for enterprise-wide applications such as the Integrated Management Information System (IMIS), Procure Plus, Umoja, Inspira, electronic mail and the Official Document System. Other applications developed, implemented and/or supported by OICT include: fuel management, rations management, geographic information systems, and security-related and decision support systems.
6. The Department of Management (DM) is the lead office in the implementation of IPSAS and Umoja, mainly through the Office of Programme Planning, Budget and Accounts (OPPBA) and the Umoja Office.
7. Comments provided by OPPBA/DM, ICTD/DFS and the missions are incorporated in italics.
1
II. OBJECTIVE AND SCOPE
8. The audit of the ICT systems’ readiness for implementing IPSAS and Umoja in peacekeeping missions was conducted to assess the adequacy and effectiveness of the Organization’s governance, risk management and control processes in providing reasonable assurance regarding the readiness of the ICT systems for the IPSAS implementation.
9. This audit was selected because the readiness of current ICT systems in peacekeeping missions is critical to the success of IPSAS and Umoja implementation. Risks in the prioritization and execution of required tasks are high owing to the complexity of these initiatives.
10. The key controls tested for the audit were: (a) ICT support systems; and (b) change management. For the purpose of this audit, OIOS defined these key controls as follows:
(a) ICT support systems - controls that provide reasonable assurance that ICT systems to support IPSAS and Umoja exist and address the Organization’s needs.
(b) Change management - controls that provide reasonable assurance that there is a systematic approach to dealing with ICT reform initiatives from the conceptual stage until after the first few years of implementation.
11. The key controls were assessed for the control objectives shown in Table 1.
12. OIOS conducted the audit from 10 September 2011 to 31 January 2012 in three missions: MONUSCO, UNAMI and UNAMID. The audit covered the 2010-2011 biennium. This report addresses both systemic and mission-specific issues identified during the audit.
13. OIOS conducted an activity-level risk assessment to identify and assess specific risk exposures, and to confirm the relevance of the selected key controls in mitigating associated risks. Through interviews, analytical reviews and tests of controls, OIOS assessed the existence and adequacy of internal controls and conducted necessary tests to determine their effectiveness.
III. AUDIT RESULTS
14. The Organization’s governance, risk management and control processes examined were assessed as unsatisfactory in providing reasonable assurance regarding the ICT systems’ readiness for implementing IPSAS and Umoja in peacekeeping missions. OIOS made 10 recommendations in the report to address the issues identified in the audit. The legacy ICT systems used to support the financial reporting process were not ready for the implementation of IPSAS and Umoja in the three missions audited. Limited reliance could be placed on HR data and unliquidated obligations. Systems interface was generally inadequate and maintaining the systems required intensive manual processes and duplication of tasks. Automated mechanisms for tracking data related to inventory and valuation of non-expendable properties were inadequate. The Excel application was used extensively for recording, analysis and reporting, which did not provide adequate segregation of duties, data integrity and security controls. Management of MONUSCO had updated the staffing tables and all duplications identified had been resolved; UNAMID had been populating all the stages of the Nucleus system, reflecting the status of purchase orders in the supporting application and updated its disaster recovery plan.
2
15. The initial overall rating was based on the assessment of key controls presented in Table 1 below. The final overall rating is unsatisfactory as implementation of seven important recommendations and one critical recommendation remains in progress.
Table 1: Assessment of key controls
Control objectives
Businessobjective(s) Key controls Efficient and
effective operations
Accurate financial and operational reporting
Safeguarding of assets
Compliance with
mandates,regulationsand rules
(a) ICT support systems
Unsatisfactory Unsatisfactory Unsatisfactory Partiallysatisfactory
ICT systems’ readiness for implementingIPSAS and Umoja in peacekeeping missions
(b) Change management
Unsatisfactory Partiallysatisfactory
Partiallysatisfactory
Partiallysatisfactory
FINAL OVERALL RATING: UNSATISFACTORY
A. ICT support systems
Existence, configuration and functionalities of ICT applications supporting financial reporting
(A) Accounts payable, accounts receivable and unliquidated obligations
1. Several systems were being used in the missions: IMIS and the Field Personnel Management System (FPMS) for accounts payable and receivable including staff entitlements; Nucleus for recruitment; ProGen and SUN for payroll; and Matrix and e-Leave for attendance and end of service liabilities.
Limitations in Nucleus reduced reliance on HR data
2. IMIS was the only reliable source of information on the duty station of staff. Nucleus was used for recruitment, on-boarding, confirmation and post-management, and administration of national staff benefits. In MONUSCO there were discrepancies between IMIS and Nucleus records due to: (a) inadequate interface of IMIS with Nucleus, ProGen and SUN; (b) personnel separation actions not being recorded on a timely basis; and (c) duplication of staff profiles in Nucleus after staff reassignments to other missions. In UNAMID, as Nucleus could only record the start and end stages of the recruitment process, Excel was used for interim stages. In UNAMI, the HR Section used Nucleus and FPMS in parallel for storing and processing HR related data; however, Nucleus had some limitations for generating customized reports, and therefore, FPMS was still being used for generating the reports required for payroll processing, using the Crystal Report facility. Maintaining the two systems for similar purposes and multiple data entry increased the risk of error and inconsistencies in HR data.
(1) MONUSCO, UNAMI and UNAMID should liaise with ICTD/DFS to address the challenges encountered in using the Nucleus system, by improving the timeliness of data updates, avoiding data duplication, and supporting the generation of custom reports.
All three missions accepted recommendation 1. MONUSCO stated that it had implemented the recommendation and has updated its staffing table and all duplications have been resolved.UNAMID stated that it had implemented the recommendation and has been populating all the stages
3
of the Nucleus System since October 2012. UNAMI stated it will seek additional guidance from DFS on the use of Business Objects for custom reporting. Based on the action taken by the Missions, recommendation 1 has been closed.
Limitations in ProGen that prevented data security were addressed
3. ProGen had limitations that prevented the concurrent update of data by multiple users. Additionally: (a) input data in ProGen did not require a second level of review and validation by the HR Section before the payroll calculation; (b) the banking information of staff members was held in ProGen and was vulnerable to unauthorized access/modifications that could remain undetected; and (c) ProGen did not have a data store with historical information. Also, there was more than one installation of ProGen in UNAMID and MONUSCO; and a system glitch with ProGen created, in several cases, duplicate entries of staff data across the installations. In response to the audit recommendation issued to the missions for strengthening the security of data in ProGen, the missions’ management provided evidence that adequate compensating controls had been put in place to ensure security by segregating data input and validation, introducing manual reconciliations of the monthly payroll, and avoiding storing ProGen files in shared drives. Based on the recent actions taken by the missions, OIOS is not making any additional recommendation in this area.
Incomplete data in the Matrix attendance management system
4. Matrix was used for tracking unused vacations and for determining end-of-service liabilities. However, the leave balances in Matrix did not reflect leave requests pending approval and included negative leave balances. Although Matrix was replaced in UNAMI and UNAMID by the newly deployed eLeave system, which is part of the Field Support Suite (FSS), FPMS and Crystal reports were still being used to generate year-end reports. Recommendation 8 on the deployment of FSS addresses this issue.
Incomplete data pertaining to unliquidated obligations in SUN and Mercury
5. The Finance Sections in the three missions generated reports on unliquidated obligations using the SUN accounting system. The underlying information was provided as follows: Mercury was used by the Procurement Sections to generate purchase orders and change orders; Receipt and Inspection (R&I) Units for R&I reports; and Self-Accounting Units (SAUs) for service certification reports. While the uploading of purchase orders from Mercury to SUN is automated, the lack of full interface between these two systems affected the completeness and accuracy of unliquidated obligations in UNAMI and UNAMID, as evidenced by: (a) incomplete purchase order status, payment data and associated cost data; and (b) unreconciled data in SUN and Mercury.
(2) MONUSCO, UNAMI and UNAMID should ensure that all the information necessary for providing updated reports on purchase orders and their status (i.e., invoice matching and payment), are reflected in a timely manner in the supporting applications (i.e., SUN and Mercury).
All three missions accepted recommendation 2. MONUSCO stated that all invoice payments are matched against purchase orders in the Mercury system. However, it has observed that not all information has been uploaded in the Mercury system from purchase order fully received status to purchase order completed. The mission is taking steps to upload all missing information and complete the pending cases in the Mercury system. In addition, Mercury access and training on the invoice matching process will be extended to the field finance staff. UNAMID stated that it had implemented the recommendation since 29 February 2012; the mission reports on purchase orders and their status are reflected in the supporting application. UNAMI stated that the issue was being
4
addressed through a feature in Mercury called the data bridge to enable the transfer/importation of data to SUN. Recommendation 2 remains open pending receipt of evidence confirming the completion of the actions initiated by MONUSCO, UNAMI and UNAMID.
Inadequate training on the use of the reporting application Business Objects
6. The procurement function was supported by three systems: (a) Mercury for requisitions; (b) Galileo for receipt and inspection; and (c) Business Objects for reporting. However, UNAMID could not generate a comprehensive list of purchase orders processed for the mission (either by UNAMID or at UNHQ) for the period from July 2010 to June 2011, reflecting the lack of adequate technical capability in using Business Objects. There were no report templates in Business Objects for business users, and related training had not been provided to staff for using the reporting application. UNAMID has since provided training based on staff needs.
Lack of ICT systems for tracking the use of mobile telephone lines in MONUSCO
7. Telephone charges were tracked with separate systems for land and mobile telephone lines. The use of land telephone lines in the three missions was tracked with the application Ring Master, a call logging software. The use of mobile telephone lines in UNAMI and UNAMID was tracked and reconciled with data recorded in Excel. MONUSCO did not have in place any system for tracking mobile phone charges. The statements received from the mobile telephone providers were not reconciled with any internal records maintained in MONUSCO. MONUSCO has since developed a telephone billing application.
(B) Inventory and valuation of non-expendable property
Inadequate automated tracking mechanisms of data related to inventory and valuation of non-expendable property
8. Galileo, SUN and Mercury were not used to support the valuation of non-expendable property. The electronic Cargo Movement Request (eCMR) had not been deployed in the missions, and therefore the costs associated with insurance and movement of assets were not captured.
9. The Property Control and Inventory Units (PCIU) used Galileo for generating the inventory of non-expendable property. While a link existed between Galileo and Mercury for automating the transfer of the details of assets acquired through purchase orders issued by the missions, there was only a one-way link from Mercury to SUN. As a result, staff needed to trace manually and link the financial information of assets in SUN using the purchase order and invoice number recorded in Galileo.
10. In UNAMI, inventory records extracted from Galileo showed that the database contained some assets without purchase order number or invoice number. The R&I Unit explained that many of these records pertained to assets transferred from other missions and received without any invoice or purchase order information. Although the actual cost of assets was recorded in SUN when the Finance Section paid the invoice, the total cost did not match the total amount stored in Mercury. The Aviation Section manually prepared cargo manifests and service task orders for the shipping company using Excel. Cargo manifests were not recorded in Mercury. The Movement Control Unit manually recorded the charges of intra-mission shipments for sending assets to the final destination.
11. In UNAMID, the cost of intra-mission shipment of assets, such as freight forwarding and insurance were not captured in Mercury and Galileo.
5
12. In MONUSCO: (a) the underlying data for the 2010 financial year-end inventory report created from Galileo had fields that were not consistently populated; (b) more than one purchase order matched a particular asset; and (c) several fields in Galileo were used for recording the date of receipt and inspection of assets, without clear criteria for establishing which field should be used. In certain cases, for example, the date the SAUs signed/acknowledged the receipt of the assets was recorded as the inventory date. However, for assets purchased under the delivery clause, the delivery date, i.e., the date when the asset was handed over to the shipping agent, was not reflected in Galileo as the inventory date.
13. The Engineering Section in the missions did not have an application for tracking labour time and maintain/compute the costs associated with self-constructed assets. Except for MONUSCO, the project/programme management module of Galileo was not used for tracking the materials towards the costing of in-house/self-constructed projects, and therefore the total cost was not reflected in Galileo. Excel was used to manage the scope of works (bill of quantities, costs, etc.). In addition, the costs associated with enhancing the value of existing assets were not reflected in any system; work orders were handled manually. The lack of automated tracking mechanisms created exposure in terms of IPSAS compliance.
(3) MONUSCO, UNAMI and UNAMID should liaise with OPBBA and ICTD/DFS to determine how to record and process costs and inventory dates associated with non-expendable property and self-constructed assets.
(4) MONUSCO and UNAMI should establish adequate mechanisms to ensure that Galileo is updated with the pertinent information (i.e., purchase order, cost and invoice number) on all assets.
ICTD/DFS and all three missions accepted recommendation 3. DFS stated that the methodology of developing standard costs for non-expendable property (NEP), enhancements to Galileo to support IPSAS requirements, and the NEP codification projects are centrally being led by a Team comprising of ICTD and the Property Management Support Section of the Logistics Support Division. The role of missions is to contribute data and support the entire exercise according to instructions issued by the Team. DFS suggested that since action is being taken at the Headquarters, this recommendation should be addressed to DFS. Based on the information received, OIOS will assess the progress made in this area during the audit of the IPSAS opening balances that was recently started. In the interim, recommendation 3 remains open pending the assessment of the actions taken.
MONUSCO and UNAMI accepted recommendation 4. MONUSCO stated that the Receiving and Inspection Unit (R&I) has been entering the data in the Galileo system in accordance with the standard operating procedures. However, due to a lack of dedicated data fields for select information, some of the data is manually entered into the remarks section of the Galileo stock record. The matter has been raised to DFS and the modification of the Galileo system is underway to enable accurate recording of data. UNAMI stated that the physical inventory check was already being conducted twice a year and would be augmented with a more rigorous exercise to be performed by the R&I Unit and record all the associated purchase orders and invoice numbers to facilitate the complete recording of assets in Galileo. Recommendation 4 remains open pending receipt of evidence confirming the completion of the actions initiated by MONUSCO and UNAMI.
Inadequate configuration of Galileo for recording the write-off of assets
14. While the financial instructions issued by DFS in April 2011 established that assets should be written off on the basis of their depreciated value, Galileo was still configured to write off assets using the inventory value.
6
(5) ICTD/DFS should support missions in configuring Galileo in accordance with the DFS directive requesting that assets are written off on the basis of their depreciated value.
ICTD/DFS accepted recommendation 5 and stated that the requested configuration of Galileo for the write-off of assets is planned for implementation by the fourth quarter of 2012. Recommendation 5 remains open pending receipt of documentation confirming the reconfiguration of Galileo for the write-off of assets based on their depreciated value.
(C) Mission-specific transactions
Incomplete deployment of the suite of field applications
15. ICTD/DFS developed a set of applications (FSS) designed to support workflows, data collection functions and processes common to all missions with a standard and centralized ICT platform as part of its ICT strategic objective to reduce the number of independent local applications. Some of these ICT applications stored and processed data, such as leave balances and associated costs, that is relevant for the preparation of financial statements. Although ICTD/DFS started migrating information to FSS, the implementation of these applications in the three missions audited was still not complete, as shown in Table 2.
Table 2: Status of FSS implementation in MONUSCO, UNAMI and UNAMID
FSS Application MONUSCO UNAMI UNAMID
eLeave Not yet implemented. Data clean-up in progress.
Staff being trained. Implemented. Staff being trained.
eCMR – Electronic Cargo Movement Requests
Not yet implemented. Uses its own version of CMR.
Not yet implemented. Manually processed.
Not yet implemented. Manually processed.
eCBS - Asset Tracking Not yet implemented. Manually processed.
Not yet implemented. Manually processed.
Not yet implemented. Manually processed.
F10 - Electronic Travel Expense Claims
Not yet implemented. Manually processed.
Not yet implemented. Manually processed.
Not yet implemented. Manually processed.
EG2 - Education Grant Used in Entebbe. Not yet implemented. Processed in IMIS via Citrix.
Used in Entebbe.
PT8 - Travel Authorization Database
Using a locally developed application.
Not yet implemented in UNAMI. Processed with FPMS.
Not yet implemented. Using a locally developed application.
16. The recovery of travel advances and travel claims were not tracked in any ICT system in the missions. The F10 application was not used in UNAMI and UNAMID. Travel claims information was recorded on F10 and PT-8 manual forms. In MONUSCO, a technical glitch with the PT8 application used for processing travel requests resulted in the duplication of serial numbers.
17. In UNAMI, cargo flight data was manually kept and processed by the Aviation Unit. Aircraft use reports were manually processed. In UNAMI, Mercury was used for recording information pertaining to cargo contracts, ground handling and aircraft fuel. Shipments between mission offices were handled using cargo movement requests (in Excel), cargo manifests (in Excel) and service task requests (manual forms). The deployment of eCMR would support the recording and processing of this information.
7
(6) MONUSCO, UNAMI and UNAMID should develop a schedule for the deployment and implementation of the full set of applications included in the Field Support Suite.
All three missions accepted recommendation 6. MONUSCO stated that the Regional Service Centre in Entebbe is taking the lead in rolling out the Field Support Suite applications in the respective regional missions. In addition to the eLeave and eCheck-in/Check-out systems, five FSS modules are now operational in MONUSCO (e.g., EMOP, EPBS, ETMS, Ed-grant and CICO). The remaining modules will be rolled out in accordance with the schedule agreed between the United Nations Global Service Centre and ICTD/DFS. UNAMI stated that the mission had successfully deployed two modules at the time of the drafting of the audit report, namely the eLeave and the electronic Check-in/Check-out systems. A high level implementation schedule was already in place but was fully dependent on the development constraints of the FSS project team for: (a) eCMR, awaiting tentative timetable from FSS team (by the end of the second quarter of 2012); (b) eMOP, second quarter of 2012; and (c) EG2, third quarter of 2012. UNAMID stated that it had already deployed and implemented nine out of 14 applications which were in use. UNAMID confirmed that it is working with ICTD/DFS on the implementation plan for the deployment of the remaining applications. Recommendation 6 remains open pending receipt of evidence confirming the completion of the actions initiated by the missions for the deployment of the Field Support Suite.
Different ICT systems used for supporting fleet management
18. There was no system in place to adequately support fleet management. In UNAMI, the Transport Unit used an application called VAS (Vehicle Acquisition System) for the purchase of vehicles. This application was provided by UNHQ. Mercury and Galileo were used for procurement and tracking of vehicle spare parts. In UNAMID, Galileo was used for managing vehicles and spare parts. Reports were generated from Mercury for checking purchase orders and expenditures. The application Business Objects was used to generate reports on the availability of parts in Galileo. UNAMID and UNAMI used CARLOG for generating monthly reports that were sent to the Finance Section for recovering liberty charges (i.e., cost of using vehicle outside the established radius) from staff. The monthly fuel usage of all regional offices was consolidated in Excel files. Mercury was used for raising requisitions pertaining to shipping services, jet fuel and ground handling, and the related ground-handling charges were manually recorded in Excel files. Given that OICT planned to deploy a new electronic fuel management system (eFMS), OIOS is not making any recommendation in this area.
A new ICT system was being deployed for managing food rations
19. In UNAMID, an Excel-based system was used to manage food rations. The system was primarily manual and did not: (a) synchronize with the new weekly menu concept; (b) allow the automatic conversion of menu into food orders/requisitions, generation of weekly menu requisitions, price and verification against packaging sizes; (c) generate monthly summary reports; and (d) support the new contractual arrangements based on package sizing. Given that OICT planned to deploy a new electronic rations management system (eRMS), OIOS is not making any recommendation in this area.
A Lotus Notes application was used for managing contingent-owned equipment
20. Contingent-owned equipment (COE) was managed using a Lotus Notes database for recording data of major equipment belonging to troop contributing countries and to generate verification reports. In MONUSCO, paper worksheets were used to record inspections, the results of which were then typed into the locally developed COE application. The required volume of data entry resulted in an increased risk of input delays. In UNAMID and UNAMI, local applications were also used for managing COE, such as the Lotus-Domino application Field Mission Logistic System. Quarterly verification reports were prepared
8
manually and submitted to UNHQ for processing payments. OIOS was informed that a new electronic system (eCOE) was going to be deployed in the missions during the course of 2012. Therefore, OIOS is not making any recommendation in this area.
Inadequate ICT tools for timely reporting of data pertaining to Quick Impact Projects
21. In MONUSCO, the Quick Impact Projects (QIPS) team managed several projects a year and used Excel for reporting on the status of the projects. Excel did not provide reliable and timely financial information for managing/monitoring project implementation.
(7) MONUSCO should liaise with DFS to determine which system to use for capturing the financial information associated with the Quick Impact Projects, and implement it.
MONUSCO accepted recommendation 7 and stated that it would liaise with ICTD/DFS to determine which system to use for capturing the financial information associated with QIPs. Recommendation 7 remains open pending receipt of documentation confirming the adoption and implementation of a suitable system in MONUSCO for capturing the financial information of QIPs.
(D) Use of the Excel application
Risks associated with data entry in Excel
22. The missions used the Excel application extensively in support of a large number of financial processes, including for the recording of accounts receivable, electronic inter-office vouchers with the United Nations Development Programme, commitments against future financial periods and allotment accounts. The extensive use of Excel files exposed the missions to risks of unauthorized access to and modification of data. Additionally, since Excel does not provide data input rules and controls, this increased the risk of incorrect data entry.
(8) MONUSCO, UNAMI and UNAMID should design and implement procedures for improving the reliability of data contained in Excel files, such as: (a) creating an inventory of all Excel files used across the various sections; (b) determining materiality of content stored/processed; (c) standardizing name conventions; (d) enabling password protection and use of macros; and (e) performing periodic scans to detect new additions/modifications.
All three missions accepted recommendation 8. MONUSCO stated that the mission CITS is working on standardizing name conventions and password, including providing users with refreshers on how to enable the password protection on files. Guidance on periodic scans would also be provided on new additions/modification. UNAMI stated that Excel sheets generated by sections/offices were stored in a secure shared drive that only authorized staff from each section had access to. The mission will further establish the requirements at section level and conduct training on the standardization of formats, as well as protection of the files. UNAMID stated that the mission CITS will liaise with all sections to develop standard operating procedures governing the creation and protection of Excel files used across the mission. Recommendation 8 remains open pending receipt of documentation confirming the completion of the actions initiated by the missions.
(E) Security, integrity and reliability of ICT systems
23. OIOS tested the security of ICT systems to assess whether adequate controls were in place to ensure the availability and integrity of the data used for generating opening balances for IPSAS implementation and the migration/conversion process for Umoja.
9
Adequate connectivity between missions and UNLB
24. OIOS assessed that the connectivity and availability of network/applications hosted in UNLB was acceptable. Field offices (or sectors) were connected to the Internet via local service providers. Missions backed up their data in UNLB and Entebbe. HR and finance functions for MONUSCO and UNAMID were relocated to the Regional Support Centre in Entebbe.
Inadequate assessment of network vulnerabilities
25. Table 3 shows the results of the vulnerability scans conducted on the local servers hosting the ICT applications and shared drives (i.e., those storing the Excel files) used in each mission. The results indicate the number of instances of vulnerabilities per level of risks. The detailed results of these vulnerability scans were shared by OIOS during the audit with the respective CITS of each mission for further and immediate investigation and mitigation. Periodic vulnerability scans were not performed in the missions.
Table 3: Vulnerabilities of the servers hosting local applications in the three missionsVulnerabilities
MONUSCO UNAMI UNAMID Description High Medium Low High Medium Low High Medium Low
Servers Hosting Local Applications SUN; ProGen; FPMS; Matrix; Ring Master; local eCMR; Shared Drives -production and non-production servers
18 30 37 9 2 96 0 9 94
Total 85 107 103
Inadequate password controls
26. OIOS conducted password audits of all network accounts established in the missions. The results showed that, in large part, the structure of the passwords was not in compliance with the established criteria requiring an adequate combination and length of alphanumeric characters and symbols, and password change at predefined intervals.
Inadequate analysis of application logs
27. Logs of the applications locally hosted in the missions (i.e., SUN, ProGen, Ring Master, etc.) were not consistently enabled, protected and maintained. ICTD/DFS explained stated that in response to the previous OIOS audit of ICT governance and security management in peacekeeping missions (AP2011/615/01), they had stressed that ICT security management in the operational environments of peacekeeping missions was an ongoing process and required a phased implementation, and that it had been performing ICT-related aspects of risk management and control with limited resources. The subject report also acknowledged that the ICT security and compliance function in peacekeeping missions were understaffed, and that ICTD/DFS engaged with OICT on an enterprise security incident and event management (log management) solution to determine the requirements and find an appropriate solution for the Organization. For Umoja/IPSAS, field missions were in the process of implementing password requirements. However, with regard to the systems referred to in this audit, ICTD/DFS reiterates that since the applications belong to business units they are not within the purview of ICTD/DFS. Based on the explanation provided, OIOS is not making any recommendation.
10
Incomplete disaster recovery controls in UNAMID
28. UNAMID had not disseminated throughout the mission the business continuity plan it had developed in July 2011. Additionally, both the business continuity and disaster recovery plans did not cover the four sector regions, the United Nations country teams and other high risk areas such as medical and fuel management. The disaster recovery plan developed by CITS was based on surveys conducted with business owners. The disaster recovery plan had not been signed-off and formally adopted by Management and needed to be reviewed to ensure alignment with the business continuity plan that was subsequently developed. A test of the disaster recovery plan conducted in June 2011 showed that the established recovery time objective was not met.
(9) UNAMID should review, align and formalize its disaster recovery plan with the business continuity plan, ensuring that all high risk areas are covered.
UNAMID accepted recommendation 9 and stated that it had updated its disaster recovery plan in November 2012 and provided the revised plan. OIOS reviewed the updated disaster recovery plan prepared by UNAMID and confirmed its suitability. Accordingly, recommendation 10 has been closed.
B. Change management
Need for ICT support for training in the missions
29. The implementation of IPSAS and Umoja would require support from CITS in each mission. In this regard, several control weaknesses were noted across the three missions audited, including the absence of ICT focal points and the lack of awareness of the dependency of IPSAS and Umoja. DFS advised that the DFS IPSAS Implementation Support Team was working closely with the DM IPSAS team and mission focal points had been nominated and were working with the Chiefs and Directors of Mission Support (CMS/DMS) to manage all aspects of the implementation of the project in the missions. The CMS/DMS as the executive sponsor of the IPSAS implementation team would direct the mission IPSAS and CITS focal points on all aspects of the implementation plan. Additionally, the missions had neither started the training of staff nor developed training plans.
(10) MONUSCO, UNAMI and UNAMID should establish and implement a training schedule for fully deploying IPSAS and Umoja in the missions.
All three missions accepted recommendation 10. MONUSCO stated that it had established an IPSAS/Umoja implementation team, which ensures continued progress in meeting related training requirements. The mission has three certified IPSAS Trainers who are currently delivering a series of training to staff members. More than 150 eligible staff have been trained, with two additional training sessions scheduled for December 2012. Training is planned and delivered through an established training program and will continue as scheduled. UNAMID stated that 400 staff have completed the Computer Based Training IPSAS training program, while 181 staff members have completed the Instructor Lead Training. Training sessions are being conducted simultaneously in El-Fasher and Nyala. UNAMI stated that IPSAS basic training has been conducted for a major portion of the Mission Support staff. Recommendation 10 remains open pending receipt of evidence pertaining to the completion of the actions initiated by the missions.
11
AN
NE
X I
MO
NU
SCO
- A
UD
IT R
EC
OM
ME
ND
AT
ION
S
AT
2012
/615
/01
- Hor
izon
tal a
udit
of IC
T sy
stem
s and
con
trol
s in
peac
ekee
ping
mis
sion
s for
impl
emen
ting
IPSA
S an
d U
moj
a
Rec
om.
no.
Rec
omm
enda
tion
Cri
tical
1 /Im
port
ant2
C/
O3
Act
ions
nee
ded
to c
lose
rec
omm
enda
tion
Impl
emen
tatio
nda
te4
1M
ON
USC
O sh
ould
liai
se w
ith IC
TD/D
FS to
ad
dres
s the
cha
lleng
es e
ncou
nter
ed in
usi
ng th
e N
ucle
us sy
stem
, by
impr
ovin
g th
e tim
elin
ess o
f da
ta u
pdat
es, a
void
ing
data
dup
licat
ion,
and
su
ppor
ting
the
gene
ratio
n of
cus
tom
repo
rts.
Impo
rtant
C
2M
ON
USC
O sh
ould
ens
ure
that
all
the
info
rmat
ion
nece
ssar
y fo
r pro
vidi
ng u
pdat
ed re
ports
on
purc
hase
ord
ers a
nd th
eir s
tatu
s (i.e
., in
voic
e m
atch
ing
and
paym
ent),
are
refle
cted
in a
tim
ely
man
ner i
n th
e su
ppor
ting
appl
icat
ions
(i.e
., SU
N
and
Mer
cury
).
Impo
rtant
O
OIO
S re
ceip
t of e
vide
nce
conf
irmin
g th
e co
mpl
etio
n of
the
actio
ns in
itiat
ed b
y M
ON
USC
O.
Firs
t qua
rter o
f 20
13
3M
ON
USC
O sh
ould
liai
se w
ith O
PBB
A a
nd
ICTD
/DFS
to d
eter
min
e ho
w to
reco
rd a
nd p
roce
ss
cost
s and
inve
ntor
y da
tes a
ssoc
iate
d w
ith n
on-
expe
ndab
le p
rope
rty a
nd se
lf-co
nstru
cted
ass
ets.
Crit
ical
OTh
e pr
ogre
ss m
ade
in th
is a
rea
will
be
asse
ssed
du
ring
the
audi
t of t
he IP
SAS
open
ing
bala
nces
st
arte
d re
cent
ly b
y O
IOS.
Seco
nd q
uarte
r of
2013
4M
ON
USC
O sh
ould
est
ablis
h ad
equa
te m
echa
nism
s to
ens
ure
that
Gal
ileo
is u
pdat
ed w
ith th
e pe
rtine
nt
info
rmat
ion
(i.e.
, pur
chas
e or
der,
cost
and
invo
ice
num
ber)
on
all a
sset
s.
Impo
rtant
O
Rec
eipt
of e
vide
nce
conf
irmin
g th
e co
mpl
etio
n of
the
actio
ns in
itiat
ed b
y M
ON
USC
O.
Seco
nd q
uarte
r of
2013
6M
ON
USC
O sh
ould
dev
elop
a sc
hedu
le fo
r the
de
ploy
men
t and
impl
emen
tatio
n of
the
full
set o
f ap
plic
atio
ns in
clud
ed in
the
Fiel
d Su
ppor
t Sui
te.
Impo
rtant
O
Rec
eipt
of e
vide
nce
conf
irmin
g th
e co
mpl
etio
n of
the
actio
ns in
itiat
ed b
y th
e m
issi
ons f
or th
e de
ploy
men
t of F
ield
Sup
port
Suite
of
appl
icat
ions
.
Seco
nd q
uarte
r of
2013
1 Crit
ical
reco
mm
enda
tions
add
ress
sign
ifica
nt a
nd/o
r per
vasi
ve d
efic
ienc
ies o
r wea
knes
ses i
n go
vern
ance
, ris
k m
anag
emen
t or i
nter
nal c
ontro
l pro
cess
es, s
uch
that
reas
onab
le a
ssur
ance
can
not b
e pr
ovid
ed re
gard
ing
the
achi
evem
ent o
f con
trol a
nd/o
r bus
ines
s obj
ectiv
es u
nder
revi
ew.
2 Impo
rtant
reco
mm
enda
tions
add
ress
impo
rtant
def
icie
ncie
s or w
eakn
esse
s in
gove
rnan
ce, r
isk m
anag
emen
t or i
nter
nal c
ontro
l pro
cess
es, s
uch
that
reas
onab
le
assu
ranc
e m
ay b
e at
risk
rega
rdin
g th
e ac
hiev
emen
t of c
ontro
l and
/or b
usin
ess o
bjec
tives
und
er re
view
. 3 C
= c
lose
d, O
= o
pen
4 D
ate
prov
ided
by
OPP
BA
/DM
, IC
TD/D
FS a
nd th
e m
issi
ons
in re
spon
se to
reco
mm
enda
tions
.
Rec
om.
no.
Rec
omm
enda
tion
Cri
tical
1 /Im
port
ant2
C/
O3
Act
ions
nee
ded
to c
lose
rec
omm
enda
tion
Impl
emen
tatio
nda
te4
7 M
ON
USC
O sh
ould
liai
se w
ith D
FS to
det
erm
ine
whi
ch sy
stem
to u
se fo
r cap
turin
g th
e fin
anci
al
info
rmat
ion
asso
ciat
ed w
ith th
e Q
uick
Impa
ct
Proj
ects
, and
impl
emen
t it.
Impo
rtant
O
Rec
eipt
of d
ocum
enta
tion
indi
catin
g th
at Q
IPs
data
has
bee
n ca
ptur
ed
Seco
nd q
uarte
r of
2013
8M
ON
USC
O sh
ould
des
ign
and
impl
emen
t pr
oced
ures
for i
mpr
ovin
g th
e re
liabi
lity
of d
ata
cont
aine
d in
Exc
el fi
les,
such
as:
(a) c
reat
ing
an
inve
ntor
y of
all
Exce
l file
s use
d ac
ross
the
vario
us
sect
ions
; (b)
det
erm
inin
g m
ater
ialit
y of
con
tent
st
ored
/pro
cess
ed; (
c) st
anda
rdiz
ing
nam
e co
nven
tions
; (d)
ena
blin
g pa
ssw
ord
prot
ectio
n an
d us
e of
mac
ros;
and
(e) p
erfo
rmin
g pe
riodi
c sc
ans t
o de
tect
new
add
ition
s/m
odifi
catio
ns.
Impo
rtant
O
Rec
eipt
of
do
cum
enta
tion
show
ing
the
com
plet
ion
of
the
actio
ns
initi
ated
by
M
ON
USC
O.
Seco
nd q
uarte
r of
2013
10M
ON
USC
O sh
ould
est
ablis
h an
d im
plem
ent a
tra
inin
g sc
hedu
le fo
r ful
ly d
eplo
ying
IPSA
S an
d U
moj
a in
the
mis
sion
s.
Impo
rtant
O
Rec
eipt
of e
vide
nce
perta
inin
g to
the
com
plet
ion
of th
e ac
tions
initi
ated
by
MO
NU
SCO
. Se
cond
qua
rter o
f 20
13
2
UN
AM
I - A
UD
IT R
EC
OM
ME
ND
AT
ION
S
AT
2012
/615
/01
- Hor
izon
tal a
udit
of IC
T sy
stem
s and
con
trol
s in
peac
ekee
ping
mis
sion
s for
impl
emen
ting
IPSA
S an
d U
moj
a
Rec
om.
no.
Rec
omm
enda
tion
Cri
tical
1 /Im
port
ant2
C/
O3
Act
ions
nee
ded
to c
lose
rec
omm
enda
tion
Impl
emen
tatio
nda
te4
1 U
NA
MI s
houl
d lia
ise
with
ICTD
/DFS
to a
ddre
ss
the
chal
leng
es e
ncou
nter
ed in
usi
ng th
e N
ucle
us
syst
em, b
y im
prov
ing
the
timel
ines
s of d
ata
upda
tes,
avoi
ding
dat
a du
plic
atio
n, a
nd su
ppor
ting
the
gene
ratio
n of
cus
tom
repo
rts.
Impo
rtant
C
2 U
NA
MI s
houl
d en
sure
that
all
the
info
rmat
ion
nece
ssar
y fo
r pro
vidi
ng u
pdat
ed re
ports
on
purc
hase
ord
ers a
nd th
eir s
tatu
s (i.e
., in
voic
e m
atch
ing
and
paym
ent),
are
refle
cted
in a
tim
ely
man
ner i
n th
e su
ppor
ting
appl
icat
ions
(i.e
., SU
N
and
Mer
cury
).
Impo
rtant
O
OIO
S re
ceip
t of e
vide
nce
conf
irmin
g th
e co
mpl
etio
n of
the
actio
ns in
itiat
ed b
y U
NA
MI.
Seco
nd q
uarte
r of
2013
3 U
NA
MI s
houl
d lia
ise
with
OPB
BA
and
ICTD
/DFS
to
det
erm
ine
how
to re
cord
and
pro
cess
cos
ts a
nd
inve
ntor
y da
tes a
ssoc
iate
d w
ith n
on-e
xpen
dabl
e pr
oper
ty a
nd se
lf-co
nstru
cted
ass
ets.
Crit
ical
OTh
e pr
ogre
ss m
ade
in th
is a
rea
will
be
asse
ssed
du
ring
the
audi
t of t
he IP
SAS
open
ing
bala
nces
st
arte
d re
cent
ly b
y O
IOS.
Seco
nd q
uarte
r of
2013
4 U
NA
MI s
houl
d es
tabl
ish
adeq
uate
mec
hani
sms t
o en
sure
that
Gal
ileo
is u
pdat
ed w
ith th
e pe
rtine
nt
info
rmat
ion
(i.e.
, pur
chas
e or
der,
cost
and
invo
ice
num
ber)
on
all a
sset
s.
Impo
rtant
O
Rec
eipt
of e
vide
nce
conf
irmin
g th
e co
mpl
etio
n of
the
actio
ns in
itiat
ed b
y U
NA
MI.
Third
qua
rter o
f 20
13
6U
NA
MI s
houl
d de
velo
p a
sche
dule
for t
he
depl
oym
ent a
nd im
plem
enta
tion
of th
e fu
ll se
t of
appl
icat
ions
incl
uded
in th
e Fi
eld
Supp
ort S
uite
.
Impo
rtant
O
Rec
eipt
of e
vide
nce
conf
irmin
g th
e co
mpl
etio
n of
the
actio
ns in
itiat
ed b
y th
e m
issi
ons f
or th
e de
ploy
men
t of F
ield
Sup
port
Suite
of
appl
icat
ions
.
Seco
nd q
uarte
r of
2013
1 Crit
ical
reco
mm
enda
tions
add
ress
sign
ifica
nt a
nd/o
r per
vasi
ve d
efic
ienc
ies o
r wea
knes
ses i
n go
vern
ance
, ris
k m
anag
emen
t or i
nter
nal c
ontro
l pro
cess
es, s
uch
that
reas
onab
le a
ssur
ance
can
not b
e pr
ovid
ed re
gard
ing
the
achi
evem
ent o
f con
trol a
nd/o
r bus
ines
s obj
ectiv
es u
nder
revi
ew.
2 Impo
rtant
reco
mm
enda
tions
add
ress
impo
rtant
def
icie
ncie
s or w
eakn
esse
s in
gove
rnan
ce, r
isk m
anag
emen
t or i
nter
nal c
ontro
l pro
cess
es, s
uch
that
reas
onab
le
assu
ranc
e m
ay b
e at
risk
rega
rdin
g th
e ac
hiev
emen
t of c
ontro
l and
/or b
usin
ess o
bjec
tives
und
er re
view
. 3 C
= c
lose
d, O
= o
pen
4 D
ate
prov
ided
by
OPP
BA
/DM
, IC
TD/D
FS a
nd th
e m
issi
ons
in re
spon
se to
reco
mm
enda
tions
.
3
Rec
om.
no.
Rec
omm
enda
tion
Cri
tical
1 /Im
port
ant2
C/
O3
Act
ions
nee
ded
to c
lose
rec
omm
enda
tion
Impl
emen
tatio
nda
te4
8U
NA
MI s
houl
d de
sign
and
impl
emen
t pro
cedu
res
for i
mpr
ovin
g th
e re
liabi
lity
of d
ata
cont
aine
d in
Ex
cel f
iles,
such
as:
(a) c
reat
ing
an in
vent
ory
of a
ll Ex
cel f
iles u
sed
acro
ss th
e va
rious
sect
ions
; (b)
de
term
inin
g m
ater
ialit
y of
con
tent
st
ored
/pro
cess
ed; (
c) st
anda
rdiz
ing
nam
e co
nven
tions
; (d)
ena
blin
g pa
ssw
ord
prot
ectio
n an
d us
e of
mac
ros;
and
(e) p
erfo
rmin
g pe
riodi
c sc
ans t
o de
tect
new
add
ition
s/m
odifi
catio
ns.
Impo
rtant
O
Rec
eipt
of
do
cum
enta
tion
show
ing
the
com
plet
ion
of th
e ac
tions
initi
ated
by
UN
AM
I. Fo
urth
qua
rter o
f 20
13
10U
NA
MI s
houl
d es
tabl
ish
and
impl
emen
t a tr
aini
ng
sche
dule
for f
ully
dep
loyi
ng IP
SAS
and
Um
oja
in
the
mis
sion
s.
Impo
rtant
O
Rec
eipt
of e
vide
nce
perta
inin
g to
the
com
plet
ion
of th
e ac
tions
initi
ated
by
UN
AM
I. Th
ird q
uarte
r of
2013
4
UN
AM
ID -
AU
DIT
RE
CO
MM
EN
DA
TIO
NS
AT
2012
/615
/01
- Hor
izon
tal a
udit
of IC
T sy
stem
s and
con
trol
s in
peac
ekee
ping
mis
sion
s for
impl
emen
ting
IPSA
S an
d U
moj
a
Rec
om.
no.
Rec
omm
enda
tion
Cri
tical
1 /Im
port
ant2
C/
O3
Act
ions
nee
ded
to c
lose
rec
omm
enda
tion
Impl
emen
tatio
nda
te4
1 U
NA
MID
shou
ld li
aise
with
ICTD
/DFS
to a
ddre
ss
the
chal
leng
es e
ncou
nter
ed in
usi
ng th
e N
ucle
us
syst
em, b
y im
prov
ing
the
timel
ines
s of d
ata
up
date
s, av
oidi
ng d
ata
dupl
icat
ion,
and
supp
ortin
g th
e ge
nera
tion
of c
usto
m re
ports
.
Impo
rtant
C
3 U
NA
MID
shou
ld li
aise
with
OPB
BA
and
IC
TD/D
FS to
det
erm
ine
how
to re
cord
and
pro
cess
co
sts a
nd in
vent
ory
date
s ass
ocia
ted
with
non
-ex
pend
able
pro
perty
and
self-
cons
truct
ed a
sset
s.
Crit
ical
OTh
e pr
ogre
ss m
ade
in th
is a
rea
will
be
asse
ssed
du
ring
the
audi
t of t
he IP
SAS
open
ing
bala
nces
st
arte
d re
cent
ly b
y O
IOS.
Seco
nd q
uarte
r of
2013
6U
NA
MID
shou
ld d
evel
op a
sche
dule
for t
he
depl
oym
ent a
nd im
plem
enta
tion
of th
e fu
ll se
t of
appl
icat
ions
incl
uded
in th
e Fi
eld
Supp
ort S
uite
.
Impo
rtant
O
Rec
eipt
of e
vide
nce
conf
irmin
g th
e co
mpl
etio
n of
the
actio
ns in
itiat
ed b
y U
NA
MID
for t
he
depl
oym
ent o
f Fie
ld S
uppo
rt Su
ite o
f ap
plic
atio
ns.
Four
th q
uarte
r of
2013
8U
NA
MID
shou
ld d
esig
n an
d im
plem
ent p
roce
dure
s fo
r im
prov
ing
the
relia
bilit
y of
dat
a co
ntai
ned
in
Exce
l file
s, su
ch a
s: (a
) cre
atin
g an
inve
ntor
y of
all
Exce
l file
s use
d ac
ross
the
vario
us se
ctio
ns; (
b)
dete
rmin
ing
mat
eria
lity
of c
onte
nt
stor
ed/p
roce
ssed
; (c)
stan
dard
izin
g na
me
conv
entio
ns; (
d) e
nabl
ing
pass
wor
d pr
otec
tion
and
use
of m
acro
s; a
nd (e
) per
form
ing
perio
dic
scan
s to
dete
ct n
ew a
dditi
ons/
mod
ifica
tions
.
Impo
rtant
O
Rec
eipt
of
do
cum
enta
tion
show
ing
the
com
plet
ion
of th
e ac
tions
initi
ated
by
UN
AM
ID.
Firs
t qua
rter o
f 20
13
9U
NA
MID
shou
ld re
view
, alig
n an
d fo
rmal
ize
its
disa
ster
reco
very
pla
n w
ith th
e bu
sine
ss c
ontin
uity
C
ritic
alC
1 Crit
ical
reco
mm
enda
tions
add
ress
sign
ifica
nt a
nd/o
r per
vasi
ve d
efic
ienc
ies o
r wea
knes
ses i
n go
vern
ance
, ris
k m
anag
emen
t or i
nter
nal c
ontro
l pro
cess
es, s
uch
that
reas
onab
le a
ssur
ance
can
not b
e pr
ovid
ed re
gard
ing
the
achi
evem
ent o
f con
trol a
nd/o
r bus
ines
s obj
ectiv
es u
nder
revi
ew.
2 Impo
rtant
reco
mm
enda
tions
add
ress
impo
rtant
def
icie
ncie
s or w
eakn
esse
s in
gove
rnan
ce, r
isk m
anag
emen
t or i
nter
nal c
ontro
l pro
cess
es, s
uch
that
reas
onab
le
assu
ranc
e m
ay b
e at
risk
rega
rdin
g th
e ac
hiev
emen
t of c
ontro
l and
/or b
usin
ess o
bjec
tives
und
er re
view
. 3 C
= c
lose
d, O
= o
pen
4 D
ate
prov
ided
by
OPP
BA
/DM
, IC
TD/D
FS a
nd th
e m
issi
ons
in re
spon
se to
reco
mm
enda
tions
.
5
Rec
om.
no.
Rec
omm
enda
tion
Cri
tical
1 /Im
port
ant2
C/
O3
Act
ions
nee
ded
to c
lose
rec
omm
enda
tion
Impl
emen
tatio
nda
te4
plan
, ens
urin
g th
at a
ll hi
gh ri
sk a
reas
are
cov
ered
. 10
U
NA
MID
shou
ld e
stab
lish
and
impl
emen
t a
train
ing
sche
dule
for f
ully
dep
loyi
ng IP
SAS
and
Um
oja
in th
e m
issi
ons.
Impo
rtant
O
Rec
eipt
of e
vide
nce
perta
inin
g to
the
com
plet
ion
of th
e ac
tions
initi
ated
by
UN
AM
ID.
Firs
t qua
rter o
f 20
13
6
7
ICT
D/D
FS -
AU
DIT
RE
CO
MM
EN
DA
TIO
NS
AT
2012
/615
/01
– H
oriz
onta
l aud
it of
ICT
syst
ems a
nd c
ontr
ols i
n pe
acek
eepi
ng m
issi
ons f
or im
plem
entin
g IP
SAS
and
Um
oja
Rec
om.
no.
Rec
omm
enda
tion
Cri
tical
1 /Im
port
ant2
C/
O3
Act
ions
nee
ded
to c
lose
rec
omm
enda
tion
Impl
emen
tatio
nda
te4
5IC
TD/D
FS s
houl
d su
ppor
t mis
sion
s in
con
figur
ing
Gal
ileo
in
acco
rdan
ce
with
th
e D
FS
dire
ctiv
e re
ques
ting
that
ass
ets
are
writ
ten
off o
n th
e ba
sis
of
thei
r dep
reci
ated
val
ue.
Impo
rtant
O
Rec
eipt
of d
ocum
enta
tion
on th
e re
conf
igur
atio
n of
Gal
ileo
to w
rite
off a
sset
bas
ed o
n th
eir
depr
ecia
ted
valu
e.
Firs
t qua
rter o
f 20
13
1 Crit
ical
reco
mm
enda
tions
add
ress
sign
ifica
nt a
nd/o
r per
vasi
ve d
efic
ienc
ies o
r wea
knes
ses i
n go
vern
ance
, ris
k m
anag
emen
t or i
nter
nal c
ontro
l pro
cess
es, s
uch
that
reas
onab
le a
ssur
ance
can
not b
e pr
ovid
ed re
gard
ing
the
achi
evem
ent o
f con
trol a
nd/o
r bus
ines
s obj
ectiv
es u
nder
revi
ew.
2 Impo
rtant
reco
mm
enda
tions
add
ress
impo
rtant
def
icie
ncie
s or w
eakn
esse
s in
gove
rnan
ce, r
isk m
anag
emen
t or i
nter
nal c
ontro
l pro
cess
es, s
uch
that
reas
onab
le
assu
ranc
e m
ay b
e at
risk
rega
rdin
g th
e ac
hiev
emen
t of c
ontro
l and
/or b
usin
ess o
bjec
tives
und
er re
view
. 3 C
= c
lose
d, O
= o
pen
4 D
ate
prov
ided
by
OPP
BA
/DM
, IC
TD/D
FS a
nd th
e m
issi
ons
in re
spon
se to
reco
mm
enda
tions
.
![Green ICT Readiness Model for Developing Economies: Case ... · The G-Readiness model’s by Molla, Cooper, & Pittayachawan (2009) [4] was adopted for this study. Green ICT readiness](https://img.pdfslide.us/doc/110x75/5f27c38fe3f9b4171b7b84b4/green-ict-readiness-model-for-developing-economies-case-the-g-readiness-modelas.jpg)
