United Nations

A/50/791


General Assembly

Distr. GENERAL  

30 November 1995

ORIGINAL:
ENGLISH


Fiftieth session
Agenda item 149


REPORT OF THE SECRETARY-GENERAL ON THE ACTIVITIES OF
THE OFFICE OF INTERNAL OVERSIGHT SERVICES

Note by the Secretary-General


1.  Pursuant to paragraph  5 (e) (i) of General Assembly resolution 48/218 B
of 29 July 1994, the Secretary-General has the  honour to transmit, for  the
attention of the General  Assembly, the attached report,  conveyed to him by
the Under-Secretary-General  for Internal Oversight  Services, on the  audit
of the United Nations access control system project.

2.   In transmitting the report,  the Secretary-General  considers it useful
to  present the  views expressed  by  the  Department of  Administration and
Management on the project  and on certain major conclusions of the Office of
Internal  Oversight  Services as  reflected in  its  report.   These  are as
follows:

  "At the outset, it should be recalled that it was Management that  decided
in the summer of 1994,  after reviewing the  project and the causes for  the
delays  encountered,  not  to  activate  the  access  control  system.   The
decision, which was publicly announced, was based on  the judgement that the
system, while  capable of implementation  technologically, did  not meet the
security concerns  of the Organization  in an  efficient and  cost-effective
manner.  The  findings of the Office of  Internal Oversight Services do  not
dispute that management judgement.

  "In many  respects, the project, at  inception, was driven  by a sense  of
urgency  to provide  an additional  measure  of security.   However,  it  is
acknowledged  that  at  the  time the  project  was  formulated,  inadequate
attention was given to  assessing how much added security the planned system
would afford and the operational feasibility  of the system on  a day-to-day
basis.

  "It  is also acknowledged that, during the course of implementation of the
project,  changes in  the  assignment  of key  personnel  led to  a lack  of
continuity in project management, including oversight by senior management.

95-37943 (E)   081295/...
*9537943*
  "As concerns  the selection  of the  contractor, it  should be  emphasized

that, as noted by  the Office of  Internal Oversight Services, requests  for
proposals were sent to 31 companies, of which 8 submitted proposals.   Three
companies,  which  were  considered  to  be   the  most  responsive  to  the
requirements and general specifications  of the request  for proposal,  were
short-listed;  one  of  these companies  subsequently  withdrew.    The  two
remaining   finalists,   Westinghouse   Electric  Company   (WEC)   and  NDC
Automation,  Inc. (NDC), were  both deemed  to have  had adequate expertise,
proven  reliability  and the  technological  support  for  their  respective
systems.

  "For  the final selection  of the  vendor, a  systems requirement criteria
evaluation  matrix was  developed  and  utilized;  in that  matrix,  several
elements identified as critical to the  project were quantified.   Thus, the
Department of  Administration and Management  disagrees with the  conclusion
of  the Office  of Internal  Oversight Services  that the  selection of  the
vendor to which the contract was awarded was not based on a set of  commonly
applied criteria.

  "Both  finalists were  companies with  experience as  system  integrators.
Both companies'  proposals entailed the use  of sub-contractors  in order to
incorporate the technologies of the latter  into a complete working  system,
including cards,  hands-free  card  readers, imaging  systems,  computerized
data-collection technology, turnstiles and cash registers.

  "One  major technical difference  between the  two proposals  was that NDC
proposed two separate  systems, using two  different operating  and database
systems,  one  for  identity  cards  and  readers  and  another  for  garage
operations.    This  approach  would  have  required  additional   hardware,
software and staff resources  and would have exposed the system to a  higher
risk of component failures.  WEC, in  contrast, offered a unified  operating
and  database system,  which was  preferred  as  the most  comprehensive and
cost-effective technical approach.   This conclusion was later validated  in
the implementation of  the Integrated Management Information System  (IMIS),
which has also focused on a centralized approach to database management.

  "Another major consideration in the selection  was that the NDC  proposal,
because of the limited  technology of its card readers, would have  required
two sets of turnstiles,  one for  entry and one for  exit.  This would  have
required the  installation of  twice as  many turnstiles  at each  location,
thus doubling the cost of this component and increasing maintenance costs.

  "There were  significant  differences in  the  costs  of the  two  systems
proposed:   excluding  maintenance, the  NDC proposal  totalled  $1,547,040,
while the  WEC proposal totalled $1,183,440, or $363,600 less.  The identity
cards proposed  by NDC cost  $12.50 each,  compared to a cost  of $5.50 each
for the  WEC cards; the  annual difference in  the cost  of the  cards alone
would consequently have been  $140,000 on the basis  of an estimated  20,000
cards a year.   Thus, the  WEC proposal  was decidedly  less expensive  than
that of NDC.

   "For the  reasons outlined  above, the  Department of Administration  and
Management  considers that the  selection of the  contractor was  made on an
appropriate basis at the time and that proper procedures were followed.

  "The Department of Administration and Management  does not agree with  the
Office  of  Internal Oversight  Services  that  testing  of  the system  and
documentation thereof were inadequate and that  testing was not performed in
accordance with  the contract.   By  its very  nature,  the system  required
several  tests during  its development  and  final  acceptance phases.   All
tests  were carried out  in accordance with the  provisions of the contract,
its  amendments or modifications  as required,  and were  duly registered in
milestone charts as an integral  part of the contract  documents.  Documents
on file confirm that  all tests were done when and where they were scheduled
to be executed.

  "When the garage access control  system, essentially an  accounting system

linked to  the Accounts  Division for  billing garage  parking, was  deleted
from the contract  with WEC, the  testing required  for this feature,  which
had  been envisaged  to cover  60 days, or  2 billing cycles,  was no longer
applicable and was therefore eliminated from the testing requirements.

  "In summary, the Department of Administration and Management  acknowledges
the  weaknesses  in  the  management  process  for  project formulation  and
execution as outlined above.  The  Department believes, however, that United
Nations Regulations and Rules, particularly in respect of procurement,  were
respected throughout the process."
Annex

REPORT OF THE OFFICE OF INTERNAL OVERSIGHT SERVICES ON THE
AUDIT OF THE UNITED NATIONS ACCESS CONTROL SYSTEM PROJECT


CONTENTS

  Paragraphs

I.  BACKGROUND ...................................................1 - 6

II.  SCOPE OF AUDIT ...............................................7 - 9

III.  SUMMARY OF AUDIT FINDINGS ....................................10 - 25

IV.  DETAILED FINDINGS ............................................26 - 75

V.  LIST OF MAJOR RECOMMENDATIONS ................................76 - 77


I.  BACKGROUND


1.  The United Nations access control system was a project undertaken  under
the  contract executed by  and between  the United  Nations and Westinghouse
Electric Corporation  (WEC) on  16 March  1992 to  design, develop,  supply,
instal,  test and implement, on  a turnkey basis, an electronic security and
card access control system.

2.  Security improvements were initially proposed in March 1987 by the  then
Chief of  Buildings and Commercial Services Division.  Three  years later, a
special security  task force determined an  urgent need  to upgrade security
arrangements and improve control over vehicle  access to the United Nations.
An initial working group was formed,  consisting of representatives from the
Security  and  Safety   Service,  the  Buildings  Management  Service,   the
Commercial Purchase and  Transportation Service and the Electronic  Services
Division.   The  group was  directed to  formulate the  initial request  for
proposal for  the supply,  delivery and  installation of  an access  control
system, to select  a vendor capable  of supplying and installing  the system
and to provide guidance in project implementation.

3.  In August 1990, the request for  proposal was sent out to 31 prospective
suppliers and 8  proposals were received by  the designated closing date  on
17 September  1990.   A revised  request for  proposal was formulated  on 26
February 1991 and was given to three remaining firms selected by the  group;
however, only two bids were  received.  On 27 August 1991, the contract  was
awarded to WEC.

4.   The access  control  system, as  stated  in  the certificate  of  final
acceptance, was completed,  tested and accepted by  the United Nations on 26
May 1993.   Following its  acceptance, its  activation was delayed  for more
than a year.   In September 1994, it was  formally announced that the system
would not be put into operation and would be  dismantled.  The Department of
Administration and Management,  after reviewing  the project and the  causes
for the  delays encountered  in activating  the system,  concluded that  the

system  could not  function efficiently as originally  specified because the
design was not realistic in terms  of the procedures and  resources required
to  operate and maintain it.   In a  note of 14  June 1994  addressed to the
Under-Secretary-General  for Administration  and  Management,  the Assistant
Secretary-General  for  Conference and  Support  Services  stated  that  the
system  would not  meet the  security concerns  of the Organization,  and it
was,  therefore, not in the  best interests of  the Organization to activate
the system.

 5.   The  total  costs  incurred in  the  entire  project amounted  to  US$
1,566,358.88, broken down as follows:

                                                                     $

  Contract with WEC                                           947 505.09

  Additional cards (20,000)                                   110 000.00

  Cost to relocate the access control system control
  centre to another room within the United Nations
  facility                                                     37 486.00

  External consultants:
    
    K. Jensen (appointed as project coordinator)              65 900.00

    DVI Communications (drafting of the contract)           20 256.95

    Contract with E.J.E.I.C. for site preparation work     385 210.84

      Total                                           1 566 358.88


6.   The total  amount shown  above does  not include  the significant  cost
incurred in terms of human resources  by United Nations officials  and staff
during the entire period spent  on the project from March 1990 to May  1993.
As certain components, valued at US$ 250,000 by management, could have  been
utilized for other  purposes, non-implementation of  the project resulted in
a net loss to the Organization of US$ 1,316,358.88.


II.  SCOPE OF AUDIT

7.   The audit by the  Office of Internal Oversight  Services of the  access
control  system included  a review  of the  project's initiation,  planning,
funding and  procurement process,  including award  of contract  as well  as
disbursements,  testing and final  acceptance by  the United  Nations of the
system and project implementation.

8.   We undertook  a further review  of the project,  which included  value-
formoney audit procedures to assess managerial and programme  accountability
and system development audit procedures in order  to identify the causes  of
project failure.

9.    Our preliminary  audit  findings  were  discussed  with the  officials
concerned,  and  their   comments  were  taken  into  consideration  in  the
preparation  of  the  report issued  on  4  May  1995.    The Department  of
Administration and Management sent  its comments to the  audit report on  19
July 1995.  They have been reflected in the present report.


 III.  SUMMARY OF AUDIT FINDINGS

10.    The audit  revealed management  deficiencies,  serious weaknesses  in
internal  controls and  flaws in  procurement.   Areas requiring improvement
were also identified.  These findings are summarized as follows:


A.  Project origination

11.   There was  inadequate planning  of the project.   No feasibility study
was  undertaken  prior to  the inception  of  the access  control system  to
determine its viability and cost-effectiveness.


B.  Funding/budget

12.    Budgetary  controls  were  not  completely  respected.    Contractual
commitments  were  entered into  prior  to  June  1991,  before seeking  the
approval  of  the   Advisory  Committee  on  Administrative  and   Budgetary
Questions  (ACABQ),   a  practice   that  is  contrary   to  the   Financial
Regulations.


C.  Working group/consultant

13.   No clear terms of  reference were established  for the United  Nations
access control  system working group and  for the  external consultant hired
by the United Nations.  The  responsibilities of individual employees tasked
with this project were not properly defined and formalized.


D.  Procurement

14.   Deficiencies  in  the  procurement process  did not  allow a  fair and
competitive bidding  procedure because the  original specifications for  the
United Nations access control system were flawed.


E.  Selection of vendor

15.   Weaknesses  were  noted in  the selection  of  the vendor  to  supply,
develop, install and implement the United Nations access control system.


F.  Contract formulation

16.  Deficiencies in the contract were noted.



 G.  Resolution of disputes

17.   The approach of  the Organization to  resolving contract  disputes was
uncoordinated.  The contract was modified to reduce the scope of work.


H.  Project delays

18.  The  imaging system originally  delivered by the  contractor failed  to
function,  causing  project delay.    Selection  of  a  new card  technology
introduced in mid-stream caused project delays and extra cost.


I.  Testing of the United Nations access control system

19.  Testing of  the system and documentation  relating to these  tests were
found inadequate.   Testing of  the system was  not performed in  accordance
with the contract.


J.  Contract amendments

20.   The  contract  amendment  was signed  ex  post  facto.   The  original
provisions of the contract were amended  and various important annexes  were
replaced.


K.  System documentation

21.  The  system documentation of the  United Nations access  control system
was found inadequate.


L.  Warranty period

22.  The one-year system warranty was wasted.

23.  On  the basis  of the Office of  Internal Oversight Services review  of
the project, the auditors developed recommendations  aimed at improving  the
general  procedures  dealing with  inception, execution,  implementation and
monitoring of United  Nations projects, procurement procedures and  contract
execution.   Changes  in  certain budgetary  and accounting  procedures were
suggested in order to enhance financial controls.

24.  The audit findings  indicate a financial loss to the Organization as  a
result of  this failed project but  do not  clearly establish responsibility
for  this loss.    Therefore,  this final  report is  being referred  to the
Investigation Section, which  is responsible for  inquiring into  reports of
possible violations  of  United Nations  rules, regulations,  mismanagement,
misconduct,  abuse  of  authority  and  waste  of  resources  as  defined in
paragraph 18 of the SecretaryGeneral's bulletin ST/SGB/273.

 25.   Although  the Department  of Administration  and  Management accepted
certain recommendations  and conclusions and took  remedial action, some  of
the findings were still contested, as detailed below.


IV.  DETAILED FINDINGS

A.  Project origination

There was a lack of proper  planning of the project.  No project feasibility
study was undertaken to determine viability and cost-effectiveness.

26.  In the  absence of a  feasibility study to determine if  implementation
of an  electronic card access system in the United Nations Secretariat would
be  viable  and   cost-effective,  the  Department  of  Administration   and
Management believes that the security reviews  made by two different  bodies
provided an  adequate basis  for initiating  the project.   Our  evaluation,
however, confirmed that such reviews could  not replace a feasibility study,
and its absence had  a negative impact on the implementation of the project.
For example, an important project component,  the garage access and  billing
control  system,  was  deleted, while  the pedestrian  and  vehicular access
control system at the  entrance gates was  retained.  Also, it would  appear
that the access  control system would allow anyone  in possession of a  lost
or  stolen identification card  not reported  and cancelled  to enter United
Nations  premises without  hindrance.   Therefore, we consider  the existing
system more reliable and secure compared to what was proposed.

27.   If a  feasibility study  had been  conducted, it could  have prevented
management  from deleting  an  important  component of  the  access  control
system in  the middle of  the execution stage of the  project.  However, the
system  was delivered with  only the  capacity to record the  entry and exit
time of  those  who  passed  through  it,  as well  as  identifying  invalid
identification cards.

28.   Earlier, the Department of  Administration and  Management reported to
ACABQ that one of its primary security concerns  was the garage.  Subsequent

developments  in the outside  world confirmed that terrorist plans involving
the  use  of   vehicles  were   contemplated  against  the  United   Nations
Secretariat building.  In addition, billing  and control procedures for  the
use of the United  Nations garage facilities, which are mostly manual,  were
always considered rather time-consuming and ineffective.

29.   The Office of  Internal Oversight  Services found that  United Nations
officials failed to  confer with the Protocol  and Liaison Service  prior to
inception of the project.  This Service was  not consulted during the design
process in  order  to identify  practical  problems  relating to  the  large
number of  temporary  passes  required by  delegates to  various  short-term
meetings at  United Nations Headquarters.   Attendees would  either have had
to be  relegated to using the  Visitors' Entrance exclusively  or the United
Nations would have had to incur  large expenditures in identification  cards
to accommodate the number of such delegates.

 30.  Had  the Protocol and Liaison Service  been properly consulted or  had
it been a part of the working group, United Nations officials from the  very
beginning would have known  that the project  was not viable because it  was
incompatible  with existing  procedures.   Experience  shows  that,  without
sufficient  user  involvement,  system  development  projects  have  a  high
probability of  failure. This  was the case  with the United  Nations access
control system.

31.  Management claims that the Protocol and  Liaison Service was consulted.
We  find  this to  be  in  contradiction  with the  assertion  made  by  the
Assistant  Secretary-General  of  the  Office  of  Conference  and   Support
Services and the  United Nations  Security Coordinator in  the report of  14
June  1994 submitted  to  the Under-Secretary-General  of the  Department of
Administration  and Management. It  was also  stated by  management that the
purpose of the project  was to enhance  security and "not to satisfy  staff,
diplomats or  non-governmental organizations and  therefore they should  not
be  characterized as  users".   The  Office  of Internal  Oversight Services
disagrees with  this view as  it is an obvious denial  of the United Nations
reality.

32.   As the  absence of  a feasibility  study shows, no  system development
standards  were   established.     Consequently,  there   was  no   standard
methodology used in the  project.  Had such  a methodology existed  and been
followed,  a feasibility  study, which  is  an initial  phase of  the system
development lifecycle, would have been undertaken.   The development of  the
project would  have been based on a formal statement  of requirements agreed
to  by users  and the  installation  standards would  have set  the  minimum
requirements for system and programme documentation. 

33.   The management disputed the  finding, stating that  a formal statement
of requirements was agreed to by the users with regard to computer  hardware
and  software.   However,  this  was  precisely the  problem.    A  specific
hardware/software solution was selected  that could not  be integrated  with
the day-to-day  procedures followed in the  Organization.  Furthermore,  the
Department of Administration and Management stated  that, since most of  the
components of the access  control system were  off-the-shelf products, there
was no  system design and development required except for  the garage access
and  billing  control  system  and  that  was  the  responsibility  of  WEC.
Additionally,  management stated that the access control system was procured
on a turnkey basis.

34.  The Office of Internal Oversight Services  disagrees with this position
and maintains that, even  with turnkey systems, certain steps in the  system
development life-cycle should be followed by the implementing  organization.
As far as the  garage access and  billing control system was concerned,  the
system development  life-cycle requires significant  interaction between the
users  and developers  of the  system at  critical  intervals in  the system
development process, which did not take place.

 B.  Funding/budget

Lack  of sufficient  budgetary controls.   Contractual  commitments  entered
into without advising ACABQ, contrary to existing Financial Regulations.

35.  The United Nations access control system  was started as a non-budgeted
project and  costs were not  properly budgeted  for prior to  its inception.
The project  was started  by concerned  United  Nations officials,  although
they had  not finally  decided on  the particulars  of how  to finance  this
specific  endeavour. Contractual commitments were entered into prior to June
1991, before  seeking the approval  of ACABQ, which was  in contravention of
financial regulation 13.1.

36.    The management  replied  that,  under  the  given circumstances,  the
budgetary  modalities  used  were  appropriate.    The  Office  of  Internal
Oversight  Services disagrees with  this notion and points  to the fact that
ACABQ in its  report of  15 July 1991,  stated such contractual  commitments
ran  counter  to  the  intent  of  General  Assembly  resolution  44/203  on
unforeseen  and extraordinary  expenses  in connection  with  the  1990-1991
programme budget.   Based on its  own findings, ACABQ  noted that,  although
the implementation  of the  access control system  was linked  to the  "Gulf
crisis", in fact it was related more  to problems of crime prevailing in the
immediate area of  the United Nations.  ACABQ  pointed out in its report  on
the 1992-1993 proposed programme budget that, in view  of this, it failed to
comment on  whether  the  project  proposal represented  the  most  suitable
approach for  addressing the  question of  increased security  arrangements.
It must  be admitted,  however, that  ACABQ eventually  approved the  budget
expenditures for the project, given that the project had already commenced.


C.  Working group/consultant

Lack  of  terms  of  reference  for  the  working  group  and  the  external
consultant hired by the United Nations.

37.  In  the absence of  a project  steering committee,  the United  Nations
access control system working  group could have played a crucial role in the
initiation  of the project,  provided that it had  formal terms of reference
and acted in accordance therewith.   Had responsibility been clearly defined
and a formal delegation  of authority been made, the frequent changes in key
personnel would not  have had such a negative impact on the  project as they
in fact  did.  Had the external consultant who  had oversight responsibility
been involved  throughout the life of  the project  and his responsibilities
clearly defined, the project would not have been so adversely affected.

38.    We  found  that  the   Working  Group  convened  meetings  and  acted
collectively to  raise and  discuss issues  relating to  the access  control
system.  However,  it seldom kept the  senior management informed about  all
major issues taken up  or discussed, nor did  it seek consultation or advice
on final decisions.   For example, when the project was not proceeding  well
and there  was a potential  that the  entire system as  originally specified
and designed  would  not be  delivered  and  completed  by the  vendor,  the
Working Group failed to inform the  Assistant Secretary-General for  General
Services or the Chief of the Buildings and Commercial Services Division  who
did not participate in meetings of the working group.

39.  The management, in its response, disputed  these facts, stating that it
was kept fully  informed at  each step  of the project  and that there  were
numerous instances  when management was advised  in writing or  participated
in meetings during the various stages of the  project.  While we acknowledge
that management was informed  of certain issues, we believe there is a clear
need  to seek  approval for  key  decisions, which  should be  documented in
writing.  In this  context, we did  not find any evidence that  approval was
sought  or received in  November 1992  when the decision was  made to delete
the garage access control subsystem and renegotiate the contract.

40.   The external  consultant commenced  work on  13 August  1990, but  his
responsibilities  were  not  described  or defined  in  his  special service
agreement or  in  any document,  except that  he  was  appointed as  project
coordinator.  His first contract expired on 12  December 1990.  It was again
renewed from 13 January  to 13 May 1991  and 23 March 1992  to 22  September
1992.

41.   According  to the  Department  of  Administration and  Management, the
consultant was  hired to assume oversight  responsibilities of the  project.
The Office of Internal Oversight Services  noted that the consultant  worked
on a staggered basis  and, simultaneously, was involved in the work for  the
World Summit  on the  Environment.   His  contract did  not allow  full-time
administrative oversight of the project.   The Office of Internal  Oversight
Services questions  the wisdom of this  decision, considering the  magnitude
of the project.


D.  Procurement

Deficiencies in the procurement process did  not allow fair and  competitive
bidding  to  assure the  best  possible  price and  service  to  the  United
Nations.

42.  Again, mainly  as a result  of the absence of a feasibility  study, the
requests for  proposals  sent to  31  prospective  bidders did  not  contain
adequate specifications  to meet the security  needs of  the United Nations.
It did not properly define the  scope of work and thereby  made it difficult
for  potential vendors  to provide  a  reasonable  estimate of  the project.
Inadequacies were noted in various vendors'  letters to procurement staff of
the Commercial Purchase and Transportation Service.

43.  The management  stated, in its response, that the original request  for
proposal dated  1  August 1990  was formulated  with the  objectives of  (a)
identifying a  state-of-the-art access control  system that would  generally
meet the technical and security requirements  of the United Nations  and (b)
identifying  prospective contractors  capable of  supplying such  a  system.
This   request  for   proposal  contained   general  requirements   covering
functional, system,  implementation, training and installation  information.
They  stated that  firms that  pointed out  inadequacies in the  request for
proposal were not seriously interested and/or  capable.  Their replies  were
considered to be not responsive and  were, therefore, not forwarded together
with  the  other  proposals  for  evaluation  to  the  Buildings  Management
Service.
  44.  The requirements and  scope of work should be defined in any  request
for proposal  in a manner  that allows vendors  to be  responsive.  However,
although requests for proposals were sent  to 31 vendors, only  8 responded.
After  analysis, five  vendors were  eliminated  and  a revised  request for
proposal was  submitted to  the remaining  three vendors  in February  1991.
According  to management, this request for proposal  provided additional and
new  detailed  information  on  the  pedestrian  and  vehicular  access  and
delegation parking procedures.

45.   We are  of the  opinion that  the revised request  for proposal should
have been sent to  a wider audience in  view of the fact  that it  contained
information  that was not  in the  original request for proposal  and of the
small number of remaining vendors from which to choose.

46.  While management  disagrees with the auditors, we maintain that, on the
basis  of our  review of  the  bidding  process, some  qualified prospective
bidders were eliminated from the competition owing to  a lack of clarity  in
the specifications.


E.  Selection of vendor

Weaknesses were  noted in  the selection of  the vendor to  supply, develop,

install and implement the United Nations access control system project.

47.  In the  opinion of the Office  of Internal Oversight  Services awarding
the contract to  WEC was not  based on  a set  of commonly applied  criteria
that would have included technical competence, experience and reputation  of
the vendor in  that particular  field.  Management  commented that two  main
criteria  were established for the  selection of the  vendor:  (a) extensive
experience in integrating highly technical computer  driven systems and  (b)
the technical expertise specifically related to  the provision of a security
system.  They further indicated that both of these criteria were fully met.

48.  However, the  Office of Internal Oversight  Services maintains that WEC
did not have sufficient experience in  this specific type of  project, using
a  highly advanced  card technology.   As  it was  only in  mid-stream  that
Westinghouse introduced  its own card  technology, the United Nations access
control  system  obviously was  the first  of  this kind  of access  control
system project  in which the firm  had been engaged  and, thus, it  appeared
that  the United  Nations  was supposed  to  be the  first  to use  the  new
Westinghouse technology. 

49.   It also appeared  that WEC did not have  qualified personnel to handle
the  project;  hence,  it  subcontracted  to  Epic  Systems  to  develop and
integrate  the garage  access  control  system software  with  WEC  standard
software  and the  delivery of  an imaging  system.    For the  latter, Epic
Systems in turn subcontracted another firm, USIS.

50.  Management describes subcontracting as  a common arrangement and points
to  numerous  instances where  the  results  have been  fully  satisfactory.
However, in this instance the  garage access control system software and the
imaging system  accounted for two  out of three  of the  major subsystems of
the  United Nations  access  control system.    Subcontracting  (and further
subcontracting) this  proportion of the system  was not  a prudent practice.
Layers of  subcontracting serve  to distance  the original  vendor from  the
project and  cloud accountability. Even the  relocation of  the system after
its delivery was subcontracted to Epic Systems.

51.   The subcontractors'  performance in  rendering the  required system or
service  for which  they were  subcontracted was poor.   The  imaging system
failed to work when it  was delivered on 18 May 1992  and was replaced  by a
Goddard imaging system on  15 October 1992.   The software that was supposed
to  make up  the garage  access control  system  was not  developed, thereby
resulting in the  deletion of the  entire garage subsystem  from the  United
Nations  access  control  system  project.    Thus,  it  appears  that WEC's
capabilities in the area of systems integration were questionable.

52.   The other  bidder was  a company  with proven worldwide  experience in
installing hands-free access control systems.   Its proposed system met  the
United Nations requirements  without any  need for  subcontracting, yet  WEC
was  chosen by United Nations  officials.  The working group's ratings given
to these  two vendors seemed to  be unbalanced with  regard to, inter  alia,
system modularity and vendor qualifications.

53.   Although the  Department of  Administration  and Management  disagreed
with our conclusion  that WEC was not the best choice as  contractor for the
United  Nations  access  control system,  we would  like  to point  out that
subsequent  events (inability by  WEC to  deliver the  garage access control
system, prohibitive maintenance cost, failure  to meet delivery schedules of
the  programmed access cards and to properly test  the United Nations access
control  system,  etc.)   confirmed  that  the  choice  of  the   contractor
substantially contributed to the final rejection of the project.

54.    The  original  proposal  by  WEC  was  US$  812,160,  plus  a  yearly
maintenance cost of  US$ 99,220  (total US$  911,380).   However, its  final
proposal  amounted to  US$ 1,332,505.09, including maintenance  costs of US$
135,000,  whereas,  the  other  bidder's  proposal  was US$  1,547,040  plus
maintenance costs of US$ 52,175 (total US$ 1,599,125).   The reason for  the

price  difference  between  the  proposals  originally  submitted  by  these
vendors  was differences  in specifications.    It  was found  that the  WEC
proposal  did not fully comply with the specifications  issued by the United
Nations.

55.   The other bidder  submitted a proposal  that complied  with the United
Nations  specifications in  every detail.    It  presented more  precise and
specific technical  specifications  as  compared  with  WEC.    This  vendor
submitted a letter dated 25 April 1991 that  specified this issue and  noted
that,  through its  contacts in  the  market, it  had learned  that  another
bidder  had   quoted  a   system  that  did   not  fully  comply   with  the
specifications  issued  by the  United  Nations  and  its  price quoted  was
considerably  lower than its  quote.   It then offered the  United Nations a
simpler  system  at  significantly lower  cost  and  therefore  requested  a
renegotiation  of its proposal.   An  Office of  Internal Oversight Services
review of  the technical proposals submitted  by these  two vendors verified
these facts.  Examples of these are discussed below.

 56.    The  other  vendor  proposed   the  implementation  of  the   garage
administration  and  access  control  functions  in  two  separate  computer
systems.   It emphasized that the  garage administration  and access control
functions  of  the system  were  two  completely  separate  functions.   WEC
proposed only one computer  system for both these functions.  The Office  of
Internal  Oversight Services  believes the  failure  of  WEC to  deliver the
garage  access control system leads to the conclusion  that indeed the other
proposal was more realistic.

57.  Another important  feature in the other proposal was access control for
short-term visitors,  which could  be handled  by a  stand-alone PC  system.
Management points out  that the Security and  Safety Service decided  at the
time when the technical  requirements were finalized  to exclude  short-term
visitors from  the access  system.  This  appears to support  the Office  of
Internal Oversight  Services contention that there  was reason  to allow the
other bidder to submit a revised and simpler proposal.

58.  There were three revisions of the  contract amount after the  selection
of the bidder but  before the contract was signed.  These changes eventually
increased the above amount from US$  911,380 to US$ 1,332,505.09,  including
maintenance costs.   This resulted in additional  charges by the vendor over
and above its original bid.

59.  Management  points out  that the cost of  the other vendor's cards  was
significantly higher than WEC's.  However,  the Office of Internal Oversight
Services believes  that part  of this cost  could have been  offset had  the
other  vendor's  technical  proposal  been  scaled  down  as  it  suggested.
Additionally, although  cost should always be  a large  factor in evaluating
bids, the viability of the overall proposal should also be considered.


F.  Contract formulation

Deficiencies in the contract were noted.

60.  The auditors found deficiencies in the  formally signed contract.  They
noted  that  the final  contract  was  prepared  using  two different  fonts
(styles).  Management  explained  that  this  occurred  due  to  the  use of
different   wordprocessing  software   at   different  stages   of  contract
development.

61.  We also  noted there were no  penalty clause  terms in the contract  to
penalize the vendor  for failure to  meet targets or schedules  specified in
the contract or for failure  of the project to meet contract specifications.
Likewise, there was no retention-of-payment provision made in the  contract.
The  inclusion of such terms to protect the interests  of the buyer has been
a standard practice in  project contracts.  Usually a 10 per cent  retention
is provided for in the contract.   We noted that this provision was proposed

by  DVI Communications,  the consultant  engaged  by  the United  Nations to
provide  assistance in  drafting the  contract,  i.e.  5 per  cent retainage
after the final  acceptance test certificate is issued and 5 per cent at the
end of the warranty period.


 G.  Resolution of disputes

Lack  of coordinated  approach of  the  United  Nations to  resolve contract
disputes. The contract was modified to reduce the scope of work.

62.   Under the initial contract,  the scope of  work of  the United Nations
access control system consisted of three hardware/software major  subsystems
that would all operate  in concert, namely, the  access control system;  the
garage access  control system; and the  badge/imaging system.   However, the
contract  was  modified  after eight  months  to  reduce the  scope  of  the
project.  The  garage access  control system, which  was a major  subsystem,
was deleted from the original  contract.  It was dropped, as agreed by  both
parties on  19  November 1992,  because  of  the contractor's  inability  to
develop  and customize  the software  which  would  serve the  garage access
control system.

63.  The reduction of  the contract amount by $250,000 with deletion of  the
garage access  control system appeared to  be disproportionate  to the total
project cost  as the  loss of  the garage  access  control system  subsystem
significantly  affected the  benefits to  be gained  from the  project as  a
whole. Management  submitted a  table showing  those specific  items in  the
original  contract that were  wholly or  partly taken  into consideration in
the reduction  of the  contract  price.   However,  the Office  of  Internal
Oversight  Services is of  the opinion  that the  Organization suffered more
than the  loss of the  individual components  of the  garage access  control
system  and  thus   the  contract  reduction  should  have  reflected   this
additional loss.


H.  Project delays

Imaging  system  originally delivered  by  contractor  failed  to  function,
causing project delay.

64.   We noted that the  imaging system originally delivered on  18 May 1992
by the subcontractor, Epic Systems, failed to function.   However, before it
was rejected by the United Nations, the contractor withdrew it and  replaced
it with  a Goddard  imaging system,  but only on  15 October  1992, after  a
lapse  of  five months.    This  caused a  delay  in the  completion  of the
contract.   However, no attempts were  made by the  United Nations officials
concerned  to negotiate a cost reduction and/or work  for the termination of
the contract at this stage.

65.   Final  acceptance and  sign-off of  the United Nations  access control
system according to the programme schedule  was scheduled for October  1992.
However,  in  November 1992,  when  the  garage  access  control system  was
dropped, the system was still not yet completed.

66.   The  contractor was  not only unable  to fulfil the  provisions of the
contract with  regard to performance and  delivery of  the finished product,
as specified  in article 40,  but also incurred  delay as  per definition of
the terms  of the  contract.   The delay  was attributable to  the defective
imaging system, to the inability of the vendor to develop the garage  access
control system  and, at  the end, the failure  of the vendor to  deliver the
access cards on time.

 Selection of a new card technology in  mid-stream caused project delay  and
extra cost.

67.   The United  Nations officials  accepted a new  access card  technology

introduced  by the vendor  in mid-stream  although this  technology was new,
unproven and more  costly.  The vendor did  not meet delivery schedules  and
could not provide the required number of access cards.

68.  The  Office of Internal Oversight Services  also noted that the  number
of needed access cards was not properly established  at the beginning of the
project.   This should  have been  included in  a feasibility  study.   Only
10,000 cards  were included in the  original contract,  although the request
for proposal  submitted  to the  vendors  had  clearly indicated  a  minimum
requirement of 24,140 and maximum  of 69,915 cards.  In May 1993, after  the
final execution of the  contract by the vendor and despite the fact that the
administration  had second  thoughts  about activating  the  system,  20,000
additional  cards were  requisitioned  at  a  cost  of  US$ 110,000.    This
purchase  order  was  also revised  in  August  1993  to  suit  the delivery
schedules  proposed by the vendor.   The vendor was not able  to comply with
the delivery  date, which  was revised  from May  1993 to  January 1994  and
final delivery was completed only in May 1994.


I.  Testing of the United Nations access control system

Testing of  the system and documentation  relating to these tests were found
inadequate.  Testing of the system was not performed in accordance with  the
contract.

69.   The demonstration  and testing of  the United  Nations access  control
system was carried out in Baltimore, Maryland, on 4 March 1993.

70.   We  found  that articles  8.0 to  8.06 of  the contract  on functional
testing were not  followed by the United  Nations officials involved  in the
project.  First, the functional testing was conducted  in Baltimore, whereas
the contract provided  that all testing be  conducted on site following  the
installation  of each  subsystem and  after  all  three subsystems  had been
installed.  The documentation  submitted in support  of the tests that  took
place in  Baltimore appears  to be inadequate  because it did  not follow  a
predetermined and preapproved test plan as called for in the contract.

71.   Secondly, the  final acceptance tests that  the officials claimed were
performed on  12 and  13  May were  not  conducted  in accordance  with  the
provisions stipulated in the contract.   The contract provided for a minimum
of 70 days of operation before a final acceptance test certificate would  be
issued. Management  contends that,  because of  the deletion  of the  garage
access control system, a period  of 70 days was no  longer needed and  a 10-
day test period  or less would have been  sufficient.  This certificate  was
issued on 26 May 1993  by the United Nations officials,  after only two days
of  system  testing.    The  certificate   appeared  to  have  been   issued
prematurely, in  direct contradiction with the  plan communicated  to WEC by
the Officer-in-Charge,  Buildings and  Commercial Services  Division, on  17
May  1993.   This  plan  stipulated that  the United  Nations would  issue a
certificate of final  acceptance seven days  after the system was  placed on
line, i.e. on 14 June 1994.


J.  Contract amendment

Contract amendment was signed ex post facto.

72.  The contract  amendment was signed  in August 1993 after the  execution
of a  final acceptance test certificate,  which certified  the completion of
the  United Nations access  control system.  The  following were the changes
made ex post facto:

  (a)   Deletion of  the subsystem pertaining  to the  garage access control
system from  the contract.  All references to this  subsystem were therefore
removed from the contract;

  (b)   Replacement of  the originally  specified Indala RF  card and reader
technology by Westinghouse technology;

  (c)    Replacement of  the  USIS  badge/imaging  system  (which failed  to
function when  it was  delivered in  May 1992)  by a  Goddard badge  imaging
system (which was  delivered only in  October 1992,  after a  lapse of  five
months).

Original  provisions of  the contract  were  amended and  various  important
annexes were replaced.

73.  The following  original provisions and annexes were amended or replaced
as a result of the amendment:

  (a)  Article 9.04(b)

  "Upon successful  conclusion of the final  acceptance tests  of the United
Nations access control system in accordance  with this article and performed
in accordance  with  annex 6,  the  United  Nations representative  and  the
contractor  shall sign the certificate  of final acceptance in  the form set
out in annex 13 of this contract."

The auditors noted the amendment was made to justify the limited testing  of
the system conducted  on 12 and 13  May 1993 as well  as the signing  of the
final acceptance test certificate  in accordance with the  form set out in a
new added annex;

  (b)    Annex  6  as  attached  to the  original  contract  called  for the
following test requirements:

  "Final  acceptance  tests  will commence  only  after  all  functional and
performance  tests have  been satisfactorily  completed.   Final  acceptance
tests will continue for a period of 60 days."

The revised  annex 6  was amended,  limiting the  testing of  the system  to
include  only the functional  and performance  tests and  deleting the final
acceptance  tests originally  provided for  (i.e.  to  run the  system under
actual operating conditions for a minimum of 60 days);

  (c)   Annex 5, Schedule  of payments,  in the original  contract, provided
for the payment  to the vendor of US$  142,125.76 for functional testing  of
the system.   Annex 5  was amended.  We  noted that this specific  milestone
was changed to "United Nations approval of results of United Nations  access
control system  functional testing  of software  using the  WSE readers  and
cards in  Westinghouse, Baltimore,  MD".   This was  amended to justify  the
payment made to WEC, to which the United Nations officials agreed;

  (d)    Apart from  the  above-mentioned  annexes, the  following important
annexes had also been replaced:

  (i)Annex  1, Hardware bill  of materials,  dated 21  January 1993, 110692,
revision E, attachment 1;

    (ii)Annex 10, Performance bond rider, dated 26 July 1993;

   (iii)Annex 12, Technical  specifications, dated 24 January 1993,  110692,
revision E;

    (iv)A  contract amendment also  deleted annex  3, Bill  of materials, in
its  entirety.   It  was thus  difficult  to determine  if other  equipment,
materials,  or peripherals,  etc. had  not been  delivered.  This  ended the
vendor's liability for non-delivery of all the materials listed in annex 3;

  (v)Lastly,  the contract amendment  included a specific provision that was
found  irregular  because   it  referred   to  the  final  acceptance   test
certificate.   This certificate, in  our opinion,  was irregularly executed,

as  no final acceptance  tests within  the context of the  provisions of the
contract had been actually performed.


K.  System documentation

System documentation was found inadequate.

74.  The systems  manual and the users  manual still contained  the original
United Nations  access control system as  contracted with  the garage access
control  system.    Thus,  the  system  and  users  manuals  still contained
information that  was no longer applicable.   If  the documentation received
from the vendor had been reviewed  by United Nations officials,  they should
have  discovered that the documentation was not updated.   This was contrary
to  article  13.01  of  the  contract  that  "the  Contractor  shall provide
documentation  with  appropriate updates  to  reflect  the  as-built  system
configuration for the United Nations and  the software modules including the
major  subsystems".    Article  13.03  also  provides  that   "documentation
prepared by the Contractor shall be subject  to review and written  approval
by the United Nations".   No evidence was found to  indicate that a  written
approval was  formally given.   We  also noted  that there  was no  security
manual prepared to complement the system nor a maintenance manual.


L.  Warranty period

The one-year system warranty was wasted.

75.   The  one-year warranty  period went into  effect from the  date of the
signing of the final acceptance test certificate,  26 May 1993, and  expired
on 25 May 1994.   During this period, the  system was never run under actual
operating conditions.


V.  LIST OF MAJOR RECOMMENDATIONS

76.   The Office of  Internal Oversight Services  highlights in the  present
report the recommendations  that, in its opinion, deserve priority attention
from management.

  (a)   On project  management, the  Office of  Internal Oversight  Services
recommends that,  in order to  help to ensure  that future  projects of such
magnitude and complexity as the United  Nations access control system  would
be properly  planned, managed, overseen,  and successfully implemented,  the
United Nations  should develop standard  project management guidelines  that
will  provide  appropriate  controls.    The  guidelines  should  include  a
mandatory feasibility study  among the detailed  elements of the development
process.   A  feasibility study  is  particularly  important in  every major
project  to ensure that  the Organization's  investment in  time, effort and
money is justified before it is undertaken;

  (b)  On procurement, the Office  of Internal Oversight Services recommends
that, before goods and services are acquired by the United Nations, a  needs
assessment  is  done.   The  Organization  should  establish  guidelines  to
improve bidding procedures  that include specific criteria for  establishing
the eligibility of  the contractors during prequalification.  Guidelines for
the preparation  of requests for proposals  should be  established to ensure
that specifications, requirements and standards are complete.   Criteria for
bid  evaluations and  the evaluation  of  contractors should  be  developed.
Functions should  be segregated to ensure  that the  procurement function is
separated from contract administration  and that monitoring  the project and
the vendor's performance is done by the substantive office;

  (c)   On contract formulation, the  Office of  Internal Oversight Services
recommends that advice and consultation should be sought from the Office  of
Legal  Affairs whenever  an amendment  is  contemplated and  such amendments

should be finalized in  a timely fashion with due consideration given to the
best interests of the Organization;

  (d)   The  United Nations  should also  ensure that  specific elements  of
internal  control are  exercised during  the project  life-cycle,  including
clear and  prompt documentation  of transactions and significant  events and
formal approval by senior United Nations  officials for all major decisions.
Continuous supervision should be provided to  ensure that control objectives
are achieved and  accountability for the  use of resources  is assigned  and
maintained.

77.  As  of 13 November 1995 and pursuant to the provisions  of paragraph 18
of the  mandate of the Office  of Internal  Oversight Services (ST/SGB/273),
the  Office  has  referred  this  matter   from  the  Audit  and  Management
Consulting  Division  to  the  Investigations  Section for  the  purpose  of
determining whether evidence can be adduced  that any current staff  members
have violated United Nations rules and  regulations in connection with  this
project.   Specifically, the  Investigations Section has  been requested  to
examine  four areas:  project planning, vendor selection, project monitoring
and project  acceptance.  The Investigations  Section may  extend its review
as warranted.


-----


 

This document has been posted online by the United Nations Department of Economic and Social Affairs (DESA). Reproduction and dissemination of the document - in electronic and/or printed format - is encouraged, provided acknowledgement is made of the role of the United Nations in making it available.

Date last posted: 18 December 1999 16:30:10
Comments and suggestions: esa@un.org