
United Nations Development Programme

Office of Audit and Investigations

Annex II
TERMS OF REFERENCE
ATLAS AUDIT OF UNDP
FOR THE OFFICE OF AUDIT AND INVESTIGATIONS
I. BACKGROUND

The United Nations Development Programme (UNDP), together with other UN specialized agencies, uses PeopleSoft
as its Enterprise Resource Planning (ERP) system. Atlas is the name of this ERP system.
For the purpose of this RFP, the audit will only focus on UNDP and not any specialized agencies.
Atlas was implemented in 2004 in all UNDP locations under the prevailing UN accounting standard, United Nations
Accounting Standard (UNSAS).
Atlas runs on Oracle database (version 11g) and is accessed through internet web browsers. The management of
infrastructure which hosts Atlas is outsourced to an external UN entity. All Atlas environments have gone through at
least one upgrade cycle since their implementation in 2004.
Current application and tools versions are as follows:
PeopleSoft Financials Version 9.0    PeopleTools Version 8.50
PeopleSoft HCM Version 9.1           PeopleTools Version 8.51
PeopleSoft Portal Version 9.1        PeopleTools Version 8.50
PeopleSoft EPM 9.1                   PeopleTools Version 8.50
PeopleSoft CRM 9.1                   PeopleTools Version 8.50

UNDP Office of Information Systems and Technology (OIST) is planning on synchronizing all the applications to
PeopleTools version 8.52 in the second half of 2012.
Effective 1 January 2012, UNDP implemented the International Public Sector Accounting Standards (IPSAS) and
moved away from the United Nations System Accounting Standards (UNSAS). This has entailed a number of
configuration changes in Atlas.
Atlas was audited in 2005 and a follow-up audit was conducted in 2008. In 2005, the UNDP Office of Audit
and Investigations (OAI) commissioned an external consulting firm to conduct a post-implementation review of the Atlas
system. This review was aimed at identifying significant risks, prevailing at that time, in the key areas of control
framework definition, business process controls and application security controls. The 2008 review was also
commissioned from an external audit and consulting firm and focused on the implementation of the 2005
recommendations as well as the review of all remaining modules. A desk follow-up on the implementation of the
recommendations of the 2008 audit has been maintained by OAI. The desk follow-up indicates a reasonable level of
implementation of these recommendations.

II. AUDIT OBJECTIVES

OAI is soliciting the services of an independent service provider to conduct a full review of the following aspects of
the Atlas system:

System and data alignment to the established UNDP control framework
System alignment to key reporting requirements and data lineage
System alignment to IPSAS implementation requirements
Key interface efficiency and controls
Database Security
Continuous Monitoring

The objectives of the review are to assess the system's alignment with key areas of the UNDP control framework
definition, business process controls, and identified key reporting needs, as well as the newly implemented IPSAS
framework. It is expected that through the assessment, potential risks and/or opportunities for improvement are
identified together with recommendations to address them that are actionable in the UNDP context. In particular:

Recommend system modifications to improve its alignment with the above-stated aspects.
Recommend policy and/or business process modifications to optimize the benefit of Atlas usage related to the
above-stated aspects.
Recommend improvements for continuous monitoring of Atlas.

The proposed recommendations will draw on good practices of other similar organizations, with appreciation of
UNDP's operating environment, so that these recommendations are actionable and UNDP ultimately benefits
from this exercise.

III. SCOPE

The review will cover all Atlas modules/processes/practices relevant to UNDP, excluding other specialized
agencies (UNFPA, UNOPS, UN WOMEN and UNU).
To meet the above stated objectives, the following PeopleSoft modules and components are included in the scope:
PeopleSoft Enterprise Finance/SCM/ESA
General Ledger
Commitment Control
Treasury
Contracts
Billing
Grants/Project Costing
Purchasing
E-Procurement
Asset Management
Accounts Payable
Accounts Receivable
Travel & Expense

PeopleSoft Enterprise HCM
Core HR
Base Benefits
Position Management
Global Payroll
Absence and Leave Management
Employee Self Service
PeopleSoft Enterprise Performance Management
Enterprise Financial Warehouse
PeopleSoft Customer Relationship Management
Helpdesk
PeopleSoft Portal
The Argus provisioning built-on is housed in the PeopleSoft Portal
Oracle Database
The underlying Oracle 11g database
Audit and Monitoring
Audit Trails and Audit functionalities of PeopleSoft

The Business Transaction Analysis and Monitoring Solution or BTAM (Oversight) program has the
following functionalities:
o Real-time Transaction Inspection (RTI) for detection and prevention of costly financial
management errors, misuse, and fraud.
o Real-time reporting and alerts resulting in rapid error-correction and significant
reductions in downstream work effort and your corresponding cost-per-transaction
o Enterprise-wide transparency and workflow management
o Integrated Coverage of all major business processes (e.g. payables, receivables, assets,
general ledger, etc.)

To meet the objectives of the audit, it is expected that the exercise will focus on the following elements:
a) Application Controls of the PeopleSoft business modules
Value driver for this area is alignment between UNDP's control requirements and system set-up and
utilization compliance by various UNDP stakeholders. The exercise should include the testing of:

The effectiveness of the automated control environment of PeopleSoft for each of the modules
The optimization (efficiency) of the automated control environment in terms of its scope and
definition
The completeness, accuracy and validity of the data for each of the modules
o Data prepared for entry are complete, valid and reliable
o Data are converted to an automated form and entered into PeopleSoft accurately,
completely, and on time
o Data are processed by PeopleSoft completely and on time, and in accordance with
established UNDP business and control requirements
o Output is protected from unauthorised modification or damage and distributed in accordance
with prescribed policies
The consistency and effectiveness of the authorisations between the established Internal Control
Framework and PeopleSoft security set-up.
o The integrity of the interface between PeopleSoft Security set-up and the custom-built user
provisioning system on PeopleTools called ARGUS
o Special user profiles and provisioning procedures of such users and assessment of risk
exposure from these special user profiles.
o External access user profiles and access mechanisms
Adequacy of the segregation of duties principles
o Profile definitions
o Provisioning procedures.
Existence of audit trails and application journaling

b) Reporting Integrity and Reliability of the Data
Value driver for this area is alignment of the system and reporting needs expressed for key reports. It
should include review of:

Financial Statements of Combined Delivery Reports, the most important reports identified by the
business community
o Adequate reports providing the business the capacity it needs to make business decisions
Data lineage from application layer to reporting layer
o Between Modules
o Cross Modules
o Internal Reports
o Reconciliation process
o External reporting

c) IPSAS and Application Configuration and Change Management
Value driver for this area is alignment of the IPSAS requirements and system set-up. It should include
review of:
IPSAS functional specification in the area of
o Employee Benefits
o Revenue Management
o Asset Management
o Receipt Accrual
o Treasury Management
Change Management process and transaction monitoring
Configuration Management Process

d) PeopleSoft Interfaces
Value driver for this area is efficiency, effectiveness and security (integrity, confidentiality and availability) of
the interfaces and data standards. It should include the review of key interfaces including:

Global Payroll to General Ledger interface
Banking Interface developed and managed centrally
Banking Interface developed and managed locally

e) Database Security
Value driver is the reliability and security of the Oracle Database 11g. It should include the review of:
Database access controls
Database maintenance procedures
Database logging and monitoring

f) Audit and Monitoring
Value driver for this area is the efficiency and effectiveness of the audit trails in order to achieve and trace
back accountability of the business transactions and, in a second stage, the alignment between the BTAM
Control Matrix and UNDP's financial control requirements and UNDP's Internal Control Framework.
The Continuous Control Monitoring System is meant to provide Atlas monitoring capabilities and provides
UNDP a means for better enforcing UNDP's Internal Control Framework.
Due consideration needs to be given to the adequacy of the audit trail information and the BTAM Control
Matrix (including the detailed configuration rule base of BTAM).

IV. REPORTING AND WORKING ARRANGEMENTS

It is foreseen that all work necessary to cover the areas described above can be done in New York. Communication
with staff residing outside New York might be necessary. This should not lead to travel outside New York but
should be addressed through electronic communication, teleconferencing and/or videoconferencing. The following approach
is provided as an example. The contractor is requested to document their own approach in more detail:
The selected service provider will report to OAI. Accordingly, the service provider will regularly meet with OAI
throughout the engagement to review progress. If OAI is not satisfied with the performance of an individual team
member OAI may request the service provider to replace the team member.
UNDP will provide suitable office space for the service provider and will assign a focal point. The main role of the
focal point will be to ensure that the service provider receives information (whether through meetings or
documents) on a timely basis.
The report to be submitted by the selected service provider at the end of the review exercise should include an
overall rating in the audit report, satisfactory, partially satisfactory or unsatisfactory, using OAI rating definitions
(Annex VII).
The recommendations should be given a priority, High, Medium or Low using the UNDP priority definitions
(Annex VII).
The selected service provider should collect and include the written management comments on the audit
observations/recommendations in the report.
The written report to be submitted by the selected service provider will be subject to the review and clearance of
OAI. The audit report will be subject to public disclosure and will be published by OAI on the UNDP website.

V. DELIVERABLE

The selected service provider will produce a single written report, which will be addressed to OAI.

VI. TIME FRAME

The Atlas Audit fieldwork is expected to take place in the timeframe starting not later than 5 November 2012 and
should be concluded not later than 21 December 2012.

Annex III
PROPOSAL SUBMISSION FORM
[Please insert company letter-head]
PROPOSAL SUBMISSION FORM
Dear Sir / Madam,
Having examined your Request for Proposal dated August 2012 we, the undersigned, offer to provide services to
UNDP Office of Audit and Investigations for the PeopleSoft Review for the sum as quoted in the financial
proposal.
We undertake, if our proposal is accepted, to commence and complete delivery of all services specified in the
contract within the time frame stipulated.
We agree to abide by this proposal for a period of 90 days from the date fixed for opening of proposals in the
Request for Proposal, and it shall remain binding upon us and may be accepted at any time before the expiration
of that period.
We understand that you are not bound to accept any proposal you may receive.
Duly authorized to sign proposal for and on behalf of

__________________________
Signature & Stamp of entity
Dated this day/month/year
Name of representative:
Address:
Telephone:
