Office of the Inspector General


Audit on the Effectiveness of IT Controls at the Global Fund

26 November 2015

In early 2015, the Office of the Inspector General (OIG) audited the controls applicable to the Global Fund's IT infrastructure, network and applications, including externalized and cloud-hosted services, to assess their effectiveness. As serious weaknesses and security gaps were found that could have been exploited to inflict harm to the organization, the leadership of both the Audit and Ethics Committee and the Board, at the request of the Inspector General, agreed to postpone the publication of the OIG report until November 2015 to allow the Secretariat to address critical issues. This decision was taken in line with the Policy for the Disclosure of Reports Issued by the Office of the Inspector General.

At the time of the audit, using the four "A's" framework commonly used in IT risk management (data agility, availability, accuracy and access), the OIG concluded the following: internal controls over IT were "generally effective" for data agility; controls over data availability and accuracy showed some weaknesses but the Global Fund had "a full plan to become effective". However, the OIG found that controls regarding data access were not adequate and only "a partial plan to become effective" was in place.

In terms of data access, the OIG found that most IT internal controls were only partially supervised, that security policies were obsolete, and that there were deficiencies in the security and monitoring systems. The auditors noted the absence of a formal segregation of duties, creating the risk of incompatible roles being allocated to a limited number of users. They also found that there were no regular reviews of user access, with the result that ex-employees still had access to Global Fund systems.

Concerning data accuracy, Global Fund servers were not monitored by an anti-virus solution, creating a high risk of malware infection. After performing a vulnerability assessment using a Microsoft-recommended tool, the OIG identified that 31 out of the 50 Windows infrastructure servers tested had not been upgraded with the latest security patch. This poses a "severe risk" according to the tool's classification.

For data availability, the auditors noted that some Global Fund data did not have reliable backups. A project to manage disaster recovery, recommended in an earlier OIG audit, had not yet been finalized at the time of the latest audit.

Since the beginning of the audit, the Global Fund IT department has made important progress in addressing some of the key risks identified by the OIG. The IT security function has been strengthened and a Chief Information Security Officer has been hired. User access rights and controls are better managed following an extensive review process. A segregation of duties matrix for the Enterprise Risk Platform has been formalized and user profiles have been updated accordingly. Outstanding corrective actions to cover the other issues identified by the OIG are in progress. More information is contained in the Follow-Up report.

###

The Office of the Inspector General safeguards the assets, investments, reputation and sustainability of the Global Fund by ensuring that it takes the right action to defeat AIDS, tuberculosis and malaria. Through audits, investigations and consultancy work, it promotes good practice, reduces risk and reports fully and transparently on abuse.

Established in 2005, the Office of the Inspector General is an independent yet integral part of the Global Fund. It is accountable to the Board through its Audit and Ethics Committee and serves the interests of all Global Fund stakeholders. Its work conforms to the International Standards for the Professional Practice of Internal Auditing and the Uniform Guidelines for Investigations of the Conference of International Investigators.

The Global Fund believes that every dollar counts and has zero tolerance for fraud, corruption and waste. Through its whistle-blowing channels, the Office of the Inspector General encourages all to speak out to report fraud, abuse and human rights violations that prevent Global Fund resources from reaching those who need them.