I. Audit Reports
 
Four audits were completed as of June 30, 2002 and recommendations were provided to correct identified internal control weaknesses.  All reports and recommendations have been approved by the Secretary General.

The OIG continues to monitor efforts made by the General Secretariat in addressing audit findings and the Inspector General is satisfied that every effort is being made to comply with the recommendations within the constraints of available resources. 

Audit (SG/OIG/AUDIT-01/02) was undertaken primarily as a follow up to the implementation of the recommendations provided in the 2000 audit of the NT Server Review (SG/OIG/AUDIT- 02/00), as well as  a  review  of the operating system level security of the Oracle Application, perimeter security controls and anti-virus controls of the OAS Enterprise System (OASES).

The audit determined that since the designation of the Information Security Officer (ISO), excellent progress has been made within the OAS Information Technology Department (ITD).  OAS now has a published information security policy addressing all major areas and a number of formal security procedures have been implemented.  Many difficult architectural improvements have been achieved, including dedicated domain controllers and a demilitarized zone on the firewall.  In the NT environment, password controls have been improved and more effective audit trails exist.  Systematic processes are now conducted for updating systems against new security threats and server and domain controller security configuration has greatly improved.  With the support of the GS/OAS, the ISO has developed good information security related knowledge and skills.  Anti-virus controls are comprehensive and benefit from careful and attentive supervision.  Despite the great improvement in the security of the Windows NT and Windows 2000 environment, the audit determined that the following remaining areas of risk require attention: 

• Clarification is needed to define an effective relationship between the Application Security Officer (ASO) and the Information Security Officer (ISO). 
  

•  For appropriate access control there needs to be formal notification of changes in roles or status of employees, contractors and consultants by GS/OAS directors, including the Department of Human Resources Services (DHRS) and the Office Procurement Management Services (OPMS) to the Information Technology Division (ITD).
  

• The architecture and administration of anti-virus controls appear sound and thorough and have thus minimized risk to an acceptable level but the anti-virus administrator’s procedures should   be formally documented.  
  

•  Anti-virus risk could be further limited by implementing formal security policy and procedures for keeping all Microsoft Office, Internet Explorer and desktop operating systems updated against constantly changing exploits.  The auditor also identified certain software programs for significantly reducing the labor cost of implementing these additional measures. 
  

• The architecture of perimeter security controls (i.e. firewall, dial-in, VPN) appears sound and the overall administrative procedures appear thorough with the exception of monitoring.  This is a pervasive weakness in information security throughout OAS largely because of the quantity and diversity of systems and the labor involved in monitoring security logs.  The purchase and effective implementation of one or more automated log monitoring and reporting tools can largely address this risk.
   

• There needs to be tighter control over who has authority to maintain the firewall to reflect accepted best practice. 

 Audit (SG/OIG/AUDIT-02/02) was undertaken to evaluate the implementation of the Oracle 11i upgrade that was officially introduced on January 18, 2002.  The Oracle 11i upgrade places OAS in an elite category of having one of the most state-of-the-art information systems available.  It is our opinion that with the right level of cooperation and funding, the new Oracle 11i upgrade will provide GS/OAS management with a system that will meets their long-term needs. 

GS/OAS has recognized that the older Oracle 10.7 release was not capable of providing the necessary project information without modification.  The Oracle 11i system is not just a system for the core financial functions but is a distributed financial system that is capable of supporting all units of the organization. Although the new Oracle 11i appears to have the capability to meet many of the needs for the Technical Units, the upgrade was complicated by the fact that several of the upgraded modules, specifically Projects and Grants, were significantly changed from the prior release. One of the difficulties experienced during the upgrade was that the funding of the project fell short of what was needed to ensure that all user requirements were identified, met and conveyed to the users.  Poor communications has been one of the biggest roadblocks to the system's successful implementation and it was evident to the auditor that the Technical Units, for the most part, did not sufficiently endorse the system’s capability from the beginning.  

The establishment of a Coordinating Committee with full representation to identify and address the implementation problem issues as quickly as possible, was the key recommendation of the report and the efforts of the Committee have assisted in settling the organization back into a normal working posture.    The OAS has an excellent reputation in managing and executing technical projects. In the future, in addition to updating the project methodology and in order to maximize the capabilities of any system to the fullest, oversight management should require full user participation and analytical dialog for similar technology efforts.  

Other key issues that were identified include the movement of sensitive production data into the test environment, the lack of some user reports, inadequate documented user procedures in the use of the system and incomplete testing during the project implementation.  The audit results identified several implementation problems that would have been avoided or minimized with a more effective project methodology.  The report recommends that the project methodology be updated to correct weaknesses identified, including comprehensive user community participation in the testing process, production simulation prior to system acceptance, adequate transfer of knowledge, proper user representation on all decision committees, final user acceptance and sign off on various phases of development.  The auditor noted that the implementation of the recommendations will provide the basis for successful future implementations and upgrades and provide the Secretariat for Management with a solid system foundation to manage their activities and provide Gs/OAS users with the required level of comfort regarding system’s capabilities. 

Audit SG/OIG/Audit-03/02 was undertaken primarily to comply with the request from the 2000 Audit Report from the Board of External Auditors to reexamine the purposes of the Leo S. Rowe Memorial Fund and to ensure that Trust resources are utilized for the purposes specified by the grantor.  Audit activities also reviewed OAS guidelines and transactions for the Leo S. Rowe Memorial Benefit Fund administered by a Committee chaired by the Assistant Secretary for Management.  

It is the opinion of the OIG that the Leo S. Rowe Memorial Award Committee (1) is structured according to GS/OAS requirements (2) the 2000 and 2001 nominations and awards were made according to the procedures of Administrative Memorandum No. 76 and (3) that the Committee satisfactorily performed its functions in the years under audit.  However, the audit identified the need for (1) written guidelines for emergency disbursements (2) accuracy in the posting of all expense accounts for Fund disbursements and (3) action to be taken by the GS/OAS Treasurer regarding changes to the investment policies of the Fund to agree with Leo S. Rowe Fund investment policies as directed by the Committee. 

Audit (SG/OIG/AUDIT-04/02) was undertaken to evaluate the internal controls in the GS/OAS Office in Uruguay.  We determined that there was need for compliance with OAS directives relating to the contracting of temporary personnel, cancellation of supporting documents for disbursements, removal of stale dated checks from bank reconciliations and updating the record of OAS fixed assets assigned to that office.  The following projects executed in that Member State were also reviewed.

• Environmental Information for the MERCOSUR    

• Pedagogic Didactic Training for Educators of the Region

• Support to the Rural Family (PROFAMRU) 

• Regional Technical Cooperation in Topics of Integration

• Educational Invigoration and Social Development of the Childhood of Low Resources through the Creation and Multiplication of Infantile Orchestras of the Region

• Scientific-technological Model of Integration among Argentina, Brazil and Uruguay

The audit found no discrepancies in the disbursement of project funds and noted that unspent funds were returned to the FEMCIDI account.  The audit recommended follow up action regarding the submission of the final report for the completed Pedagogic Didactic Training for Educators of the Region project.

II. STAFFING

The Inspector General utilizes performance contractors to supplement the staffing resources provided by the Regular Fund for auditing services.

III. OTHER
 
The Office of the Inspector General coordinated efforts with the Board of External Auditors and the independent firm of auditors during the 2002 external auditing process.  

August 12, 2002

Linda P. Fealing
Inspector General

Second Semester

I. Audit Reports

Eight audits were completed for the period July through the year ended December 31, 2002 and recommendations were provided to correct identified internal control weaknesses. All reports and recommendations submitted to the Secretary General were approved. The OIG continues to monitor efforts made by the General Secretariat in addressing audit findings and implementing recommendations. The Inspector General is satisfied that every effort is being made to implement OIG recommendations within the constraints of available resources.

Audit (SG/OIG/AUDIT-05/02) examined the operational processes of the Technical Secretariat of the Leo S. Rowe Fund to evaluate the adequacy of internal controls of the Leo S. Rowe Pan American Fund. The audit was undertaken primarily as a follow up to the implementation of the recommendations provided in the 1998 audit of the Inspector General and the recommendations issued by the Board of External Auditors for 2001 and 2002. The Director of the Department of Financial Services (DFS) is the Treasurer of the Leo Rowe Fund and is responsible for receipt, accounting and disbursement of its funds. The audit period was January 2001 through March 2002 and included a transition period following the issue of Executive Order No. 02-2 that clarified the relationship between the Rowe Fund Secretariat and the Inter-American Agency for Cooperation and Development. During the transition period arrangements were concluded for distribution and performance of administrative functions to the Fund. In February 2001 an Advisor to the Secretary General was assigned to perform the duties of Technical Secretary to the Fund. In February 2002 an agreement was reached with the OAS Staff Federal Credit Union to disburse and receive loan repayments as well as maintain individual loan balances. In 2001 the Rowe Fund satisfactorily addressed the two “reportable conditions” that were cited by the Board in 2000. Main weaknesses identified during this audit were the need for improvement in the:

• Pre-approval loan process to ensure that complete information is provided by the Technical Secretariat to the Committee for consideration of loan applications.

• Follow up of students’ academic progress.

• Referral of loans for appropriate write off.

• Effective management of the status of accounts for outstanding loans to ensure effective and timely, monitoring of loan repayments.

The Technical Secretariat to the Fund has made significant progress in resolving internal control issues identified during the current and prior audits, including prompt follow-up action on outstanding matters. The Leo S. Rowe Fund Committee and the GS/OAS Technical Secretariat are to be commended for the significant progress made in addressing the collection of outstanding loans and excellent cooperation with the OIG in resolving the identified weaknesses.

Audit (SG/OIG/AUDIT-06/02, 07/02, 08/02, 09/02, 10/02 and 11/02) were undertaken to evaluate the internal controls within the offices of the General Secretariat in Saint Vincent and the Grenadines, Saint Lucia, Trinidad and Tobago, Suriname, Panama and Mexico. The audits examined financial transactions, including cash receipts and disbursements and verified compliance with OAS directives and project agreements. The audits determined that internal controls in those offices are adequate for proper recording of financial transactions. OIG noted that the findings and internal control weaknesses were similar in those offices. Specifically, there is need for compliance with OAS procedures for replenishment of Petty Cash, maintenance of long distance telephone and vehicle logs, timely submission of quarterly reports on Releases for goods imported duty free, updating the Fixed Assets Inventory Report and reporting of monthly attendance. During the audits of the above noted Offices in the Member States, the OIG reviewed the following fifteen projects financed from FEMCIDI funds that were executed in those Member States during the period ended December 2002:

• The Caribbean Heritage Tourism Development.

• Institutional Strengthening of Basic Education – Programming in Rural Communities.

• Strengthening the Institutional Capacity of Governments to implement Development Objectives.

• Freshwater Resources Management in the Small Islands Developing States.

• Strengthening Knowledge/Information Networking in Biotechnology and Food Technology in the Caribbean and Latin America.

• Cooperative Strengthening of National Institutions to enhance Integrated Water Resource Management.

• Mission Enterprise: Promotion of Rural Economic Development.

• Diagnosis and Promoting Education Success in Trinidad and Tobago.

• Strengthening of the Institutional Infrastructure of the Environmental Department

• Gender and Media in the Caribbean.

• Aprovechamiento de la Flora Regional como Fuente de Fármacos Anticáncer y Antiparásitos.

• Tercer curso Actualización en Derecho Internacional.

• Programa Permanente de Formación de Recursos Humanos en Conservación y Restauración de Bienes Culturales.

• Cooperación Regional México – Centroamérica Sobre Educación a Distancia.

• Fortalecimiento de las Actividades de la Red Social de América Latina y El Caribe.

OIG also examined the specific funded Consolidación de la Cooperación Integral de México con Centro América y El Caribe project that was executed in Mexico during the audit period.

OIG examination of those projects noted that for the most part, project expenses were fully documented in accordance with project budgets and project objectives were achieved. Recommendations were issued for the submission of final reports that had not been received by the date of the audits, collection of outstanding payments for Rowe Fund loans from nationals of those Member States, refund of unused project funds, as well as other specific internal control issues related to the recording of financial transactions for one of the projects.

The audit of the Inter-American Agency for Cooperation and Development was undertaken primarily to follow-up on the concerns expressed in the 2001 report of the Board of External Auditors, including the need to adopt and utilize the automated OASES system of the General Secretariat of the OAS. The objectives included the need to:

• Evaluate the administrative and internal controls that relate to IACD operational processes, including cash receipts, cash disbursements and bank reconciliations.

• Evaluate the adequacy of the financial management of IACD funds.

• Ensure compliance with the terms of the agreements between the Secretariat for Management and IACD for the processing of the accounting transactions as well as the Budgetary and Financial Rules and other General secretariat directives.

In 2001 the Board of External Auditors cited a “Material Weakness” for the inadequate accounting system utilized by IACD and a “Reportable Condition” regarding the internal control environment of IACD Central American projects. The audit determined that the IACD issued several contracts in 2001 and 2002 that demonstrate its efforts in attempting to adopt and utilize the automated financial system as recommended by the Board of External Auditors. The IACD informed the OIG that because the GS/OAS was migrating to a new version of OASES in 2002, the change to OASES recommended by the Board would not have been cost effective. In 2002 the IACD signed an agreement with the Secretariat for Management (SM) in which the SM, through the DFS, assumed responsibility for processing and maintaining the Agency’s accounts in the OASES Financial System, including the custody of the IACD cash and related assets and processing of financial transaction within OASES. The agreement states that the IACD remains responsible for the management and control of the funds for it is entrusted, as well as its financial and reporting data and information. At the time of the audit, the SM assumed responsibility for financial record keeping and administration of IACD funds, except for the Specific Funded Central American projects. A draft agreement is currently under discussion between the two parties for including the Central American projects in the financial responsibilities performed by DFS on behalf of the IACD. The signing of the agreement will result in DFS recording of all IACD financial transactions in the OASES system.

The audit noted that, except for those findings and recommendations that relate to issuing performance contracts and obligation of funds prior to incurring expenditures, all recommendations from the 2001 OIG audit report were implemented. The 2002 audit identified the need for IACD to:

• Comply with OAS directives for disbursements, performance contractors, purchase orders and travel, for voiding stale-dated checks and obligation of funds prior to disbursement.

• Ensure that all accounting transactions, including adjustments to bank reconciliations and bank interest charges are processed and recorded accurately and in a timely manner.

• Ensure that bank reconciliations are prepared monthly and promptly;

• Ensure that overtime payments are not made to performance contractors

• Carry out effective follow up action in order to ensure the accuracy of DFS billings

II. Staffing

The Inspector General utilizes performance contractors to supplement the staffing resources provided by the Regular Fund for auditing services within available resources. A participant in the OAS internship program was assigned to the OIG for a four-month period that ended in November 2002.

III Other

The OIG observed GS/OAS meetings particularly related to CAAP, OASES, the GSB Renovations, Contract Awards Committee, and the Publications Board Committee. The Inspector General continues to meet with managers of the General Secretariat to discuss the implementation of audit recommendations, as well as other issues related to an effective internal control environment.

Linda P. Fealing
Inspector General
May 2003