ITU Presentation .pdf



Original name: ITU Presentation .pdf
Title: RIAS 2016 Follow-up process ITU

This document, in PDF 1.3 format, was generated by PowerPoint / Mac OS X 10.11.1 Quartz PDFContext and was uploaded to fichier-pdf.fr on 01/09/2016 at 20:29 from the IP address 88.234.x.x. This download page for the file has been viewed 562 times.
Document size: 392 KB (13 pages).
Confidentiality: public file


Document preview


Follow up audits
Monitoring implementation of recommendations

• ITU is the United Nations specialized agency for information and
communication technologies – ICTs
• Headquarters in Geneva, Switzerland
• 780 staff (of which 56 staff in the field)
• Annual budget of 160 million Swiss francs
• 4 Regional Offices, 8 Area offices and a UN Liaison Office in New
York

IIA STANDARDS

2500 – Monitoring Progress

The chief audit executive must establish and maintain a system to
monitor the disposition of results communicated to management.

2500.A1

The chief audit executive must establish a follow-up process to monitor
and ensure that management actions have been effectively implemented
or that senior management has accepted the risk of not taking action.

Practice Advisory 2500-1
Monitoring Progress
1. To effectively monitor the disposition of results, the chief audit executive (CAE) establishes procedures to include:
• The time frame within which management’s response to the engagement observations and recommendations is required.
• Evaluation of management’s response.
• Verification of response (if appropriate).
• Performance of a follow-up engagement (if appropriate).
• A communications process that escalates unsatisfactory responses/actions, including the assumption of risk, to the
appropriate levels of senior management or the board.
2. If certain reported observations and recommendations are significant enough to require immediate action by management or the
board, the internal audit activity monitors actions taken until the observation is corrected or the recommendation implemented.
3. The internal audit activity may effectively monitor progress by:
• Addressing engagement observations and recommendations to appropriate levels of management responsible for taking
action.
• Receiving and evaluating management responses and proposed action plan to engagement observations and
recommendations during the engagement or within a reasonable time period after the engagement results are
communicated. Responses are more useful if they include sufficient information for the CAE to evaluate the adequacy and
timeliness of proposed actions.
• Receiving periodic updates from management to evaluate the status of its efforts to correct observations and/or
implement recommendations.
• Receiving and evaluating information from other organizational units assigned responsibility for follow-up or corrective
actions.
• Reporting to senior management and/or the board on the status of responses to engagement observations and
recommendations.

Practice Advisory 2500.A1-1
Follow-up Process
1. Internal auditors determine whether management has taken action or implemented the recommendation. The internal auditor
determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking
action or implementing the recommendation.
2. Follow-up is a process by which internal auditors evaluate the adequacy, effectiveness, and timeliness of actions taken by
management on reported observations and recommendations, including those made by external auditors and others. This
process also includes determining whether senior management and/or the board have assumed the risk of not taking corrective
action on reported observations.
3. The internal audit activity’s charter should define the responsibility for follow-up. The chief audit executive (CAE) determines the
nature, timing and extent of follow-up, considering the following factors:
• Significance of the reported observation or recommendation.
• Degree of effort and cost needed to correct the reported condition.
• Impact that may result should the corrective action fail.
• Complexity of the corrective action.
• Time period involved.
4. The CAE is responsible for scheduling follow-up activities as part of developing engagement work schedules. Scheduling of follow-up is based on the risk and exposure involved, as well as the degree of difficulty and the significance of timing in implementing
corrective action.
5. Where the CAE judges that management’s oral or written response indicates that action taken is sufficient when weighed against
the relative importance of the observation or recommendation, internal auditors may follow up as part of the next engagement.
6. Internal auditors ascertain whether actions taken on observations and recommendations remedy the underlying conditions.
Follow-up activities should be appropriately documented.

Step 1

Final Internal Audit Report (IAR) is sent by Internal Audit (IA) to the Secretary-General
(SG); recommendations are marked "critical", "high", "medium" or "low"

Step 2

SG sends the IAR to the managers concerned by the recommendations, with a request
to report back to IA on the implementation of recommendations

Step 3

IA enters the recommendations and the deadlines requested by the SG into an Excel
follow-up sheet (IA-FUS)

Step 4

On a given date and at frequent intervals, IA sends the managers concerned an
email with the earlier recommendation(s) and a request for further follow-up. This is done
until the recommendation(s) is (are) closed

Step 5

IA includes in its progress report to the Audit Committee (AC) a short description of where the
various recommendations/follow-up stand, and includes statistics; the AC will comment in
its report on the implementation rate/statistics

Step 6

IA includes in its annual report to the Governing Body (Council) one or more
paragraphs as to the implementation of recommendations and the statistics; the
Council members will make, as appropriate, a comment on the implementation
rate/statistics

Step 7

In case of a remaining (and long outstanding) significant risk ("critical" or
"high") because the recommendation cannot be closed (due to lack of action by the
manager concerned, lack of resources or other reasons), IA will ask the manager to
confirm, in writing, acceptance of the risk

Step 1
MEMORANDUM
Ref.: SG-SGO/IA/15-05
Date: 16 March 2015
To: Secretary-General
From: Head, Internal Audit Unit
Subject: Internal Audit Report – Audit of SAP CRM Implementation

Please find attached the Internal Audit Report of SAP CRM Implementation
(Ref. SG-SGO/IA/15-04) dated 13 March 2015.
In accordance with the Internal Audit Charter this report includes comments by the
managers concerned[1].
The recommendations are intended for implementation by the Information Systems
Department in collaboration with CRM users Divisions.
I remain at your disposal for further clarifications.

Annex: as mentioned

[1] S.O. 13/09 (Internal audit charter) stipulates that "Internal audit reports shall include the comments of the
managers concerned." (S.O. 13/09 - Annex, section E, paragraph 15).

Step 2
MEMORANDUM
Date: 18 March 2015
To: Chief, SPM; Deputy to the Director, BR; Chief, ISD; Deputy to the Director, TSB; Deputy to the Director, BDT
From: Secretary-General
Cc: Support Service, BDT; Head, SPM/PRM; Chief, TSB /OPD; Head, SECGEN/IAU; Head ISD/ERP
Subject: Internal Audit Report – Audit of SAP CRM Implementation

Please find attached Audit Report SG/SGO/IA/15-04 of 13 March 2015.
Service Order 13/09 (Internal Audit Charter) § 17 states that “The Secretary-General shall ensure
that all audit recommendations are responded to and implemented where appropriate. Responses
should include complete information on actions taken in respect of each recommendation and
should be forwarded to the Head of ITU Internal Audit.”
You are kindly requested to implement the recommendations contained in the report, taking into
account the management comments.
Please forward by 18 September 2015 to the Internal Audit Unit the status of implementation and
actions taken in respect of each recommendation contained in the report.
The Head, Internal Audit Unit is available to clarify any questions that may arise.

Annex: as mentioned

Step 3
Status values: Delayed, In progress, Closed
* Report number: IA/15-4-Audit SAP CRM Implementation
** Severity of the Recommendation: 1 = critical, 2 = high, 3 = medium, 4 = low

Columns: No. | Report Number (*) | Report date | Auditor | Issue # | Recommendation | Severity (**) | Responsible person | Name of supervisor | Expected date of implementation | Status | Date of Last Follow-up | Date of next Follow-up | Date of Closure | Management comments

No. 1
Report number: IA/15-4
Report date: 13/03/2015
Auditor: XXX
Issue #: E.1
Recommendation: IA considers the Steering Committee should be reactivated and reconvened to ensure that the project will continue on track within an appropriate schedule and with adequate quality control
Severity: 2
Responsible person: XXX
Name of supervisor: XXX
Expected date of implementation: 18/09/2015
Status: Closed
Follow-up/closure date: 13/10/2015
Management comments:
ISD Management: We fully agree with IA’s recommendations. We would like to add that the re-instated SC should also ensure that the necessary resources are committed to any CRM follow up project.
SPM Management: We are particularly supportive of emphasizing the need to re-establish cross-sector steering committee to manage the continued implementation and provide the team with a revised road map including all major items to be implemented with expected time frames and resources required.
BDT Management: Before expanding the CRM system further, thorough analysis of the current situation, cost and benefit should be reported to the Steering Committee, including i) the implementation level of the existing roadmap, ii) the remaining issues currently in production and the cost and time needed to fix them and the number of staff trained and the cost and time needed to train the remaining staff and iii) the necessary cost, staff time, training and the expected benefit for each year.

No. 2
Report number: IA/15-4
Report date: 13/03/2015
Auditor: XXX
Issue #: E.2
Recommendation: The Steering Committee should request -and provide guidance to- ISD to work on an updated Roadmap for the continuation of the CRM project
Severity: 2
Responsible person: XXX
Name of supervisor: XXX
Expected date of implementation: 18/09/2015
Status: Closed
Follow-up/closure date: 13/10/2015
Management comments: See above

No. 3
Report number: IA/15-4
Report date: 13/03/2015
Auditor: XXX
Issue #: G.1
Recommendation: When new features are ready, ISD/ERP/CRM Unit should consider testing them not only part by part but also process-wide while available, and ensure enough time is left for fixing possible issues before go-live. Business units need to allocate resources.
Severity: 3
Responsible person: XXX
Name of supervisor: XXX
Expected date of implementation: 18/09/2015
Status: Closed
Follow-up/closure date: 03/02/2016
Management comments:
ISD Management: Unit testing, Integration testing and User Acceptance (UA) testing are part of the implementation methodology. Unit testing is typically done by the consulting firm or by ITU IS staff while Integration and UA testing is done by the user (the “business”); including the writing of the test scenarios. Very often, Integration and UA testing is a challenge. The IS department agree with IA’s recommendation regarding business units needing to allocate resources.

No. 4
Report number: IA/15-4
Report date: 13/03/2015
Auditor: XXX
Issue #: H.1
Recommendation: IS project team, in collaboration with Heads of each CRM users division, should ensure that training is delivered on time in order to ensure the trainees have enough time to understand the process and practice as necessary.
Severity: 3
Responsible person: XXX
Name of supervisor: XXX
Expected date of implementation: 18/09/2015
Status: Closed
Follow-up/closure date: 04/02/2016
Management comments:
ISD Management: Agree. ISD often uses the “train-the-trainer” strategy, as was the case with the CMR Project, and active participation from the business is mandatory. Sometimes this approach can become a challenge when resources are not available on time and at the same time project deadlines need to be met.

No. 5
Report number: IA/15-4
Report date: 13/03/2015
Auditor: XXX
Issue #: I.1
Recommendation: IA recommends that the Chief, ISD should consider allotting additional budget allocations to allow for support by external contractors for further implementation and customization of the CRM solution.
Severity: 2
Responsible person: XXX
Name of supervisor: XXX
Expected date of implementation: 18/09/2015
Status: Closed
Follow-up/closure date: 13/10/2015
Management comments:
ISD Management: We agree with IA’s recommendation. It should be noted that we did not encounter any technical issues during WT14.
SPM Management: We are particularly supportive of emphasizing the need to invest more resources into tech support and training to ensure that we can properly implement the remaining items. The list is still long and the requirements complex, and we still have much to do to make sure that the aspects of CRM already in place are dependable (i.e. there are glitches and errors as you noted between GD and CRM in basic account data).

No. 6
Report number: IA/15-4
Report date: 13/03/2015
Auditor: XXX
Issue #: K.1
Recommendation: The Head of each Division/Department/Bureaux in charge of a database from which data will have to be migrated, should ensure that he/she delegates to his staff the related data cleansing with the necessary time availability.
Severity: 2
Responsible person: XXX
Name of supervisor: XXX
Expected date of implementation: 18/09/2015
Status: Closed
Follow-up/closure date: 13/10/2015
Management comments:
ISD Management: Fully agree

No. 7
Report number: IA/15-4
Report date: 13/03/2015
Auditor: XXX
Issue #: L.1
Recommendation: In future, for accountability and control purposes, ISD/ERP/CRM Unit should propose to the managers in the various Departments/Bureaux an approval chain linked with access rights, to be implemented in CRM.
Severity: 2
Responsible person: XXX
Name of supervisor: XXX
Expected date of implementation: 18/09/2015
Status: In progress
Follow-up/closure date: 21/04/2016
Management comments:
ISD Management: Agree

Step 4
Dear Mr. XXXX,
I refer to the internal audit report -that dates back to 2015- on SAP CRM Implementation (ref. SG-SGO/IA/15-04). Internal Audit is required to do a regular follow up of the recommendations and
their implementation.
As I am reporting to IMAC in February and to Council in May 2016 on the follow up of implementation of audit recommendations, would you be able to clarify whether these recommendations,
which we noted earlier as being in progress, are still in progress or whether they have a different status now ?
I included my appreciation, based on the outcome of various CRM implementation committee meetings in the past.
Recommendations:
G.1 When new features are ready, ISD/ERP/CRM Unit should consider testing them not only part by part but also process-wide while available, and ensure enough time is left for fixing possible
issues before go-live. Business units need to allocate resources.
Management comment:
ISD Management: Unit testing, Integration testing and User Acceptance (UA) testing are part of the implementation methodology. Unit testing is typically done by the consulting firm or by ITU IS
staff while Integration and UA testing is done by the user (the “business”); including the writing of the test scenarios. Very often, Integration and UA testing is a challenge. The IS department
agree with IA’s recommendation regarding business units needing to allocate resources.
Follow up remark:
Email 12.10.2015: We continue to follow our testing approach (part of our Project Methodology): Unit Testing, Integration Testing (end-to-end processes) and User Acceptance Testing (End-to-End Testing with formal sign off) and push the Business to do their part. Overall it works well.
Comment IAU 1 Feb 2016: implemented
H.1 IS project team, in collaboration with Heads of each CRM users division, should ensure that training is delivered on time in order to ensure the trainees have enough time to understand the
process and practice as necessary.
Management comment:
ISD Management: Agree. ISD often uses the “train-the-trainer” strategy, as was the case with the CMR Project, and active participation from the business is mandatory. Sometimes this approach
can become a challenge when resources are not available on time and at the same time project deadlines need to be met.
Follow up remark:
Email 12/10/2015 YV: End Users continue to expect ISD to develop training materials and train end users while ISD clearly communicates that development of Training Materials is a shared
responsibility and business units need to allocate resources (with ISD support of course). This approach serves the following purposes:
1) While the business, with support from ISD, develops the training materials the business performs an additional test of the processes & system, and
2) business becomes well versed in the use of the system (they become super users)
3) Training materials have the proper business content instead of being only IS/system oriented training.
Comment IAU 1 Feb 2016: in progress
L.1 In future, for accountability and control purposes, ISD/ERP/CRM Unit should propose to the managers in the various Departments/Bureaux an approval chain linked with access rights, to be
implemented in CRM.
Management comment:
ISD Management: Agree
Follow up remark:
Email 12/10/2015 YV: this is work in progress. We have developed a process, but haven’t rolled it out yet. We plan to do this after WT2015. We will also do some program development
because some ITU specific data control requirements are not standard in SAP CRM.
Comment IAU 1 Feb 2016 in progress
Would it be possible to have an update/confirmation of the status of implementation of these recommendations?
It would be appreciated to get an answer from you by 5 February 2016.
Many thanks in advance. Best regards.

Step 5

INTERNAL AUDIT - STATUS REPORT since 10th IMAC meeting

b) Follow up of internal audit recommendations
IA performed in April 2015 a follow-up of all open recommendations between 2008 and 2014.
Further progress was noted. An overview on the implementation of the recommendations is
provided in a separate document for IMAC.
Internal Audits - Follow-up register
Last update: 19/02/2016
Statistics of Audit recommendations
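| Year | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | Total |
|---|---|---|---|---|---|---|---|---|---|
| Number of audit reports | 1 | 2 | 3 | 2 | 0 | 4 | 4 | 7 | 23 |
| Recommendations - Total | 10 | 13 | 21 | 17 | - | 113 | 55 | 33 | 262 |
| In Progress | 0 | 1 | 0 | 9 | | 13 | 20 | 27 | 70 |
| Delayed | 0 | 0 | 0 | 0 | | 1 | 4 | 0 | 5 |
| Closed | 10 | 12 | 21 | 8 | | 99 | 31 | 6 | 187 |
| % of recommendation In Progress | 0% | 8% | 0% | 53% | - | 12% | 36% | 82% | 27% |
| % of recommendations Delayed | 0% | 0% | 0% | 0% | | 1% | 7% | 0% | 2% |
| % of recommendations Closed | 100% | 92% | 100% | 47% | | 88% | 56% | 18% | 71% |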

Criticality of the recommendations (Closed, In Progress, Delayed)
[Table: recommendations In Progress, Delayed and Closed for each year 2008 to 2015(*), broken down by criticality (Critical, High, Medium, Low, Total); the individual cell values are not recoverable.]

Step 6
Council 2016 Geneva, 25 May-2 June 2016
Document C16/44-E
12 April 2016
Original: English

REPORT OF THE INTERNAL AUDITOR ON INTERNAL AUDIT ACTIVITIES
Follow-up of internal audit recommendations

• Throughout the period reported on, and in compliance with IIA[1] Standard 2500, Internal Audit continued to follow up on
recommendations made in previous audit reports.
• Further progress was noted over the last 12 months and statistics on the implementation are:
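| Year | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | Total |
|---|---|---|---|---|---|---|---|---|
| Number of audit reports | 2 | 3 | 2 | 0 | 4 | 4 | 7 | 22 |
| Recommendations - Total | 13 | 21 | 17 | - | 113 | 55 | 34 | 253 |
| In Progress | 1 | 0 | 1 | | 13 | 20 | 30 | 65 |
| Delayed | 0 | 0 | 2 | | 1 | 5 | 0 | 8 |
| Closed | 12 | 21 | 14 | | 99 | 30 | 4 | 180 |
| % of recommendation In Progress | 8% | 0% | 6% | - | 12% | 36% | 88% | 26% |
| % of recommendations Delayed | 0% | 0% | 12% | | 1% | 9% | 0% | 3% |
| % of recommendations Closed | 92% | 100% | 82% | | 88% | 55% | 12% | 71% |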

No critical or high importance recommendations from before 2012 were left unimplemented. One of these recommendations is related to
the change of an internal approval workflow, which was delayed as it became part of a more holistic review of internal procedures and is
in progress and expected to be completed in 2016. The recommendations from 2011 still in progress or delayed concern an internal audit
of costing of publications. Management informed Internal Audit (and IMAC) regularly of the progress and the External Auditor had already
assessed that some of the recommendations from 2011 were closed. In 2016, Internal Audit continues to monitor the implementation of
the various recommendations contained in previous audit reports and will report on this follow-up, as appropriate, to IMAC and to the
Secretary-General. Overall, continuous progress is noted, yet very often priorities change and these may affect the degree of importance
of initially made recommendations.
[1] Institute of Internal Auditors, www.theiia.org.

Step 7

From: XXXX
Sent: Thursday, April 28, 2016 8:05 PM
To: Sap, Frank
Subject: Re: Follow up of IA recommendations for next IMAC Meeting
Frank,
Upon discussion with DSG I am preparing a memo to SG pointing out the issue prior to providing you a final answer to your email.
I am definitely not in a position to accept - as you suggest - the residual risk. Only the SG is in a position to do that.
Regards,
(Sent from my iPad)
On 25.04.2016, at 16:28, Sap, Frank <frank.sap@itu.int> wrote:
Dear Mr. XXXX,
Given that some of the security issues that had been identified by Internal Audit or by the local UNDSS team members and that response
to remedy is slow but existing, I would like to check with you, as supervisor of Drew, if you are accepting the residual security risk. I will
also inform the BDT Director to make him aware of these pending risks so that he can take a position.
…………..
Best regards,
Frank



