Key fingerprint 9EF0 C41A FBA5 64AA 650A 0259 9C6D CD17 283E 454C

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQQBBGBjDtIBH6DJa80zDBgR+VqlYGaXu5bEJg9HEgAtJeCLuThdhXfl5Zs32RyB
I1QjIlttvngepHQozmglBDmi2FZ4S+wWhZv10bZCoyXPIPwwq6TylwPv8+buxuff
B6tYil3VAB9XKGPyPjKrlXn1fz76VMpuTOs7OGYR8xDidw9EHfBvmb+sQyrU1FOW
aPHxba5lK6hAo/KYFpTnimsmsz0Cvo1sZAV/EFIkfagiGTL2J/NhINfGPScpj8LB
bYelVN/NU4c6Ws1ivWbfcGvqU4lymoJgJo/l9HiV6X2bdVyuB24O3xeyhTnD7laf
epykwxODVfAt4qLC3J478MSSmTXS8zMumaQMNR1tUUYtHCJC0xAKbsFukzbfoRDv
m2zFCCVxeYHvByxstuzg0SurlPyuiFiy2cENek5+W8Sjt95nEiQ4suBldswpz1Kv
n71t7vd7zst49xxExB+tD+vmY7GXIds43Rb05dqksQuo2yCeuCbY5RBiMHX3d4nU
041jHBsv5wY24j0N6bpAsm/s0T0Mt7IO6UaN33I712oPlclTweYTAesW3jDpeQ7A
ioi0CMjWZnRpUxorcFmzL/Cc/fPqgAtnAL5GIUuEOqUf8AlKmzsKcnKZ7L2d8mxG
QqN16nlAiUuUpchQNMr+tAa1L5S1uK/fu6thVlSSk7KMQyJfVpwLy6068a1WmNj4
yxo9HaSeQNXh3cui+61qb9wlrkwlaiouw9+bpCmR0V8+XpWma/D/TEz9tg5vkfNo
eG4t+FUQ7QgrrvIkDNFcRyTUO9cJHB+kcp2NgCcpCwan3wnuzKka9AWFAitpoAwx
L6BX0L8kg/LzRPhkQnMOrj/tuu9hZrui4woqURhWLiYi2aZe7WCkuoqR/qMGP6qP
EQRcvndTWkQo6K9BdCH4ZjRqcGbY1wFt/qgAxhi+uSo2IWiM1fRI4eRCGifpBtYK
Dw44W9uPAu4cgVnAUzESEeW0bft5XXxAqpvyMBIdv3YqfVfOElZdKbteEu4YuOao
FLpbk4ajCxO4Fzc9AugJ8iQOAoaekJWA7TjWJ6CbJe8w3thpznP0w6jNG8ZleZ6a
jHckyGlx5wzQTRLVT5+wK6edFlxKmSd93jkLWWCbrc0Dsa39OkSTDmZPoZgKGRhp
Yc0C4jePYreTGI6p7/H3AFv84o0fjHt5fn4GpT1Xgfg+1X/wmIv7iNQtljCjAqhD
6XN+QiOAYAloAym8lOm9zOoCDv1TSDpmeyeP0rNV95OozsmFAUaKSUcUFBUfq9FL
uyr+rJZQw2DPfq2wE75PtOyJiZH7zljCh12fp5yrNx6L7HSqwwuG7vGO4f0ltYOZ
dPKzaEhCOO7o108RexdNABEBAAG0Rldpa2lMZWFrcyBFZGl0b3JpYWwgT2ZmaWNl
IEhpZ2ggU2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBLZXkgKDIwMjEtMjAyNCmJBDEE
EwEKACcFAmBjDtICGwMFCQWjmoAFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ
nG3NFyg+RUzRbh+eMSKgMYOdoz70u4RKTvev4KyqCAlwji+1RomnW7qsAK+l1s6b
ugOhOs8zYv2ZSy6lv5JgWITRZogvB69JP94+Juphol6LIImC9X3P/bcBLw7VCdNA
mP0XQ4OlleLZWXUEW9EqR4QyM0RkPMoxXObfRgtGHKIkjZYXyGhUOd7MxRM8DBzN
yieFf3CjZNADQnNBk/ZWRdJrpq8J1W0dNKI7IUW2yCyfdgnPAkX/lyIqw4ht5UxF
VGrva3PoepPir0TeKP3M0BMxpsxYSVOdwcsnkMzMlQ7TOJlsEdtKQwxjV6a1vH+t
k4TpR4aG8fS7ZtGzxcxPylhndiiRVwdYitr5nKeBP69aWH9uLcpIzplXm4DcusUc
Bo8KHz+qlIjs03k8hRfqYhUGB96nK6TJ0xS7tN83WUFQXk29fWkXjQSp1Z5dNCcT
sWQBTxWxwYyEI8iGErH2xnok3HTyMItdCGEVBBhGOs1uCHX3W3yW2CooWLC/8Pia
qgss3V7m4SHSfl4pDeZJcAPiH3Fm00wlGUslVSziatXW3499f2QdSyNDw6Qc+chK
hUFflmAaavtpTqXPk+Lzvtw5SSW+iRGmEQICKzD2chpy05mW5v6QUy+G29nchGDD
rrfpId2Gy1VoyBx8FAto4+6BOWVijrOj9Boz7098huotDQgNoEnidvVdsqP+P1RR
QJekr97idAV28i7iEOLd99d6qI5xRqc3/QsV+y2ZnnyKB10uQNVPLgUkQljqN0wP
XmdVer+0X+aeTHUd1d64fcc6M0cpYefNNRCsTsgbnWD+x0rjS9RMo+Uosy41+IxJ
6qIBhNrMK6fEmQoZG3qTRPYYrDoaJdDJERN2E5yLxP2SPI0rWNjMSoPEA/gk5L91
m6bToM/0VkEJNJkpxU5fq5834s3PleW39ZdpI0HpBDGeEypo/t9oGDY3Pd7JrMOF
zOTohxTyu4w2Ql7jgs+7KbO9PH0Fx5dTDmDq66jKIkkC7DI0QtMQclnmWWtn14BS
KTSZoZekWESVYhORwmPEf32EPiC9t8zDRglXzPGmJAPISSQz+Cc9o1ipoSIkoCCh
2MWoSbn3KFA53vgsYd0vS/+Nw5aUksSleorFns2yFgp/w5Ygv0D007k6u3DqyRLB
W5y6tJLvbC1ME7jCBoLW6nFEVxgDo727pqOpMVjGGx5zcEokPIRDMkW/lXjw+fTy
c6misESDCAWbgzniG/iyt77Kz711unpOhw5aemI9LpOq17AiIbjzSZYt6b1Aq7Wr
aB+C1yws2ivIl9ZYK911A1m69yuUg0DPK+uyL7Z86XC7hI8B0IY1MM/MbmFiDo6H
dkfwUckE74sxxeJrFZKkBbkEAQRgYw7SAR+gvktRnaUrj/84Pu0oYVe49nPEcy/7
5Fs6LvAwAj+JcAQPW3uy7D7fuGFEQguasfRrhWY5R87+g5ria6qQT2/Sf19Tpngs
d0Dd9DJ1MMTaA1pc5F7PQgoOVKo68fDXfjr76n1NchfCzQbozS1HoM8ys3WnKAw+
Neae9oymp2t9FB3B+To4nsvsOM9KM06ZfBILO9NtzbWhzaAyWwSrMOFFJfpyxZAQ
8VbucNDHkPJjhxuafreC9q2f316RlwdS+XjDggRY6xD77fHtzYea04UWuZidc5zL
VpsuZR1nObXOgE+4s8LU5p6fo7jL0CRxvfFnDhSQg2Z617flsdjYAJ2JR4apg3Es
G46xWl8xf7t227/0nXaCIMJI7g09FeOOsfCmBaf/ebfiXXnQbK2zCbbDYXbrYgw6
ESkSTt940lHtynnVmQBvZqSXY93MeKjSaQk1VKyobngqaDAIIzHxNCR941McGD7F
qHHM2YMTgi6XXaDThNC6u5msI1l/24PPvrxkJxjPSGsNlCbXL2wqaDgrP6LvCP9O
uooR9dVRxaZXcKQjeVGxrcRtoTSSyZimfjEercwi9RKHt42O5akPsXaOzeVjmvD9
EB5jrKBe/aAOHgHJEIgJhUNARJ9+dXm7GofpvtN/5RE6qlx11QGvoENHIgawGjGX
Jy5oyRBS+e+KHcgVqbmV9bvIXdwiC4BDGxkXtjc75hTaGhnDpu69+Cq016cfsh+0
XaRnHRdh0SZfcYdEqqjn9CTILfNuiEpZm6hYOlrfgYQe1I13rgrnSV+EfVCOLF4L
P9ejcf3eCvNhIhEjsBNEUDOFAA6J5+YqZvFYtjk3efpM2jCg6XTLZWaI8kCuADMu
yrQxGrM8yIGvBndrlmmljUqlc8/Nq9rcLVFDsVqb9wOZjrCIJ7GEUD6bRuolmRPE
SLrpP5mDS+wetdhLn5ME1e9JeVkiSVSFIGsumZTNUaT0a90L4yNj5gBE40dvFplW
7TLeNE/ewDQk5LiIrfWuTUn3CqpjIOXxsZFLjieNgofX1nSeLjy3tnJwuTYQlVJO
3CbqH1k6cOIvE9XShnnuxmiSoav4uZIXnLZFQRT9v8UPIuedp7TO8Vjl0xRTajCL
PdTk21e7fYriax62IssYcsbbo5G5auEdPO04H/+v/hxmRsGIr3XYvSi4ZWXKASxy
a/jHFu9zEqmy0EBzFzpmSx+FrzpMKPkoU7RbxzMgZwIYEBk66Hh6gxllL0JmWjV0
iqmJMtOERE4NgYgumQT3dTxKuFtywmFxBTe80BhGlfUbjBtiSrULq59np4ztwlRT
wDEAVDoZbN57aEXhQ8jjF2RlHtqGXhFMrg9fALHaRQARAQABiQQZBBgBCgAPBQJg
Yw7SAhsMBQkFo5qAAAoJEJxtzRcoPkVMdigfoK4oBYoxVoWUBCUekCg/alVGyEHa
ekvFmd3LYSKX/WklAY7cAgL/1UlLIFXbq9jpGXJUmLZBkzXkOylF9FIXNNTFAmBM
3TRjfPv91D8EhrHJW0SlECN+riBLtfIQV9Y1BUlQthxFPtB1G1fGrv4XR9Y4TsRj
VSo78cNMQY6/89Kc00ip7tdLeFUHtKcJs+5EfDQgagf8pSfF/TWnYZOMN2mAPRRf
fh3SkFXeuM7PU/X0B6FJNXefGJbmfJBOXFbaSRnkacTOE9caftRKN1LHBAr8/RPk
pc9p6y9RBc/+6rLuLRZpn2W3m3kwzb4scDtHHFXXQBNC1ytrqdwxU7kcaJEPOFfC
XIdKfXw9AQll620qPFmVIPH5qfoZzjk4iTH06Yiq7PI4OgDis6bZKHKyyzFisOkh
DXiTuuDnzgcu0U4gzL+bkxJ2QRdiyZdKJJMswbm5JDpX6PLsrzPmN314lKIHQx3t
NNXkbfHL/PxuoUtWLKg7/I3PNnOgNnDqCgqpHJuhU1AZeIkvewHsYu+urT67tnpJ
AK1Z4CgRxpgbYA4YEV1rWVAPHX1u1okcg85rc5FHK8zh46zQY1wzUTWubAcxqp9K
1IqjXDDkMgIX2Z2fOA1plJSwugUCbFjn4sbT0t0YuiEFMPMB42ZCjcCyA1yysfAd
DYAmSer1bq47tyTFQwP+2ZnvW/9p3yJ4oYWzwMzadR3T0K4sgXRC2Us9nPL9k2K5
TRwZ07wE2CyMpUv+hZ4ja13A/1ynJZDZGKys+pmBNrO6abxTGohM8LIWjS+YBPIq
trxh8jxzgLazKvMGmaA6KaOGwS8vhfPfxZsu2TJaRPrZMa/HpZ2aEHwxXRy4nm9G
Kx1eFNJO6Ues5T7KlRtl8gflI5wZCCD/4T5rto3SfG0s0jr3iAVb3NCn9Q73kiph
PSwHuRxcm+hWNszjJg3/W+Fr8fdXAh5i0JzMNscuFAQNHgfhLigenq+BpCnZzXya
01kqX24AdoSIbH++vvgE0Bjj6mzuRrH5VJ1Qg9nQ+yMjBWZADljtp3CARUbNkiIg
tUJ8IJHCGVwXZBqY4qeJc3h/RiwWM2UIFfBZ+E06QPznmVLSkwvvop3zkr4eYNez
cIKUju8vRdW6sxaaxC/GECDlP0Wo6lH0uChpE3NJ1daoXIeymajmYxNt+drz7+pd
jMqjDtNA2rgUrjptUgJK8ZLdOQ4WCrPY5pP9ZXAO7+mK7S3u9CTywSJmQpypd8hv
8Bu8jKZdoxOJXxj8CphK951eNOLYxTOxBUNB8J2lgKbmLIyPvBvbS1l1lCM5oHlw
WXGlp70pspj3kaX4mOiFaWMKHhOLb+er8yh8jspM184=
=5a6T
-----END PGP PUBLIC KEY BLOCK-----

		

Contact

If you need help using Tor you can contact WikiLeaks for assistance in setting it up using our simple webchat available at: https://wikileaks.org/talk

If you can use Tor, but need to contact WikiLeaks for other reasons use our secured webchat available at http://wlchatc3pjwpli5r.onion

We recommend contacting us over Tor if you can.

Tor

Tor is an encrypted anonymising network that makes it harder to intercept internet communications, or see where communications are coming from or going to.

In order to use the WikiLeaks public submission system as detailed above you can download the Tor Browser Bundle, which is a Firefox-like browser available for Windows, Mac OS X and GNU/Linux and pre-configured to connect using the anonymising system Tor.

Tails

If you are at high risk and you have the capacity to do so, you can also access the submission system through a secure operating system called Tails. Tails is an operating system launched from a USB stick or a DVD that aim to leaves no traces when the computer is shut down after use and automatically routes your internet traffic through Tor. Tails will require you to have either a USB stick or a DVD at least 4GB big and a laptop or desktop computer.

Tips

Our submission system works hard to preserve your anonymity, but we recommend you also take some of your own precautions. Please review these basic guidelines.

1. Contact us if you have specific problems

If you have a very large submission, or a submission with a complex format, or are a high-risk source, please contact us. In our experience it is always possible to find a custom solution for even the most seemingly difficult situations.

2. What computer to use

If the computer you are uploading from could subsequently be audited in an investigation, consider using a computer that is not easily tied to you. Technical users can also use Tails to help ensure you do not leave any records of your submission on the computer.

3. Do not talk about your submission to others

If you have any issues talk to WikiLeaks. We are the global experts in source protection – it is a complex field. Even those who mean well often do not have the experience or expertise to advise properly. This includes other media organisations.

After

1. Do not talk about your submission to others

If you have any issues talk to WikiLeaks. We are the global experts in source protection – it is a complex field. Even those who mean well often do not have the experience or expertise to advise properly. This includes other media organisations.

2. Act normal

If you are a high-risk source, avoid saying anything or doing anything after submitting which might promote suspicion. In particular, you should try to stick to your normal routine and behaviour.

3. Remove traces of your submission

If you are a high-risk source and the computer you prepared your submission on, or uploaded it from, could subsequently be audited in an investigation, we recommend that you format and dispose of the computer hard drive and any other storage media you used.

In particular, hard drives retain data after formatting which may be visible to a digital forensics team and flash media (USB sticks, memory cards and SSD drives) retain data even after a secure erasure. If you used flash media to store sensitive data, it is important to destroy the media.

If you do this and are a high-risk source you should make sure there are no traces of the clean-up, since such traces themselves may draw suspicion.

4. If you face legal action

If a legal action is brought against you as a result of your submission, there are organisations that may help you. The Courage Foundation is an international organisation dedicated to the protection of journalistic sources. You can find more details at https://www.couragefound.org.

WikiLeaks publishes documents of political or historical importance that are censored or otherwise suppressed. We specialise in strategic global publishing and large archives.

The following is the address of our secure site where you can anonymously upload your documents to WikiLeaks editors. You can only access this submissions system through Tor. (See our Tor tab for more information.) We also advise you to read our tips for sources before submitting.

http://ibfckmpsmylhbfovflajicjgldsqpc75k5w454irzwlh7qifgglncbad.onion

If you cannot use Tor, or your submission is very large, or you have specific requirements, WikiLeaks provides several alternative methods. Contact us to discuss how to proceed.


United Nations International Criminal Tribunal for the Former Yugoslavia: Audit of ICTY Information Technology Management (AA2004-270-01), 1 Mar 2005

From WikiLeaks

Jump to: navigation, search

Donate to WikiLeaks

Unless otherwise specified, the document described here:

  • Was first publicly revealed by WikiLeaks working with our source.
  • Was classified, confidential, censored or otherwise withheld from the public before release.
  • Is of political, diplomatic, ethical or historical significance.

Any questions about this document's veracity are noted.

The summary is approved by the editorial board.

See here for a detailed explanation of the information on this page.

If you have similar or updated material, see our submission instructions.

Contact us

Press inquiries

Follow updates

Release date
January 12, 2009

Summary

United Nations Office of Internal Oversight Services (UN OIOS) 1 Mar 2005 report titled "Audit of ICTY Information Technology Management [AA2004-270-01]" relating to the International Criminal Tribunal for the Former Yugoslavia. The report runs to 23 printed pages.

Note
Verified by Sunshine Press editorial board

Download

File | Torrent | Magnet

Further information

Context
International organization
United Nations Office of Internal Oversight Services
Authored on
March 1, 2005
File size in bytes
402297
File type information
PDF
Cryptographic identity
SHA256 505285a17673a0c74e95e892be3bffeaa64a15d4e733291b49f6a72b95a29d20


Simple text version follows

        UNITED NATIONS                                          NATIONS UNIES


                            Office of Internal Oversight Services
                                 Internal Audit Division II

Reference: AA � ICTY (005/05)                             01 March 2005

TO:              Mr. Hans Holthuis, Registrar
                 International Criminal Tribunal for the Former Yugoslavia
FROM:            Egbert Kaltenbach, Director
                 Internal Audit Division II, Office of Internal Oversight Services (OIOS)
SUBJECT:         OIOS Audit of ICTY Information Technology Management
                 (AA2004/270/01)


1. I am pleased to submit the final report on the OIOS audit of ICTY Information Technology
(IT) Management, which was conducted during June and October 2004, by Bharat B. Manocha
and June Tan, in The Hague, Netherlands. A draft of the report was shared with the Chief
Administrative Officer in December 2004 whose comments, which were received on 18 January
2005 and further clarifications on 9 February 2005, are reflected in the final report.

2. I am pleased to note that most of the audit recommendations contained in this final report
have been accepted and that ICTY has initiated their implementation. The table in paragraph 51
of the report identifies those recommendations, which require further action to be closed. I wish
to draw to your attention that OIOS considers recommendations 1, 2, 3, 4, 6, 7, and 8 as being
of critical importance.

3. I would appreciate it if you could provide Mr Manocha, the ICTY resident auditor, with an
update on the status of implementation of the audit recommendations not later than 30 October
2005.

4. Please note that OIOS is assessing the overall quality of its audit process. I therefore
request that you consult with your managers who dealt directly with the auditors, complete the
attached client satisfaction survey form and return it to me under confidential cover.

5. I would like to take this opportunity to thank you and your staff for the assistance and
cooperation extended to the audit team.

Attachments: Final Report and Client Satisfaction Survey Form

Copy:    Mr. Kevin St. Louis, Chief Administrative Officer, ICTY (by e-mail)
         Mr. David Falces, Chief, ITSS, ICTY (by e-mail)
         Mr. S. Goolsarran, Executive Secretary, UN Board of Auditors (by e-mail)
         Mr. C. F. Bagot, Chief Nairobi Audit Section, IAD II/OIOS (by e-mail)
         Mr. M Tapio, Programme Officer, OUSG, OIOS (by e-mail)
         Mr. B B. Manocha, Resident Auditor (by email)
         Ms. L. Kiarie, Auditing Assistant (by e-mail)


-----------------------------------------------------------------------------------------

             United Nations
   Office of Internal Oversight Services

        Internal Audit Division II




  AUDIT REPORT

AUDIT OF ICTY INFORMATION TECHNOLOGY
             MANAGEMENT
              (AA2004/270/01)




         Report date: 01 March 2005

               Auditors:   Bharat B. Manocha
                           Hui Ming June Tan


-----------------------------------------------------------------------------------------

     UNITED NATIONS                                                  NATIONS UNIES


                            Office of Internal Oversight Services
                                 Internal Audit Division II

 OIOS AUDIT OF ICTY INFORMATION TECHNOLOGY MANAGEMENT
                                 (AA2004/270/01)
                           EXECUTIVE SUMMARY

From June to October 2004, OIOS conducted an audit to assess the adequacy of ICTY's
arrangements for Information Technology (IT) Management. The total expenditure was
approximately US$18 million in 2002-2003. OIOS concluded that ICTY had given insufficient
attention to the nature and type of IT services that would be required for the completion strategy
and that it needed to strengthen its arrangements to get maximum leverage out of its investment in
IT as described in more detail below.

                                         Governance
At the time of the audit, ICTY did not have an effective governance mechanism for oversight of
IT activities. ICTY needed to establish an Information and Communications Technology
Committee to comply with ST/SGB/2003/17 and to ensure effective coordination and prevent
overlapping between different organs of the Tribunal. OIOS is pleased to note that ICTY
established the Committee in August 2004.
                                    Planning and Monitoring
To ensure that ICTY has the right level and type of services to meet the challenges of the
completion strategy, OIOS recommended that ICTY formulate an IT strategy, which should be
supported by a long range plan covering the remaining period of the completion strategy and short
range plans.     These would provide a basis for: allocating and monitoring resources;
communicating to interested parties how the IT strategy will be delivered; and demonstrating how
IT activities have been prioritised to meet the Tribunal's needs. OIOS is pleased to note that
ICTY management and the ICT Committee have supported the creation of a strategy.

Whilst ITSS had developed tools to monitor some of its services, there was no overall monitoring
framework in place to apprise senior management how IT resources were being used to meet their
needs. OIOS recommended the creation of such a framework covering targets and performance
indicators, the use of monitoring tools (including customer satisfaction surveys), whom to report
and what to report.

                                     Organizational Structure
ICTY had not undertaken an analysis how and in what way current IT support might change as a
consequence of ICTY downsizing its activities as it nears its completion date. OIOS
recommended such an exercise be carried out which should consider: cost effectiveness of
outsourcing compared to maintaining resources in house; the merger / reorganisation of units as a
consequence of reducing work load; and, whether ITSS should continue to maintain and support
all current projects and applications or whether some could be discontinued to save costs.




                                         2


-----------------------------------------------------------------------------------------

                                   Application Development
ICTY needed to undertake a review of the type and nature of application development needed
over the remaining life of ICTY. If a need for major application development was identified,
OIOS further recommended a review of the existing methodology, which should include the
creation of a Project Selection Committee.

                                              Training
There was no assurance that the IT training provided had added value since training was
conducted based on historical trends and not on training needs analysis and there was no
evaluation if training had improved staff efficiency. There was also substantial scope for
improving utilization of training resources, as staff were performing tasks not required.

                                       Inventory Management
There was no assurance that all ICT assets assigned to ITSS were properly accounted for. Some
200 assets with an acquisition value of US$380,000 were reported to be missing or lost in 2003.
The reasons adduced for these losses reinforced OIOS assessment that ITSS needed to take urgent
additional steps to comply with ST/AI/374 and to safeguard its assets. Certain of these matters
have been referred to OIOS Investigations Division for their consideration and work was ongoing
at the time this final report was issued.

ICTY commented that the report was balanced and fair in the issues that it did present. Although
not generally part of the format of this type of report, ICTY would have appreciated some
discussion of the calibre of services which ITSS provides to the Tribunal, as in general it is
believed that they are considered as being an important and productive partner in helping the
organisation achieve its mandate. OIOS appreciates the comments and would like to thank ICTY
for the excellent co-operation received in the conduct of this audit, and the positive response it
received to the issues raised. OIOS is fully supportive and adheres to the concept of positive
reporting and would like to recognise the important role played by ITSS. No specific conclusion
was drawn on the quality of services provided by ITSS because the focus of the audit was on the
overall management of IT, and part played by ITSS, which is commented upon extensively
throughout the report.
                                                                   February 2005




                                         3


-----------------------------------------------------------------------------------------

                                TABLE OF CONTENTS

CHAPTER                                                                 Paragraphs

 I.    INTRODUCTION                                                        1- 4
 II.   AUDIT OBJECTIVES                                                      5
III.   AUDIT SCOPE AND METHODOLOGY                                           6
IV.    AUDIT FINDINGS AND RECOMMENDATIONS                                  7 - 50
       A. Governance                                                       7�8
            (a) Information and Communications Technology (ICT)            7�8
                Committee
       B. Planning                                                        9 � 12
            (a) IT strategy                                               9 � 11
            (b) Long and short term planning                                12
       C. Monitoring IT activities                                        13 � 15
       D. Organisation Structure                                          16 � 24
            (a) Integration of SDU with ITSS                              16 - 19
            (b) Organization and management of IT support                 20 - 22
            (c) Management span of control within Operations Unit         23 - 24
       E. Application Development Methodology                             25 � 28
       F. IT Training                                                     29 - 30
       G. Contract Management                                             31 - 36
                (a) Management of repair and maintenance contracts        31 � 32
                (b) Services not included in the contract                   33
                (c) Controls over repair and maintenance of equipment     34 � 36
       H. Asset Management                                                37 - 50
                (a) Monitoring of ICT assets                              37 - 40
                (b) Procurement and management of ICT assets              41 � 42
                (c) Loss of ICT assets                                    43 � 50
 V.    FURTHER ACTIONS REQUIRED ON RECOMMENDATIONS                          51
VI.    ACKNOWLEDGEMENT                                                      52


-----------------------------------------------------------------------------------------

                              I.   INTRODUCTION

1.      This report discusses the results of an OIOS audit of ICTY Information
Technology (IT) Management. The audit was carried out between June and October
2004 in accordance with the International Standards for the Professional Practice of
Internal Auditing.

2.     Information Technology Support Section (ITSS), a section under the ICTY
Registry, is responsible for providing Information and Communication Technology
(ICT) services to all the three organs in ICTY; Registry, Chambers and Office of the
Prosecutor (OTP). ITSS comprises five units: Development Unit, Operations Unit,
Training Unit, Systems Development Unit (SDU) and the Office of the Chief ITSS.
As at October 2004 ITSS had 71 staff [13 Professional (P) and 58 General Service
(GS)]. The Chief, ITSS reports to the Chief Administrative Officer, Registry.

3.      IT related expenditure for both staff and IT non staff items were as follows
Table 1: Total IT costs in ICTY (US$ in'000)
Description                        Total expenditure        Budget for
                                      2002-2003             2004 -2005
Staffing costs (Note 1)                  7,753                 7,213
Non staffing costs (Note 2)             10,419                 9,444
Total IT costs in ICTY                  18,172                16,657
Note 1: Staffing costs for 2002-2003 were based on staffing levels in ITSS and SDU as at 31
       December 2003 multiplied by the standard salary costs for ICTY. Staffing costs for 2004-
       2005 were based on the ITSS regular budget-staffing table for the current biennium and the
       11 posts from OTP transferred to ITSS during 2004, multiplied by standard salary costs for
       ICTY.
Note 2: Total expenditure certified by the Chief, ITSS during the biennium 2002-2003, as per ICTY
       accounting records.

4.    A draft of the report was shared with the ICTY, Chief Administrative Officer
(CAO) in December 2004 whose comments, were received on 18 January 2005.
ICTY provided further clarification/correction of their response on 09 February
2005. The responses have been reflected in this final report.


                          II. AUDIT OBJECTIVES

5.     The overall objective of the audit was to provide the ICTY Registrar with an
assessment of the adequacy of ICTY's arrangements for management of IT. This
included assessing:

          a) The IT governance and planning framework;
          b) IT activities undertaken by ITSS and the adequacy of the arrangements
          for identification and oversight of these activities; and,
          c) Whether IT activities were being carried out in compliance with UN
          Regulations and Rules;




                                               1


-----------------------------------------------------------------------------------------

                    III.    AUDIT SCOPE AND METHODOLOGY

6.      The audit focused on the adequacy of arrangements for managing IT, in
particular, ITSS activities during January 2002 to September 2004. It excluded
communications. The audit included a review and assessment of internal control
systems, interviews with staff, analysis of applicable data and a review of the
available documents and other relevant records.


              IV.          AUDIT FINDINGS AND RECOMMENDATIONS

                                       A. Governance

(a) ICTY Information and Communications Technology (ICT) Committee

7.      ST/SGB/2003/17 dealing with the Information and Communications
Technology Board (ICTB) directed that all Departments and Offices Away from
Headquarters (OAH) create internal or local information and technology groups or
committees following the pattern of the ICTB whose responsibilities would be to
ensure;

   a) Departmental strategies are aligned with the overall objectives of the
      Secretariat;
   b) Information on departmental systems, resources and assets is maintained and
      updated on a regular basis;
   c) Existing systems are reviewed to confirm their cost effectiveness; and
   d) Standard methodologies are developed and consistently used for ICT
      projects.

8.      ICTY did not establish an Information and Communications Technology
(ICT) Committee as required. While Chief, ITSS had established an informal
working group to discuss requirements and share information within the three
organs, it was not formally constituted and did not have the mandate to take
decisions. Consequently, the working group could not provide an effective substitute
for the ICT Committee. In the absence of such a committee, there was limited
coordination within the three organs leading to duplication of effort across ICTY,
inconsistent systems being used and an inability to transfer some information
between the various systems. At the time of the audit, Chief, ITSS informed the
audit team that ICTY was in the process of establishing an ICTY ICT Committee
along the lines required by ST/SGB/2003/17. ICTY commented that as from 23
August 2004 the Tribunal had established the local ICT Committee in accordance
with the referenced Secretary General's Bulletin. Membership of the Committee has
been strategically determined so that senior management from all of the organs of
the organization are well represented. In view of this additional information, no
recommendation is raised.




                                         2


-----------------------------------------------------------------------------------------

                                         B. Planning

(a) IT strategy

9.      General Assembly (GA) resolution 57/304 of 16 May 2003 welcomed the
significant step the UN ICT strategy (A/57/620 dated 20 November 2002)
represented in developing a strategic framework to further guide the development of
ICT within the UN and requested that the IT requirements for the various duty
stations be fully integrated into the strategy.

10.     In the opinion of OIOS, the above meant that ICTY needed to create its own
IT strategy document, which included those elements of the UN ICT strategy
applicable to ICTY, and included any other specific ICT issues relevant to it. At the
time of the audit, ITSS did not have an ICTY IT strategy. While ITSS had a budget
document outlining resources required, in the opinion of OIOS, this is not a
substitute for a strategy document explaining how IT will support achievement of the
ICTY mandate, and the completion strategy. The absence of such a strategy is also
seen as a contributory factor to other findings made in this report.

       Recommendation:

                To ensure compliance with A/57/620 (the UN ICT strategy)
        and to assist ICTY in optimising its resources for achievement of
        the completion strategy, the ICTY Information and
        Communications Technology Committee should oversee the
        creation and implementation of an ICTY Information Technology
        strategy document (Rec. 01).

11.     ICTY commented that it agrees with this recommendation, as do the members
of the local ICT Committee. The draft strategy will be presented for review and
comment at the next meeting of the Committee, which will be held in early February.
OIOS welcomes and supports the proposed initiative and will close the
recommendation upon receipt and review of the ICTY Information Technology
strategy document.

(b) Long and short term planning

12.     ITSS had a work plan for 2003�2004 that described goals to be achieved. At
the time of the audit, this plan had not been updated for 2004-2005 to include the
more recent challenges facing ICTY such as the financial uncertainty and the need to
serve OTP after the merger of the Systems Development Unit (SDU) with ITSS. In
the view of OIOS, there also needed to be consideration of the type and nature of IT
short and long-range plans required to link with the biennium work plans. These
types of plans are important because they provide a basis for: allocating and
monitoring use of resources; communicating to interested parties, how the IT
strategy will be delivered; and demonstrating how IT activities have been prioritised
to meet the ICTY's needs. This is considered especially important to ensure that IT
resources are correctly matched with the aims and objectives of the completion
strategy. ICTY commented that this will be implemented via the ICT Committee's IT
strategy, the associated detailed programmes of work, and ITSS' use of project

                                         3


-----------------------------------------------------------------------------------------

management discipline. Since ITSS work activities are structured around the
requirements of the substantive and support offices, appropriate budget planning
guidance will be prepared and disseminated to all parties as part of the budget
process of the 2006-2007 biennium. In view of this additional information, no
recommendation is raised.

                                 C. Monitoring IT activities

13.    In the opinion of OIOS, Registry had a responsibility to ensure that ICTY had
a monitoring framework in place to apprise senior management of the three organs
how IT resources were being used to meet their needs.

14.     ITSS, who were responsible for monitoring IT, had implemented software to
monitor some of the IT services provided. However, monitoring activities were not
being undertaken in the context of any approved monitoring framework or supported
by any customer satisfaction surveys. There was also an absence of monitoring
information such as targets and performance indicators and hence ITSS was not in a
position to assess the impact of services provided or to demonstrate the adequacy of
resources as explained below:

   a) ITSS could not assess if the Development Unit (DU) completed projects on
     schedule or experienced time and cost overruns;
   b) There was no evaluation if the projects developed by DU delivered the
     planned benefits;
   c) There was limited monitoring of resources deployed in SDU during the
     period 01 April to 30 September 2004.
   d) The training capacity was not fully utilized (the average fill rate being 55
     percent). The ITSS Training Unit did not conduct any evaluation to ascertain
     the reason for low fill rates.

        Recommendation:

               To ensure that ICTY is able to leverage the maximum
        benefit from Information Technology implemented and to meet
        programmatic needs, Chief, Information Technology Service
        Section should develop a monitoring framework that should be
        approved by the ICTY Information and Communications
        Technology Committee (Rec. 02).

15.     ICTY commented that it agreed with the recommendation and added that.
"we strongly believe that the central setting of standards by ITSD/HQ, would save us
and other non-HQ offices from reinventing the wheel. The setting of standards by
each individual UN office, gives none of us the benefits and efficiencies of a
centralised standard by which to compare ourselves with. I intend to raise the issue
with ITSD to see if such standards exist and if they can assist us with providing
guidelines, methodology and/or other pertinent information". OIOS appreciates the
response and will close the recommendation upon notification of the implementation
of the monitoring framework.




                                         4


-----------------------------------------------------------------------------------------

                                 D. Organisation Structure

(a) Integration of SDU with ITSS

16.     As part of the implementation of an OIOS recommendation in its audit of
Office of the Prosecutor (OTP) (Review of the Office of the Prosecutor at the
International Criminal Tribunals for Rwanda and former Yugoslavia A/58/677), OTP
transferred the Systems Development Unit of OTP (SDU), comprising 10 staff, to
ITSS on 31 March 2004. OIOS expected that ITSS would have undertaken advance
planning to determine how to maximise the benefits of this transfer, in particular
whether there would be synergies and savings through a merger with similar units
within ITSS. No merger took place, the OTP staff continuing to operate as a separate
unit until September 2004. In OIOS's opinion, a merger could save at least one post,
the Head of SDU (P3), with a potential saving of approximately US$240,000 per
biennium. ITSS has yet to realize these potential savings.

17.    ICTY pointed out some of the concrete steps it had taken in the period April
through August 2004:
    � The SDU was fully integrated in with the human resources administration of
    the rest of the Section.
    � Uptake meetings were held with incoming staff to determine their personal and
    professional objectives.
    � Extensive discovery exercises were undertaken to determine the scope of SDU
    duties and responsibilities.
    � An analysis was done to determine how if at all, the SDU and ITSS processes
    mapped onto each other's existing organisational structures.
    � In recognition of the major differences in culture and mission between the two
    organisations, careful moves were made to ensure that all parties were
    adequately consulted. This process was hailed by the Staff Union as a model by
    which other sections could seek to pre-empt conflict and discord.


18.     OIOS thanks ICTY for the clarification, but would like to emphasize that to
maximise the benefits of the merger, action could have been taken earlier. This
would have enabled ITSS to share staff and other resources with SDU to provide a
better service to OTP.

        Recommendation:

                To maximise savings from the transfer of IT staff from the
        Office of the Prosecutor to ITSS, Chief, Information Technology
        Service Section, ICTY should review the possible integration of
        these staff within existing ITSS units with the potential saving of
        one P-3 post, approximately US$240,000 per biennium (Rec. 03).

19.    ICTY agreed that the functions of the SDU manager were no longer
required, but ICTY may need to redeploy the actual post to cover the newly emerging
functions, which are an organisational governance obligation (SG/SGB/2003/17).
                                         5


-----------------------------------------------------------------------------------------

OIOS appreciates the response and will close the recommendation upon receipt of
documentation that the post has been abolished and / or documentation explaining
the re-use of the post, including the revised classified job description.

(b) Organisation and management of IT Support

20.     OIOS expected that ICTY would have analysed how and in what way current
IT support might change as a consequence of ICTY downsizing its activities as it
nears its completion date; for example the closure of field offices and reduction of
activities in ICTY headquarters. Chief, ITSS explained that no such analysis had
been requested or had taken place so far. OIOS is of the opinion that the following
analysis is urgently needed to provide senior management with an understanding of
the options for the provision of IT support over the remaining life of ICTY:

   a) Analysis of when it is more cost effective to outsource than to maintain
      resources in house � for example, OIOS is pleased to note that repairs and
      maintenance have already been outsourced. However, OIOS is of opinion
      that services such as help desk and application development have potential to
      be outsourced.
   b) Analysis of which units may need to be merged or reorganised as a
      consequence of reducing workload. For example, it appears as if the
      workload of Workshop and Audio Visual Unit has already reached a point
      where merger should be considered.
   c) Analysis of the changing nature and functions of management required as a
      consequence of reorganisation, integration, and outsourcing. For example,
      whether ITSS should continue to maintain and support all projects /
      applications currently supported or some of these can be discontinued to save
      costs.

       Recommendation:

                To assist in determining the optimum utilization of
        resources for Information Technology support over the remaining
        life of ICTY, Chief, Information Technology Service Section
        should submit a paper to the Information and Communication
        Technology Committee outlining: whether it is more cost effective
        to outsource than to maintain resources in house; a strategy for
        merging / reorganising units as a consequence of reducing work
        load; and, whether ITSS should continue to maintain and support
        all current projects / applications or some could be discontinued to
        save costs (Rec. 04).

21.     ICTY commented that "contrary to OlOS assertion that nearing the
completion equates to a significant reduction in activity, ICTY management would
like to observe that while the activities associated with investigations are being
reduced, the completion strategy calls for the Tribunal to operate at full capacity
until trials-in-chief are completed at the end of 2008... support of field offices and
field activities has already been optimised. Consequently, due to the efficiency with
which the offices are already supported, a reduction in the number and functioning
of the offices would not result in significant associated reductions in staffing. Back
at the Headquarters in The Hague, the ICTY management has determined that there

                                          6


-----------------------------------------------------------------------------------------

will be only minor reduction of activity through 2008. As only minor staff reductions
are anticipated, specific critical milestones such as the closure of the Annex and
Administration buildings, which would have an impact on IT support as well as other
administrative support, are now not deemed plausible until end of 2007. Similarly,
until the ICT Board can and does prioritise the outstanding IT projects, it would be
premature for ITSS to independently initiate an analysis. It would make more sense
to first determine the priorities and set forth a timeframe for completion. ITSS can
then set forth to determine appropriate staffing levels as the Organization downsizes.
Having noted this, it should be made clear that ITSS has already invested significant
effort in investigating the principle and practice of outsourcing over the last
years...Finally returning to the matter of presumed workload decreases, it is ICTY
Administration's opinion that as the ICTY has matured, so its staff and management
team have increasingly viewed the IT component as a means of developing further
efficiencies and innovations...ICTY management is fully aware that not all the
current backlog of projects can or should be undertaken. But this is exactly the
reason why ICTY intends to submit each project to a HLBC review so that it can be
determined whether such projects will reap a suitable benefit as we near the
completion of the ICTY mandate. It seems that the workload is chiefly determined
not by the raw numbers of staff or by the number of physical facilities, but by the
number, complexity and criticality of systems deployed".

22.      ICTY concluded that "in general however the proposal that ITSS continue to
review, with the involvement of the ICT Committee, the opportunities for
outsourcing, merger, reorganization and system discontinuation is sound, and ICTY
Management fully supports this recommendation". OIOS notes the response and
will close the recommendation upon receipt of a strategy paper to the ICT Committee
outlining whether it is more cost effective to outsource than to maintain resources in-
house; a strategy for merging / reorganising units as a consequence of reducing work
load; and, whether ITSS should continue to maintain and support all current
projects/applications or some could be discontinued to save costs and the decision of
the ICT committee.

(c) Management span of control within Operations Unit

23.     While the Head, Operations Unit (P-4) supervised approximately 50 GS staff,
the P-2 supervised 7 GS staff, and the P-3 did not have any direct supervisory
responsibility as he was entrusted with recruitment, procurement and implementing
special projects such as the OTP Evidence Digitizing Project. Activity in the areas
supervised by the P-3 has decreased because of the cash flow crisis and the
completion strategy. In view of this and the wide span of control of the P-4, OIOS is
of the opinion that the Operations Unit should be restructured to assign additional
supervision responsibilities to the two professional staff in the Unit.

         Recommendation:

                 To improve the management span of control within the
         Operational Unit, Chief, Information Technology Service Section,
         ICTY should review and restructure management responsibility for
         staff between the professional grades (Rec. 05).



                                          7


-----------------------------------------------------------------------------------------

24.     ICTY commented that ITSS is currently considering a re-vamp of the
organizational structure of the Section and the concerns noted by OIOS will be taken
into account at the time of the reorganization. OIOS thanks ICTY for the prompt
action taken and will close the recommendation upon receipt and review of a copy of
the new organisational structure, which deals with issue of the span of control within
the Operational Unit.

                          E. Application Development Methodology

25.     Given the limited life span and the financial crisis facing ICTY at the time of
the audit, OIOS expected that ICTY would have undertaken a review of the type and
nature of application development needed over the remaining life of ICTY. OIOS
observed that ICTY had not established mechanisms to review the following key
issues:

   a) How much new application development is required over the next four to five
      years and what criteria should be used to determine what represent cost
      effective development at this stage of ICTY's life; and
   b) Whether Development Unit (DU) should continue to maintain and support
      the projects it developed or whether this function should be entrusted to the
      Operations Unit to derive synergy of operations as well as to enable DU to
      focus on its core business of developing applications.

26.     Should ICTY establish that there is still a need to develop major applications
during the remaining period of its life, it should review and modify its existing
project methodology. The current methodology is neither comprehensive nor in line
with UN Secretariat's global ICT strategy stipulated in A/57/620. Its value as a
guide to ensure that the staff were familiar with the process and that all adopted a
consistent process for identifying and developing projects was therefore limited.
OIOS noted that the existing methodology had the following weaknesses:

   a) The existing project management methodology had not been updated since
      1999 and did not include guidelines on areas such as the criteria for selection,
      prioritization of projects, monitoring, and post implementation review;
   b) Cost benefit analysis was not undertaken; hence there was no assurance that
      the projects developed were those that generated the best returns;
   c) A project selection committee was not established to ensure that similar needs
      or opportunities within the three organs were identified and reconciled.
   d) There was no post-implementation review of applications developed to
      determine if the projects delivered the expected benefits;
   e) Actual time and resources expended on the projects were not monitored, to
      assist in identifying whether projects were managed in an efficient and
      effective manner or projects experienced time and cost overruns.

         Recommendations:

                To determine what resources are required for application
         development over the remaining life of ICTY, Chief, Information
         Technology Service Section should submit a paper to the
         Information and Communication Technology Committee outlining:

                                          8


-----------------------------------------------------------------------------------------

         the extent of new application development foreseen and whether it
         is worthwhile to undertake the development at this stage of ICTY's
         life. The paper should also discuss whether the Development Unit
         should continue to maintain and support the projects it developed
         or this function could be transferred to the Operations Unit (Rec.
         06).

27.     ICTY commented that "the current (High Level Business Case) HLBC
analyses seem to conclude that with even five years remaining in the Tribunal's
lifespan, investment in development is showing strong payback, and still continues to
make sense. Clearly there will be a point at some point in the life of the Tribunal
when, due to the diminishing amount of time left, it will become increasingly difficult
to extract sufficient benefit to justify the cost of investment. ICTY Management
agrees that it would helpful if the Tribunal could foresee at which point in time
dismantling the development capacity becomes sensible, and ITSS will attempt to
make this educated guess in the IT strategy document. However, in spite of this
estimate, ICTY Management feels that it makes sense for the ICT Committee to
continue to review the individual programmes and projects that make up the IT
strategy and tactical plans, and based on its on-going assessment that these activities
concretely assist the Tribunal in achieving its mandate in a cost-effective and
efficient way, decide on a case- by-case basis whether or not to proceed with
development... With regard to the question of the DU continuing to maintain
applications, it is important to understand what is meant by maintenance. The term
software maintenance has more to it than one would initially assume. It includes
adding and subtracting system functionality, performance tuning, data conversion,
migration and debugging. This is in contrast to software support, which entails
screening calls, acting as a focal point, creating user accounts, providing
application access to application, installation of the application, and helping users to
work around known bugs. Presently, in majority of the cases, user calls are already
handled by ITSS Operations/ Dispatchers, and if any support activities are currently
performed by DU, they can be transferred to Operations/Help Desk. Nonetheless, the
maintenance tasks, as defined above, must be done by a qualified programmer or
data manager, who possesses specific application, database and programming
knowledge". OIOS thanks ICTY for the additional clarification which outlines the
issues that OIOS wishes to see addressed in the paper it proposes should be presented
to the ICT Committee. The recommendation will be closed upon receipt of the paper
to the ICT Committee outlining: the extent of new application development foreseen
and whether it is worthwhile to undertake the development; and, whether the
Development Unit should continue to maintain and support the projects it developed
or this function could be transferred to the Operations Unit and the decision of the
ICT Committee on the paper.

         Recommendations:

                 Should ICTY determine a need for major application
         development over its remaining life, to ensure the effective and
         efficient implementation of these projects and to ensure compliance
         with A/57/620, Chief, Information Technology Service Section
         should update the project management methodology in line with
         industry norms such as Control Objectives for Information and
         related Technology (COBIT) and ensure that all staff are aware of

                                           9


-----------------------------------------------------------------------------------------

         how to follow the methodology (Rec. 07).

28.     ICTY commented that "it agrees with the general observations; however, we
would like to mention a few points which are as follows: in line with the OIOS'
recommendation of 1998, ITSS/DU has been following an application development
methodology, CMM, which is also a part of ITIL application management, and is
widely practiced by both governmental and commercial organizations throughout the
world. The current report recommends adopting COBIT as a model; however, it is
vital to note that COBIT unlike ITIL, does not specifically incorporate application
development. We concur that current methodology must be updated according to
A/57/620 and ST/SGB/2003/17. Nevertheless, we would like to point out that
although not strictly in line with ST/SGBI2003/17 a framework in ITSS/DU is in
place for project selection, monitoring and post implementation review. Thanks to
this approach, ITSS/DU has been able to meet users' requirements successfully and
so far, there is no record of project failure. In stark contrast, it is worth pointing out
that on an average every year 60 % of worldwide software development projects are
considered failures (Economist, Nov 25th 2004), indicating that ITSS has been
extraordinarily successful at managing development projects". OIOS appreciates
the additional clarification. COBIT is a high-level organisational tool, which would
require the adoption of a methodology such as ITIL, at the implementation level,
which is recognised within the COBIT framework itself. OIOS will close the
recommendation upon receipt and review of the revised project management
methodology approved by the ICT Committee.

                                          F. IT Training

29.    As a consequence of the integration of SDU within ITSS, ITSS had an ITSS
Training Unit and an OTP SDU Training Unit. The three staff of ITSS Training Unit
(1 P-2 and 2 GS) provided general training on standard desktop applications to all
ICTY staff. The OTP SDU Training Unit with three GS staff provided training in
OTP specific applications. The activities of both training units were reviewed and a
number of general issues were identified which have been referred to under the
sections above on `Monitoring' and `Organization Structure'. In addition to these
general issues OIOS noted inadequate assessment of the need for and inadequate
planning of training activities as discussed below:

    a) The two Training Units did not carry out any training need analysis to
       determine the training requirements of respective staff. The input from staff
       and managers was minimal and courses were conducted based on the historic
       trend.
    b) More than 80 percent of the training conducted by the ITSS Training Unit
       was on standard desktop applications although almost every job description
       stated that staff should be proficient in these applications.
    c) The two Training Units did not evaluate if the training imparted had added
       value in enhancing the efficiency of the staff members' work.
    d) The ITSS Training unit spent over 200 hours preparing course materials that
       were to be provided by the vendor1.

1
  Extract of contracts with vendors: "The Contractor shall provide all course
materials and documentation required for the training, with permission to duplicate
and distribute these materials to UN-ICTY staff."
                                           10


-----------------------------------------------------------------------------------------

   e) The details of the courses conducted by OTP Training Unit staff were not
      available and ITSS did not evaluate the efficiency of staff resources.
   f) The ITSS Training Unit spent over 2,000 hours re-working training materials
      prepared by UN Headquarters (UNHQ) for the Galaxy system. Chief ITSS
      explained that UNHQ and ICTY management encouraged them so that these
      materials could be shared with other UN offices. However, when ITSS
      Training Unit forwarded the draft material there was no follow up from
      UNHQ and as a result; the material was not shared with other UN offices.
      The training material was not even used in ICTY since it stopped using the
      Galaxy system in August 2004.

         Recommendation:

                 To maximize the efficiency and effectiveness of training
         provided, Chief, Information Technology Service Section should
         develop a training framework that includes a needs analysis of the
         training required over the remaining life of ICTY, and evaluate if
         the training conducted enhanced staff efficiency. The basis for the
         inclusion of each course should be documented and submitted to
         Information and Communication Technology Committee for
         approval (Rec. 08).

30.     ICTY commented "that although ITSS had not conducted needs analyses
during period indicated in the audit, ITSS Training Unit had carried out two training
needs analyses in 2001 and 2002. Based on the surveys, the course curriculum was
determined. Post training results showed that staff members felt that they saved on
average 45 minutes a day at carrying out their regular duties. The Training Unit
recognizes that 80% of its classroom curricula are on standard desktop applications,
however a 55% fill rate shows that this training is still required, further indicating
that screening of staff IT skills upon uptake is not as effective as it could be. In terms
of the training materials provided as part of the Sanction and CaseMap, it was never
the intention that the vendors delivered the final training materials as part of their
contracts. Considering the extensive custom procedures for the use of these products
in the OTP would need to be developed, it was accepted that the vendors would only
able to deliver generic materials for later adaptation by ICTY. In response to the
comments in regard to Galaxy, the Training Unit made frequent formal requests to
UN Headquarters in NY for Galaxy training materials. UNHQ was unable to provide
them as they did not exist. Therefore, in support of ICTY's scheduled implementation
of Galaxy in April 2003, ICTY HRS submitted a formal request to the Training Unit
for development of training materials. The Training Unit is working on a follow-up
targeted questionnaire that will evaluate whether staff members feel that they have
benefited from the training. The Training Unit plan to send out questionnaire at
regular intervals after training including conducting an annual review of each staff
member's training records. We have nearly completed a pilot program with CLSS
where we determine in conjunction with the target office's management, a skill
standard for each basic job. The Training Unit will develop a personalised training
program for each staff designed to address the identified deficits. Should this be
successful with CLSS, we intend to scale up the exercise. This approach is more
labour intensive but it removes the inherent inefficiency of the voluntary broadcast
training and it directly involves the management of the target Section". OIOS is



                                           11


-----------------------------------------------------------------------------------------

pleased to note that ITSS Training Unit had initiated actions to address some of the
audit findings but would like to point out that OIOS was not informed about the
assertion of the 45 minutes savings during the audit. Additional information
provided to OIOS recently revealed that the average savings of 45 minutes claim was
based on the response of seven staff members in 2002. Further, some staff surveyed
felt that they did not save any time at all. ICTY was unable to provide OIOS with
any supporting evidence on the statement made in their response on training
materials for Sanctions and CaseMap. As regards Galaxy, ICTY Chief, Human
Resource Section confirmed that he had requested ITSS to prepare some training
materials, which he thought to be a one to two weeks assignment. He was therefore
surprised to learn from OIOS that ITSS had spent more than 2,000 hours and stated
that he would not have requested this if ITSS had informed him of the extent of
resources required. OIOS will close this recommendation upon receipt and review of
documentation that training needs analysis has been conducted and benefits of
training provided have been undertaken and the list of training courses approved by
the ICT Committee.

                               G. Contract Management

(a) Management of repair and maintenance contracts

31.     During 2004, ICTY entered into eleven contracts at a total value of
approximately Euro 121,000 (US$145,000) for repair and maintenance of ICT
equipment valued at approximately US$13 million. OIOS reviewed three of the
eleven contracts and noted overpayments arising from non-adherence to contract
terms and conditions on contract no. ICTY/CON/03/026. ICTY Procurement
Section informed the audit team that the amount invoiced by the contractor and
certified by ITSS was correct and hence there was no overpayment, as they had
inadvertently incorporated incorrect prices in the contract. At the time of the audit,
Procurement Section was in the process of amending the contract and no
recommendation has therefore been made.

32.     ITSS also agreed with the audit team that contract terms and conditions had
not always been adhered to. To rectify this situation ITSS made arrangements for
concerned staff to attend briefings on their procurement responsibilities. It was also
agreed that for future contracts an initial briefing would be held prior to
commencement of services, with Procurement Section, the Project Manager and the
contractor. In addition, Procurement Section will request the contractor to provide a
detailed cost breakdown of equipment repaired and maintained which will be
reviewed by both Procurement section and ITSS. In view of the actions taken OIOS
is making no recommendation.

(b) Services not included in the contract

33.    ITSS requested preventive maintenance services from one of the contractors,
which were not specifically included in the contract, no. ICTY/CON/03/031. ITSS
accepted that they had made an error and Chief, ITSS and Chief, Procurement
Section have taken the steps described in the previous section to address this issue.
No recommendation is therefore raised.


                                         12


-----------------------------------------------------------------------------------------

(c) Controls over repair and maintenance of equipment

34.    OIOS expected ITSS to maintain a maintenance log for equipment detailing
when machines were repaired, what was repaired and the cost of repairs. An analysis
of these logs would then assist ITSS in determining when it is more economic to
replace equipment than to repair, the reliability of suppliers to take into account for
future purchases and to monitor the effectiveness of repairs being carried out.
Though ICTY maintained details of invoices received and paid each year for repairs
a complete history of repair undertaken for each machine was not available. The
information in the Communication Assets Tracking System was neither complete nor
accurate.

35.     OIOS also noted that ITSS did not have an adequate quality control system in
place (in two of the three contracts) to ensure that when the contractor replaced the
fuser unit, or other parts, the replaced parts were returned and, to ascertain whether
asserted repairs and maintenance by the contractor had been fully completed.

         Recommendation:

                  To assist ICTY management in determining when it is more
         economic to replace equipment than to repair; assessing the
         reliability of suppliers for future purchases, and, monitoring the
         effectiveness of repairs being carried out, Chief, Information
         Technology Service Section should establish a mechanism, such as
         an equipment maintenance log, together with procedures on the
         collection, processing and reporting and information of details
         about equipment repair and replacement (Rec. 09).

36.     ICTY commented that this would be implemented by mid-May 2005. OIOS
thanks ICTY for the prompt action taken and will close the recommendation upon
receipt and review of details of proposed mechanism, determining when it is more
economic to replace equipment than to repair; assessing the reliability of suppliers
for future purchases, and, monitoring the effectiveness of repairs being carried out.

                                    H. Asset Management

(a) Monitoring of ICT assets

37.    ICTY, Property Control Inventory Unit (PCIU) is responsible for recording
and reporting all non-expendable assets in accordance with the ST/AI/374 (Property
Records and Inventory Control under Revised Definition of Non-Expendable
Property). PCIU assigns all ICT assets to the ITSS, the asset manager for all these
equipment.

38.    The Chief, ITSS entrusted the responsibility of inventory management to the
Coordination Cell within ITSS, which used the Communication Assets Tracking
System (CATS) to keep track of approximately 8,000 items with a total value of
approximately US$13 million as at 30 June 2004. Because ITSS was not updating
CATS promptly and correctly and was not aware where equipment was located, or
who was using it, OIOS noted that as at 30 June 2004:
                                          13


-----------------------------------------------------------------------------------------

   a) 314 items assigned to ITSS did not have information on their status (i.e. in
      stock, in use, in repair etc).
   b) 98 items shown as "in use" were assigned to former staff.
   c) 37 items shown as "in use" were not assigned to any staff and there were also
      no information on the location of these assets.

39.     Therefore, there were no assurances that all assets assigned to ITSS were
properly accounted for and as a result OIOS noted substantial ICT assets had been
lost as discussed below.

        Recommendation:

                 To ensure that ICTY has a complete and accurate inventory
        of its ICT equipment, the Chief of Information Technology Service
        Section should develop procedures for updating the
        Communication Assets Tracking System database accurately and
        promptly and undertake an exercise to confirm the existence and
        location of all the assets entrusted to ITSS (Rec. 10).

40.     ICTY commented that the review of the database contents has already been
undertaken and completed. Considering the possible perception of a lack of
independent verification, and because ITSS is not staffed to independently conduct
full-scale physical inventories, the verifying inventory exercise will be conducted in
conjunction with PCIU. The timeframe for completion will be confirmed with PCIU
and reported to OIOS. OIOS notes the response and will close the recommendation
upon receipt and review of procedures for updating the Communication Assets
Tracking System database and receipt of the results of the exercise to confirm the
existence and location of the assets entrusted to ITSS.

(b) Procurement and management of ICT assets

41.     The ICT assets in stock with ITSS were kept in four storerooms. There were
indications that ITSS did not plan the procurement of ICT equipments resulting in
surplus stocks as at 30 June 2004. OIOS noted 474 items valuing approximately
US$513,000 remained in stock for over a year resulting in possible stock
obsolescence and loss in value. In addition, ITSS did not manage the assets in stores
properly:

   a) 23 items remained as "for repair" for over a year.
   b) Five items remained "in repair" for a period between nine months to three
      years.
   c) Though there were four locations for storing assets, the location (i.e. room
      number) of the assets was not entered into CATS;
   d) During a surprise physical inventory check, we noted that there were more
      items for repair than shown in CATS.

        Recommendation:

                To ensure efficient and effective utilization of ICT assets

                                         14


-----------------------------------------------------------------------------------------

         and to comply with ST/AI/374, the Chief, Information Technology
         Service Section, ICTY should: review if assets in stocks for more
         than one year should be disposed off; procurement for items in
         stocks should not be made unless justified; and closely monitor
         assets sent for repairs (Rec. 11).

42.     ICTY commented that "due to the hiring freeze, many computers and printers
slated for replacement and/or other deployment remained in stock. In addition, the
shortage in staffing within ITSS itself meant that certain deployment projects were
put on hold, again resulting in equipment remaining unexpectedly in stock.
Furthermore, for small items such as ink-jet printers, instead of opting for what
would be cost-ineffective repairs, we maintain a stock of new printers, which can be
issued as replacements for malfunctioning units. These circumstances and practices
have meant that OIOS observed what appears to have been an unusually high
numbers of new equipment left in stock. In spite of this, a review of the new in-stock
items has been undertaken to determine if there are any items, which should not have
been either acquired or held for unjustifiable reasons. Efforts will be made to
improve the logging, tracking and follow-up of items out for repair". OIOS
appreciates the clarification and will close the recommendation upon receipt and
review of the exercise undertaken to review if assets in stocks for more than one year
should be disposed off, steps taken to ensure that procurement for items in stocks is
not made unless justified, and details of the procedures developed for monitoring
assets sent for repairs.

(c) Loss of ICT assets

43.    ICTY's Property Control and Inventory Unit (PCIU) carried out an annual
physical inspection of all assets to ensure that they are available. Their review in
2003 revealed that a significant number of ICT equipment was missing. While ITSS
managed to locate some of the missing items, it reported the loss of ICT items with
an acquisition value of US$380,000 to Security and Safety Section (SSS) during
February to July 2004. The reasons adduced by ITSS for these losses indicated weak
controls over safeguarding ITSS assets:

   a) 59 computers with an acquisition value of approximately US$108,000, placed
      on pallets, apparently ended up on the disposal truck;
   b) Seven Spectra vehicle radios were disposed off along with the vehicles in
      which they were mounted;
   c) Eight computers with an acquisition value of approximately US$9,000, which
      had been sent to ICTR, Arusha in 2000, did not reach them.

44.    SSS investigated the losses and submitted copies of its reports to the Chief,
Operations Unit of ITSS during February to July 2004. As the assets could not be
located, ITSS proposed that the missing equipment be written off. The ICTY, Local
Property Survey Board (LPSB) considered the proposal in its meeting of 11
November 2004 and noted that it would like to know "what procedures (SOP's) have
been put in place to avoid this type of discrepancy in future and --- who is
responsible should the procedures which are in place not work". LPSB therefore
recommended that all cases be deferred until further clarifications.



                                          15


-----------------------------------------------------------------------------------------

45.     The SSS investigation report was a copy of the information provided by ITSS
and there was no evidence of any work undertaken to establish the causes of the
losses. OIOS is of the opinion that an investigation of the reasons why the losses
occurred has not been properly conducted and is very concerned given the size of the
loss. The matter has been referred to the OIOS, Investigations Division for their
consideration and appropriate action. No recommendation is therefore raised on this
matter in this report.

46.     ICTY commented that "In its narrative, OIOS observed the ongoing process
of accounting for a group of assets, which has proven difficult to finalise. This is a
process begun in 2001, which was later noted in the 2002 report of the external
Board of Auditors, and of which a snapshot was revealed in the PCIU 2003 physical
inventory. At the beginning of the whole process, PCIU determined that there was a
significant list of some 2000 inventory items, which could not be immediately
accounted for in a physical check.

47.     In the intervening period since then, the majority of the items have been
cleared from the list, many by being found, some identified as mistaken data entry
errors, some with duplicate or incorrect asset tags, and some as being identified as
actually being lost or stolen. This has involved hundreds of hours of staff time and
meant significant, in-depth efforts on many staff members' parts to ascertain asset
status. In conjunction with ITSS, the PCIU has been involved in a long-term,
painstaking process of trying to make a final determination.

48.     What remained when observed by OIOS in this audit was some 200 items
valued at around US$380,000 when originally acquired. Although the identification
of these items had been ongoing for several years, following the receipt of the
informal comments of the auditors, ICTY management immediately undertook an
intensified review with the assistance of ITSS, Security and PCIU. As of this date, we
have further reduced this list to about 140 items with a residual value of about
US$104,000. We are sharing this information locally with the resident auditors and
the OIOS investigator".

49.     In its further response of 11 February 2005, ICTY clarified that "With
respect to the overall number and value of missing equipment, our internal
investigation is ongoing and we will be reporting back to both the OIOS Investigator
and to the resident auditors".

50.     While OIOS appreciates the action taken by ICTY management, it observed
that the 60 items asserted to be resolved / located by ICTY are yet to be verified by
PCIU. Further the acquisition value of 140 items still missing is US$304,000
(residual value of US$104,000). OIOS noted that the issue is being investigated both
by ICTY Security and OIOS Investigations Division.


     V. FURTHER ACTIONS REQUIRED ON RECOMMENDATIONS

51.     OIOS monitors the implementation of its audit recommendations for
reporting to the Secretary-General and to the General Assembly. The responses

                                         16


-----------------------------------------------------------------------------------------

received on the audit recommendations contained in the draft report have been
recorded in our recommendations database. In order to record full implementation,
the actions described in the following table are required:

Recommendation No.                         Action Required
Rec. 01            Receipt and review of the ICTY Information Technology
                   strategy document.
Rec. 02            Notification of the implementation of the monitoring
                   framework.
Rec. 03            Receipt of documentation that the post has been abolished
                   and documentation explaining the re-use of the post,
                   including the revised classified job description.
Rec. 04            Receipt of a strategy paper to the ICT Committee outlining
                   whether it is more cost effective to outsource than to
                   maintain resources in house; a strategy for merging /
                   reorganising units as a consequence of reducing work load;
                   and, whether ITSS should continue to maintain and support
                   all current projects / applications or some could be
                   discontinued to save costs and the decision of the ICT
                   committee.
Rec. 05            Receipt and review of a copy of the new organisational
                   structure, which deals with issue of the span of control within
                   the Operational Unit.
Rec. 06            Receipt of (i) the paper to the ICT Committee outlining: the
                   extent of new application development foreseen and whether
                   it is worthwhile to undertake the development; and, whether
                   the Development Unit should continue to maintain and
                   support the projects it developed or this function could be
                   transferred to the Operations Unit and (ii) decision of the ICT
                   committee on the paper. .
Rec. 07            Receipt of the revised project management methodology
                   approved by the ICT Committee.
Rec. 08            Receipt and review of documentation that (i) training needs
                   analysis has been conducted and benefits of training provided
                   have been undertaken and (ii) the list of training courses
                   approved by the ICT Committee.
Rec. 09            Receipt and review of document (i) determining when it is
                   more economic to replace equipment than to repair; (ii)
                   assessing the reliability of suppliers for future purchases, and,
                   (iii) monitoring the effectiveness of repairs being carried out.
Rec. 10            (i) Receipt and review of procedures for updating the
                   Communication Assets Tracking System database and (ii)
                   receipt of the results of the exercise to confirm the existence
                   and location of the assets entrusted to ITSS.
Rec. 11            Receipt and review of (i) the exercise undertaken to review if
                   assets in stocks for more than one year should be disposed
                   off, (ii) steps taken to ensure that procurement for items in
                   stocks is not be made unless justified, and (iii) details of the
                   procedures developed for monitoring assets sent for repairs.



                                        17


-----------------------------------------------------------------------------------------

                             VI. ACKNOWLEDGEMENT

52.     I wish to express my appreciation for the assistance and cooperation extended
to the audit team by the staff and management of ITSS.




Egbert C. Kaltenbach, Director
Internal Audit Division II
Office of Internal Oversight Services




                                         18


-----------------------------------------------------------------------------------------


Personal tools