Office of the Inspector General


Office of the Inspector General March 9, 2016

INTRODUCTION
- Standards applicable to this presentation
- Some of the Key Concepts related to Risks and Controls
- Taxonomy of Risks:
  - Risk Categories
  - Sub-Areas of the Risk Categories
- Risk Assessment Process
- Results of Risk Assessment Process
- Proposed Work Plans for 2016-2017
- Update on Pending Investigations

Article 118 of the General Standards & IPPF Performance Standards 2120-A1

According to Article 118 of the General Standards to Govern the Operations of the General Secretariat, “the Inspector General shall present to the Permanent Council, before the end of each year, a plan of activities for investigation and audit of the programs, services, and activities of the General Secretariat for the next two years and shall update it annually. The Permanent Council may request the inclusion of specific investigations or audits, once it reviews the plan”.

Performance Standard 2120-A1 (Risk Management) of the International Professional Practice Framework (IPPF) for Internal Auditing states as follows: “the internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding:
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguard of assets, and
- Compliance with laws, regulations, policies, procedures, and contracts.”

Risks and Controls – Key Concepts
- Inherent Risk
- Controls
- Residual Risk
- Risks and Controls Assessments
- Taxonomy of Risks (next slide)

Risk Taxonomy

The risks that may impact the GS/OAS’ vision, mission and objectives may be classified into four categories of risks. The key risks affecting the GS/OAS can be broadly defined along the following risk categories: Strategic and Development, Reporting, Operational, and Compliance. This risk taxonomy focuses on, but is not limited to, the key risks that impact the GS/OAS.

The primary purpose of the taxonomy of risks proposed herein is to identify all relevant risks faced by the GS/OAS. However, recognizing the difficulties inherent in trying to identify all risks, this taxonomy does not intend to be exhaustive, but rather broadly right, and to provide an integrated view for analysis. In addition, 21 sub-areas of risk were identified within the 4 main categories.

Risk Category: Strategic and Development
1. Strategic, planning and performance.
2. Country development outcomes.
3. Operational policy framework and guidelines.
4. Budget.
5. Human capital management.
6. Reputational risk.

Risk Category: Operational
7. Project supervision.
8. Prohibited practices.
9. Procurement.
10. Ethics and professional conduct.
11. Contractual and contractors.
12. Technology infrastructure, equipment, software and applications.
13. IT data, records management, and retrieval.
14. IT management and system security.
15. Continuity of operations and recovery after a disaster.
16. Transaction processing (errors and omissions).

Risk Category: Reporting
17. Financial reporting.
18. Liquidity and financing.
19. Market risk.

Risk Category: Compliance
20. Legal.
21. Governance.

Risk Assessment Process
- Purpose
- Actions taken by the OIG
  a. Memo# SG/OIG/RIS/15-01 sent to GS/OAS management announcing the initial phase of the Risk Assessment process
  b. Information provided:
     - Details on the purpose and objective of the risk assessment
     - Components of the organization’s risk universe
     - Tables where participants can list the ten most critical processes/risks related to their areas and rank them based on their importance (probability and impact) to the achievement of the area’s objectives. Also, a heat map was provided to give the areas the option to chart the risks (next page)

A heat map is a two-dimensional representation of data in which values are represented by colors. The heat map provides an immediate visual summary of information.

Summary Results of Risk Assessment – Top 20 Risk Areas

Strategic and Development
- Mission, Values, and Priorities not relevant to the Region.
- Inputs or assumptions used for strategic decisions are incorrect.
- Country development outcomes not relevant or not supported by stakeholders.
- Failure to update the policies in a timely manner to reflect evolution of the strategy or lessons learned.
- Disconnect between institutional priorities and allocation of resources.
- Inability to attract, acquire and retain the necessary human talent.
- Budget process timing inconsistent, leading to poor planning.

Operational
- Non-compliance with the code of ethics.
- The OAS does not have the infrastructure of information technology (e.g. hardware, networks, software, people and processes) that is needed to perform their tasks effectively.
- The current and future information requirements of the business are not reviewed periodically so they are efficient, profitable and well controlled.
- Lack of participation of specialists from finance and procurement at the time of the review of the projects.
- Data information is outdated, inaccurate, or relevant data is unavailable.
- Obsolete recovery plan.
- Mismatch between the GS/OAS's needs and human resources skills and availability.
- Lack of clear definition of roles, responsibilities, accountability, and oversight.
- Budget resources are not adequate or properly allocated.

Reporting
- Liquid assets are not available to meet the financial commitments of the GS/OAS, particularly for medium and long term commitments.
- Material or significant internal control deficiencies over financial reporting.
- Financing depends on unreliable income from Member States, resulting in financial and budgetary unpredictability and deficits.

Compliance
- Lack of periodic reviews of insurance policies that ensure adequate coverage to protect the GS/OAS before new events and emerging risks: cyber-attacks, interruptions of activities by catastrophe, etc.
- Recurring requests for exceptions to rules and regulations create internal conflicts and erode credibility.

Heat Map

[Figure: heat map charting the top twenty risk areas by number; legend: Suggestion, Important, Critical]

The OIG analyzed the responses gathered from the departments/areas and the results of interviews with key personnel in order to select the top twenty risk areas that may impact the organization’s objectives. The responses were further grouped within the four broad categories of risks identified earlier in this document (Strategic and Development, Operational, Reporting, and Compliance), as listed in the summary of results above.

We should also note that some of the risk areas identified in this document were also discussed in the 2014-2015 risk assessment. Consequently, the work plans for these years included audits that were performed and recommendations that were issued to address those risks.

Proposed Work Plans for 2016-2017

The proposed 2016 and 2017 work plans are based on the risk assessment and requests from the Office of the Secretary General and the Permanent Council as well as information obtained by the OIG:

Proposed Work Plan for 2016
Office of the Inspector General
2016 List of Audits
General Secretariat of the Organization of American States

No. | TECHNICAL AREA / SUBJECT | Source
03/15 | Department of Procurement Services - Disbursement Process for Specific Funds | RA
01/16 | Department of Human Resources - Hiring Process and Transfer of Posts | SG/RA
02/16 | Department of Financial & Administrative Management Services - Regular Fund Transition Costs | PC
03/16 | Department of Procurement Services - Travel of Non-OAS Employees | OIG
04/16 | Department of Information and Technology Services - OASES Data Integrity |
05/16 | GS/OAS Office of Peru |
06/16 | GS/OAS Office of Bolivia |
07/16 | Department of Procurement Services – Management and Use of Travel Mileage | SG

(SG): Request from the Secretary General. (RA): OIG Risk Assessment.

Proposed Work Plan for 2017
Office of the Inspector General
2017 List of Audits
General Secretariat of the Organization of American States

No. | TECHNICAL AREA / SUBJECT | Source
01/17 | Department of Procurement Services – Credit Cards Payment Process | RA
02/17 | Department of Procurement Services - Review of GS/OAS Insurance Policies |
03/17 | Department of Planning and Evaluation – Project Monitoring Process |
04/17 | Department of Human Resources - Code of Ethics |
05/17 | GS/OAS Office in Paraguay |
06/17 | GS/OAS Office in Jamaica |
07/17 | Department of Financial & Administrative Management Services – Travel Expense Claims System (TECS) | OIG

(SG): Request from the Secretary General. (RA): OIG Risk Assessment. (PC): Request from the Permanent Council.

OIG INVESTIGATIONS
- As of December 31, 2015, the OIG has 8 pending investigations, of which 2 will be closed following full investigation and 3 at the Preliminary Review phase. 3 investigations will be carried over.
- OIG has a number of on-going investigations that are in preliminary review stages. The OIG will provide additional updates on those pending investigations in its 2015 Annual Report.
- The OIG is currently without an investigator. The investigator resigned on January 29 after a 5-month leave of absence and multiple other leaves without pay.

THANK YOU

Questions?