In the first half of 2021, the Global Fund’s Office of the Inspector General (OIG) audited Wambo.org, the organization’s digital procurement platform. The audit report is available here.

The audit aimed to assess the design and effectiveness of the digital procurement platform’s internal control measures for pooled procurements. The audit revealed that the platform has been expanding in terms of users and the number of procurement transactions and that it makes available more diverse health products to its users. Also, the audit found the platform easy to use and capable of managing procurement transactions and approvals. Moreover, the platform has a mix of preventive controls, designed to keep errors and anomalies from occurring in the first place, and detection controls, designed to detect errors or irregularities that may have occurred. The OIG noted that the number of grant implementers and countries using the platform has been increasing, with 26 new implementers and 11 countries starting to use the platform in 2020. This brings the total numbers of platform users to 170 implementers and 80 countries as of 2021.

However, the audit found the platform has some areas requiring improvement. The audit revealed that key application controls for platform set-up and transaction processing and information technology (IT) controls to safeguard availability and security are only “partially effective”. Also, the platform scalability to handle increased procurement transactions requires significant improvement.

The Global Fund launched Wambo.org in 2016 to allow grant implementers to reliably procure quality-assured health commodities at competitive prices. Since then, the organization has continuously improved the digital platform that supports its Pooled Procurement Mechanism (PPM). Every year, the Global Fund provides new health products and categories via Wambo.org. For instance, since 2016 the organization has offered treated mosquito nets, antimalarial drugs and HIV medicines; since 2017, diagnostic supplies, medical equipment, and non-core pharmaceuticals; since 2018, vehicles and IT equipment; and COVID-19-related products from 2020 onwards.

Procurement transactions through Wambo.org have been increasing each year. In 2019, health commodities worth $952 million were purchased via the platform. In 2020, purchase orders placed via the platform were worth $1.37 billion, translating into a 45% increase. The Global Fund estimated that the purchase orders for 2021 would double those of 2020.

Audit findings

Heavy reliance on manual controls due to extensive configuration of procurement flows impacts efficiency and potential scalability

The OIG noted that Wambo.org has multiple and complex procurement workflows handling the responsibility of moving data and documents involved in a procurement function from one step to the next. Procurement workflows are the set of predictable and repetitive tasks in a procure-to-pay process. The workflows vary depending on the order type, product category, and funding source.

The OIG noted the number of users accessing the platform was often more than the defined number. For instance, the OIG found that some grant implementers have up to 28 different users accessing the platform and eight different approvers. This makes the approval chain longer and at times grant implementers are forced to request manual workflow adjustments to bypass approvers, especially when the approvers are unavailable. Unfortunately, manual adjustments make it challenging to track the sequence of events and changes made, thereby posing challenges during audits. For countries that don’t recognize electronic approval, grant implementers are required to manually approve orders by uploading a scanned copy of the signed purchase requisition form. However, the OIG that there is limited verification of the authenticity of the authorized signatory at the time of placing an order.

The audit reveals a heavy reliance on experienced staff to manually check the data integrity for each transaction. This substantial reliance on manual controls, however, affects efficiency and contributes to delays in delivering procured products. Also, the audit reveals a system design gap relating to updating product prices. The prices of products are managed in the Product Master database which can be updated without a second-person review or approval. Safeguards against changes in the platform are not activated and teams rely on manual controls, such as offline price monitoring. Also, the platform is designed for a limited number of non-Global Fund financed procurements that are highly dependent on manual processes for tracking submitted orders before they are processed.

Agreed management actions

The head of the Supply Operations Department is required by 31 December 2022 to establish an appropriate internal control framework for procurements that will

• Map out the roles and responsibilities of different internal and external users of the platform
• Update the platform’s process maps
• Cover data and reporting

The Secretariat places full reliance on Procurement Service Agents without assurance of health product deliveries

The OIG noted that the Secretariat receives limited assurance on product delivery from Procurement Service Agents (PSAs). The Global Fund pays PSAs for their services in managing the delivery of health products from suppliers to grant implementers. However, the audit revealed that the Secretariat does not verify if PSAs fully delivered the procured health commodities before the Fund pays them fees and logistics costs. Rather, the Secretariat relies on PSAs to confirm full delivery and grant implementers for escalating issues with products ordered or received. Furthermore, the Secretariat has not independently audited the recorded PSAs to verify their accuracy (quantity and quality), enhance service delivery, and pick up early warning signs for potential risks.

The OIG noted that PSAs use their own purchase orders that are different from the ones placed on Wambo.org, thereby posing a challenge for the Secretariat to reconcile products requested. PSAs can convert one Wambo.org order to multiple orders, making it complex and time-constraining for manual reconciliation. To compound the problem, the product names of the two systems might be different as well as the units of measurement.

Agreed management actions

By 31 December 2022 the head of the Supply Operations Department is required to undertake regular independent verifications of PSA records to:

• Assess the accuracy of PSAs’ reported information; and
• Check the information used to confirm product deliveries with the grant implementers.

A need to address residual IT security risks

Wambo.org has over 2,100 internal and external users. The internal users are the Global Fund Secretariat staff while external users are both grant implementers and PSAs. The Secretariat staff are all enrolled in multi-factor authentication (MFA), a security technology that requires multiple methods of authentication from independent categories of credentials to verifying a user’s identity for a login or other transaction. MFA reduces IT security risks such as phishing. The IT unit has made considerable efforts to enroll most of the users in the MFA program. However, mainly due to legal issues, some external users have not yet been enrolled and are thus vulnerable to phishing.

The OIG noted a need to communicate Wambo.org availability and downtime expectations. This would enable a user to understand and agree on availability expectations if there is downtime as well as inform the need to resort to manual processes as a temporary measure in case of platform unavailability. The audit revealed that there were delayed platform upgrades occasioned by the need to check all updates before implementation. Also, the audit revealed sub-optimal documentation of the upgrades received from the suppliers.

Agreed management actions

By 31 December 2022 the Chief Information Officer of the Information Technology Department is required to further strengthen IT risk management by:

• Enrolling the residual external users in MFA or providing a similar solution
• Communicating platform availability and downtime expectations with all stakeholders
• Strengthening the process of reviewing and testing platform releases to ensure upgrades
• Continuously monitoring release documentation issues with the supplier

Commentary

PSAs play a vital role in the Wambo.org procurement cycle as grant implementers rely on them to deliver purchased medicines and health products procured with Global Fund grant funds. However, it is the Secretariat that pays PSAs for that service. The audit finding that the Secretariat pays PSAs for their service without independently confirming the full delivery of products poses a risk of not verifying the quantity and quality of delivered products or the timeliness of the deliveries. To address the challenge, the OIG calls for the Secretariat to independently verify PSAs records for accuracy. However, this only partly addresses the problem. Checking with grant implementers to verify that the procured products or services are delivered in the desired quality and quantity before paying PSAs would go a long way to addressing the challenge. Since the Secretariat pays for goods and services that grant implementers order, it makes sense to first check with them before making payments on their behalf.

As the Global Fund plans to scale up the use of Wambo.org, the organization needs to have in mind its country ownership principle and its resolve to strengthen national health systems. The OIG noted that the number of grant implementers and countries using the platform has been increasing. At what point will the Global Fund support countries to strengthen their own national procurement entities? Although this was not within the scope of the audit, the Global Fund needs to rethink its focus and perhaps begin a conversation on how to strengthen in-country procurement entities to the level of Wambo.org. This is important when viewed through the sustainability lens. If anything, some countries use their own procurement entities to procure Global Fund-supported health commodities at competitive prices. For instance, the 2018 and the 2022 OIG audits of Global Fund grants to Kenya highlighted the country’s procurement and supply mechanism as a good example of a well-functioning system. In fact, the OIG noted that Kenya’s government procurement agency secured prices up to 21% lower than PPM prices for antiretroviral medicines for 2016 and 2017.