Fiscal Year Report 2011 - World Bank, documents.worldbank.org/curated/en/...

Annual Fiscal Year Report 2011

Internal Audit Vice Presidency

FOR OFFICIAL USE ONLY

Public Disclosure Authorized


Abbreviations

AAA: Analytic and Advisory Activities
ACBF: African Capacity Building Foundation
AI: Access to Information
AMC: Asset Management Company
AML/CFT: Anti-Money Laundering and Countering the Financing of Terrorism Framework
CAE: Chief Audit Executive
CFPVP: Concessional Finance and Partnerships Vice Presidency
COSO: Committee of Sponsoring Organizations of The Treadway Commission
DGF: Development Grant Facility
FIFs: Financial Intermediary Funds
FPAP: Five Point Action Plan
GEF: Global Environment Facility
GFDRR: Global Facility for Disaster Reduction and Recovery Partnership
GTLP: Global Trade Liquidity Program
HQ: Headquarters
IADVP: Internal Audit Vice Presidency
IBRD: International Bank for Reconstruction and Development
ICFR: Internal Controls Over Financial Reporting
IDA: International Development Association
IFC: International Finance Corporation
IIA: Institute of Internal Auditors
iLAP: Integrated Loan Administration Platform
IMT: Information Management and Technology
INFRA: Infrastructure Recovery Assets Program
INT: Integrity Vice Presidency
IRMR: Integrated Risk Monitoring Report
KPIs: Key Performance Indicators
MAP: Management Action Plans
MIGA: Multilateral Investment Guarantee Agency
MLT: Matrix Leadership Team
OIS: Office of Information Security
PACT: Partnership for Capacity Building in Africa Trust Fund
QAIP: Quality Assurance and Improvement Program
RBR: Development of the Risk Based Releasing functionality
TFMF: Trust Fund Management Framework
UN: United Nations
VPU: Vice Presidential Unit
WBDocs: Bank-wide document repository system
WBG: World Bank Group


World Bank Group Internal Audit Vice Presidency

Introduction and Internal Audit Vice Presidency’s (“IAD”) Mandate

The core work of the World Bank Group (WBG) is overcoming poverty and boosting growth. To guide the achievement of this overarching goal, the Bank Group outlined a strategic framework through its April 2010 paper on Post-Crisis Directions to help shape its priorities. During FY11, the Bank Group demonstrated its strong commitment to support growth and recovery through a combination of lending and knowledge services. At the 2010 Spring Meetings, the Governors endorsed a comprehensive modernization agenda for the WBG, with the goal of creating a group that is strategically focused, financially stronger, and more responsive, transparent, and accountable.

With the pace of change underscoring the WBG’s complex modernization agenda, it is important for IAD to support the organization’s ability to identify, assess, and mitigate key risks by providing insightful, high quality recommendations for improving internal controls and risk management. IAD is an independent and objective assurance and advisory function designed to add value to WBG by improving the operations of WBG’s entities. It assists WBG in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s governance, risk management, and control processes. IAD also focuses on raising awareness of risks and controls, providing advice to management in developing control solutions, and monitoring the implementation of management’s corrective actions to mitigate risks and enhance controls. IAD’s work is carried out in accordance with the Institute of Internal Auditors (IIA)’s International Professional Practices Framework.

Oversight of IAD

IAD reports to the President and is under the oversight of the Audit Committee. The Audit Committee of the Board of Executive Directors has a mandate to assist the Board in overseeing the World Bank Group’s finances, accounting, risk management and internal controls. The Audit Committee oversees the external auditors with respect to the integrity of the financial statements for the entities and financial reporting for trust funds; the Integrity Vice Presidency with respect to anti-fraud and anti-corruption measures; and IAD with respect to internal controls.

The Audit Committee’s responsibilities with respect to IAD include:

- The review of IAD’s Terms of Reference and recommendation to the Board for approval.
- The review of IAD’s annual Work Program and recommendation to the Board for approval.
- The review of the results of IAD’s work which covers governance, risk management and internal controls over operations and compliance with key provisions of IBRD/IDA, IFC and MIGA’s charters and policies.
- The review of the overall effectiveness of IAD.

On at least a quarterly basis, IAD briefs and updates the President and the Audit Committee on engagement outcomes and the progress of management action plans to improve WBG’s control environment. IAD also briefs the Audit Committee on any changes to the annual Work Program that may occur as a result of emerging risks or additional requests from Management for advice on internal control matters.


Foreword from the Vice President and Auditor General


During FY11, the World Bank Group sharpened its focus on areas where it can add most value: targeting the poor and vulnerable; creating opportunities for growth; promoting global collective action; strengthening governance; managing risks and preparing for crises. IAD was well positioned to help the Bank Group achieve its goals and meet heightened stakeholder expectations by providing independent, objective and candid reviews stemming from dynamic assessments of risk.

This Annual Report for FY11 describes the outcomes of individual engagements and the status of management action plans. The report also highlights risk and control themes based on the body of work undertaken by IAD during the year.

In FY11, IAD implemented an issue level ratings framework to help management to differentiate control issues that have an institutional impact from those that can be addressed at an operational level. The framework is also designed to support management in prioritizing corrective actions on the basis of risk. We focused considerably more time on WBG-wide engagements than in previous years, with the aim of identifying cross cutting control themes as well as to highlight good control practices that can be shared across WBG entities. Significant strides were made in enhancing the quality and timeliness of quarterly reporting to Management and the Audit Committee and that reporting now includes detailed information on the status of outstanding management action plans.

Our ability to plan and successfully conduct risk-based reviews that yield reliable insights, and assessments that management can leverage to improve its business outcomes, is highly dependent on the technical competencies of our staff and the quality of our internal processes and methodologies. To this end, we have established a Professional Practices team to focus on continuously upgrading our technical practices and skill sets, and benchmarking our tools and quality assurance processes against industry leading practices. The implementation of a mid-year risk assessment refresh also helps IAD to better respond to the changing risk profiles within the organization. The formal mid-year update to our understanding of risk supports adjustments to the Work Program and is a step towards a more dynamic assessment of risk rather than it being an annual “point-in-time” exercise.

In order to better align our risk assessment approach with management’s risk framework, we integrated the institutional definitions of risk categories into our own risk assessment processes. IAD has collaborated extensively with the office of the Group Chief Risk Officer to leverage as well as strengthen management’s ongoing efforts to integrate risk management activities across the Bank Group entities.

As we look forward to the challenges of FY12 and beyond, IAD will continue to partner with management as well as other risk and control functions, while maintaining our professional independence and objectivity to deliver high impact, value-added results for the World Bank Group.

I would like to extend my sincere appreciation to the President and the Audit Committee for their continued leadership and guidance and to WBG management for collaborating and extending their courtesies to our audit teams. I would also like to specially thank all IAD staff for their exceptional dedication, professionalism, and commitment to the World Bank Group’s mission and IAD’s mandate.

Clare Brady
Vice President and Auditor General


Executive Summary

This Executive Summary is intended to provide (i) a qualitative assessment of key observations and trends in WBG’s risk management, governance and overall control environment and (ii) a synopsis of significant changes and developments in IAD’s methodology and professional practices.

IAD’s FY11 Work Program results span risk management, strategic initiatives, IT reliability, operational efficiency and effectiveness and financial prudence. Forty-four engagements were completed during FY11 comprising reviews of key end-to-end World Bank Group business processes, operations, corporate, administrative, and information technology areas.

Our qualitative assessment of control trends draws on the body of work undertaken by IAD during the year, through assurance and advisory engagements, observation of control practices, ongoing dialogue with WBG management and the Audit Committee, and knowledge of historical risk and control issues. By its very nature, the control environment is dynamic and evolving, which requires the institution to constantly tailor its risk management, governance and control practices to meet changing business needs. As such, the perspectives provided below reflect progress made by management since our last annual report, as well as ongoing challenges and emerging priorities that require continued attention.

Risk assessment and risk mitigation at the business process level should be driven by institutional risk appetite.

Each entity (Bank, IFC and MIGA) has made notable progress in developing risk frameworks, assessment processes, risk oversight, and reporting mechanisms. During FY11, as part of WBG management’s ongoing effort to provide an integrated overview of risk management activities at the institutional level, the Bank issued its second Integrated Risk Monitoring Report (IRMR), concurrently with similar risk reports issued by IFC and MIGA. Collaboration across the Group has allowed the Bank, IFC, and MIGA to develop risk taxonomies that reflect the nature of each entity’s business activities while being aligned at the highest level for purposes of reporting to Senior Management and the Board.

However, there are aspects of existing processes that require attention from both the Board and Senior Management, in order to provide a holistic view of integrated risk management across the Group.

- There is no top-down view of institutional risk appetite to guide key business decisions based on strategic factors. While there is understanding of acceptable levels of risk in individual areas (such as corporate finance, and treasury), it is less formalized in other corporate administrative areas and in operations.
- There is a need for systematic risk identification, measurement and management processes at the business process level, based on a top-down view of institutional risks. While there are institutional risk assessment exercises (such as the “Risk Scan” for the Bank), these are not adequately linked to: (i) identification of relevant risks at the business process level; (ii) mapping of those risks to day-to-day business activities; (iii) assessment of the likelihood and impact of significant risks; (iv) identification of relevant controls to mitigate those risks; and (v) ongoing assessment by business owners of the continued effectiveness of those mitigating controls. IAD’s reviews in several areas (such as information security, vulnerability management, employee benefits, corporate insurance and IFC’s Anti-Money Laundering framework) indicated the need to move away from a transactional focus to a more comprehensive risk-management focus at the business process level.

Efforts to fully integrate risk management across the Bank Group will require a phased approach with clear milestones and medium term priorities. In this regard, IAD welcomes the establishment of a Group Chief Risk Office function and the related creation of a Risk Council, and a Risk Advisory Group. A Working Group has also been formed to define risk appetites, building on the WBG risk taxonomy. These developments are a significant step in strengthening the overall governance framework.


Operationalization of strategy and internal reforms require continued focus.

One of the main objectives of the business modernization effort, spearheaded by Senior Management, is to make the World Bank Group more results-focused. Significant momentum has been achieved in this regard through several related initiatives: refining the IDA 16 Results Management System, reviewing the functioning of the matrix, and strengthening global technical practices.

The Bank’s modernization and reform agenda is broad and complex, requires continuous and systematic monitoring, and strong accountability mechanisms to ensure effective implementation. The Bank’s Reform Secretariat, established during FY11, has played a major role in engaging staff and in coordinating, monitoring and reporting on progress to Senior Management and the Board. In addition, specific implementation structures have been established, including the Knowledge and Learning Council and the Matrix Leadership Team (MLT) for managing important aspects of the Reform Agenda. While significant progress has been made under the guidance of these units, IAD’s reviews indicate the need for more systematic monitoring of project implementation. Project plans should be detailed and comprehensive, and establish clear ownership for estimating resource requirements, identifying and agreeing upon time-bound implementation milestones and monitoring delivery.

As indicated in IAD’s FY10 Annual Report, “mainstreaming” the reform agenda, ensuring sustainability and establishing strong accountability mechanisms, is an ongoing challenge. In this regard, IAD welcomes the recent changes with regard to Managing Director portfolios, which will help better align the Bank structure with the three core activities: Regional Operations, Knowledge and Learning, and Operational Services, Policy and Systems. The creation of the new Managing Director group for operational services, policy and systems is a positive step towards strengthening integration across the Bank’s operational services.

Several related initiatives are underway, including strengthening the accountability in regional quality assurance functions and upgrading the reporting architecture. To support this effort, during FY12, IAD will conduct a review of the quality assurance processes for investment lending operations. The MLT is also working to tighten governance and accountability. IBRD/IDA management has developed a Corporate Scorecard that will serve as a key tool for strategic engagement and accountability with the Board in the context of overall effectiveness and results. IFC formed a Corporate Task Force to help guide the implementation of its modernization program in a way that maximizes the benefits of the changes for staff and clients. MIGA developed a statement of accountability for management with clear delineation of roles and responsibilities. IAD will undertake reviews of key strategic components of the reform agenda during FY12, as detailed in the paragraph below.

Management’s on-going implementation of the Five Point Action Plan (FPAP) has strengthened the design of IDA Controls.

IAD’s advisory review of management’s implementation of its Five Point Action Plan (FPAP), in response to the findings of the 2008 IDA Controls Review, highlighted the progress made by IBRD/IDA management. While most of the corrective actions have been implemented by management, work is still underway in the areas relating to: (i) consolidation of investment lending and operational policy reform; (ii) review of accountability arrangements; (iii) accessibility of operational documents by staff; and (iv) rationalization of processes and controls around Analytic and Advisory Activities (AAA). IAD will validate the operating effectiveness of the majority of the controls implemented as part of the FPAP, during its planned FY12 reviews of: (i) regional quality assurance processes; (ii) institutional monitoring of procurement activities; (iii) risk-based resource allocation approach for project implementation support; (iv) management of regional programs; and (v) management of crisis response and emergency operations.


Strategic alignment of trust funds remains a priority.

Integrating trust funds and related processes remains a focus area such that trust-funded activities follow the same internal processes as lending operations and bank budget funded analytical work. IAD undertook a broad portfolio of trust fund related engagements during FY11 designed to cover key aspects along the trust fund life cycle: fund raising activities, integration of trust funds into country programs, financial management of trust funds, and trust fund cost recovery arrangements. IAD provided specific recommendations for strengthening the alignment of network-managed Bank executed trust funds, the treatment of Financial Intermediary Funds (FIFs) in Country Programs, and the methodology for recovery of trust fund administration costs.

Progress has been made in the implementation of the Trust Fund Management Framework (TFMF) during FY11 and IBRD/IDA management has undertaken an evaluation of the TFMF to enhance the strategic alignment, risk management and cost-efficiency of the trust fund portfolio. At the country level, recipient-executed trust funds are increasingly discussed in Country Assistance Strategies and Country Portfolio Performance Reviews. IBRD/IDA management will undertake further work during FY12 to ensure that trust funds complement Bank operations and strategic priorities, and enhance corporate accountability, predictability and sustainability of trust funds. A senior level working group has also been convened in order to identify and facilitate convergence towards regional best practice in trust fund management, including aspects relating to integration of Bank Executed Trust Funds in the corporate budget and their alignment with Country Assistance Strategies and sector strategies. In addition, the Concessional Finance and Partnerships Vice Presidency (CFPVP) has made significant efforts to improve fund raising coordination.


IAD also welcomes the efforts by CFPVP to develop a new framework for Financial Intermediary Funds to facilitate a more strategic engagement on FIFs. Strengthening the design, management and oversight of FIFs has been acknowledged by management as a focus area, recognizing the need to be responsive to global mandates while maximizing efficiencies in aid delivery. IAD will continue to work closely with CFPVP and other units during FY12, to support further trust fund reforms.

WBG information security integration has improved but still requires focused attention.

Management has taken significant steps to reduce fragmented information security practices through the establishment and growth of the Office of Information Security (OIS). A “defense-in-depth” protection approach has been deployed, which includes firewalls, network segmentation, intrusion detection and prevention systems, and a virtual private network for remote access. IAD’s FY11 audit results in the areas of information security and vulnerability management show that there is a need for better aligning the information security strategy with a clearly defined risk appetite and for conducting a comprehensive risk assessment using the newly established IMT risk framework to better determine the options and levels of risk mitigation. While the integration of OIS into the broader IMT structure will allow better alignment with the business, continued coordination and communication between OIS, Treasury Information Security and Corporate Business Technology Information Security is needed to ensure information security capacity and expertise built by OIS is leveraged effectively. During FY12, IAD will conduct a review of the management of the two-factor authentication and network perimeter security across the Bank Group entities.


The implementation of the IMT strategy is streamlining the IT organization.

As the Bank Group enters the midpoint of the Information Management and Technology (IMT) three-year strategy, key elements of the federated model are taking shape. The strategy has an extensive agenda, and successful implementation will require long-term leadership engagement in IT strategy and organization, investment planning and business solutions delivery. As part of this strategy, IMT has identified critical programs that enable modernization of core business capabilities, improve information transparency and access and deliver global mobile solutions to support decentralized operations. Potential risks of the federated model include the complexities of coordinating implementation efforts across many units and ensuring sustainability after the transition period. The success of this model requires strong central IT coordination and sustained commitment amongst different lines of business to deliver on shared responsibilities across the WBG. IAD will undertake a review of the IMT strategy implementation during FY12, with a view to assessing the alignment of IMT priorities and resources with its business goals.

Greater focus on resolving known issues will strengthen the Bank Group control environment.

The review of IAD’s engagement outcomes and other institutional reports indicates many of the issues raised are “repeat” observations that have been previously flagged. While there has been improvement in management responsiveness in addressing significant control issues, follow-up to implement corrective action is not always systematic or timely, leading to recurrence of issues raised in prior year reports. This has contributed to the time lag between identification of issues and implementation of management actions to fully address the risk exposures. During FY12, IAD will focus, through its follow-up process and quarterly reporting mechanisms, on sharper signaling of management responsiveness in implementing timely corrective actions.


The effective implementation of the World Bank Access to Information Policy (AI Policy) has promoted greater transparency and accountability.

The AI policy, implemented in FY11, constituted a radical shift in the Bank’s disclosure paradigm, by moving towards a general presumption in favor of disclosure. IAD’s advisory review of this integral component of the Bank’s overall reform agenda highlighted the extensive work undertaken by management to put in place the infrastructure and related business processes to facilitate implementation of the policy. The “building blocks” that contributed to effective implementation included preparation of extensive guidance for staff training, development of related policy statements on records management and information classification and an effective oversight and governance mechanism at the institutional level.

Senior management oversight of HR reform initiatives is important for program success.

The recent institutional risk assessment reports point to the need for a more strategic and integrated approach to human capital management to continue to attract and retain a world-class WBG staff. Management is reviewing several aspects of the institutional policy framework relating to recruitment, compensation, competencies, learning and development, performance management and succession planning. The implementation of these HR reform initiatives in the Bank will require systematic oversight. During FY11, IAD’s review of the management of WBG benefits program, one of the key components of the overall HR policy framework for human capital management, highlighted the need for improved design and implementation of policies, enhanced monitoring and performance standards.


Management information could be better aligned to business needs to support strategic decision making.

Management information is not always systematically captured across business processes to support critical business decisions. Costing practices are not uniformly followed at the business unit level, leading to potentially inconsistent management information. There is a need for greater alignment of coding structures and data definitions to business needs. For example, in the area of trust funds, the underlying processes for recording and capturing trust fund administration costs require strengthening to permit robust analysis and cost allocation at the institutional portfolio level. Complexity of coding limits the ability to meaningfully aggregate data, conduct analysis across products and business processes (e.g., knowledge products, trust funded products, HR related data) and requires greater use of assumptions and estimates. Alignment of management information with business needs will foster selectivity in making strategic choices and trade-offs and will reinforce accountability for results.

A more efficient process for development and ongoing maintenance of IBRD/IDA institutional policies is required to ensure continued relevance.

While considerable effort has been undertaken by Bank management in updating several components of policy and procedures (e.g., safeguard policies, operational procurement related policies), a more robust process is required for developing and updating overall institutional policies and procedures. Processes supporting policy development and maintenance remain inconsistent. There is often the need for clearer differentiation between mandatory policy requirements, recommended guidance and good practice. IAD’s reviews during FY11 indicated the need for better alignment of operating practices with policy provisions in certain areas. As part of the modernization agenda, IBRD/IDA management is undertaking an overall reform of the Bank’s Operations Manual. In FY12, IAD will conduct an audit of the framework for development of policies and procedures in the Bank to support management’s ongoing efforts in this area.

IFC’s regional risk management processes to support decentralization efforts will need systematic oversight.

As part of its focus on decentralization and becoming a more client-centric organization, IFC management has made substantial progress in delegating risk management activities to field offices, with the Istanbul Regional Operations Center becoming fully functional. IFC has also shifted some of its risk functions to field offices and mapped the Headquarters (HQ) based risk specialists to regions. To ensure effective implementation of this decentralized model, management focus is required to move from a primarily “people-oriented” approach to a more structured “process-based” model. This will entail striking the right balance between a top-down approach in terms of designing an effective oversight and monitoring framework while still providing enough autonomy to the regional operation centers to support business needs.

Periodic assessment of project benefits in IFC’s system development life cycle can be improved.

In IFC, IAD’s reviews of specific systems (such as ICAS-E, iDesk) indicated there is scope for introducing a more robust process for defining and tracing business functionality requirements to system and user testing, to measure the realization of stated project benefits, at inception, during the life cycle, and upon completion. IAD will undertake a review of specific system renewal projects relating to HR and Summit (for major treasury activities) as part of its FY12 Work Program.


Changes in IAD’s methodology have fostered delivery of value added results.

FY11 marked the first year of implementation of (i) an issue level ratings framework to help drive more meaningful audit dialogue; and (ii) a mid-year risk assessment refresh to make adjustments to IAD’s Work Program taking into account changes in risk profiles. IAD also transitioned fully to an issue based follow-up process, to enable timely follow-up and reporting on the adequacy and effectiveness of management corrective actions for all outstanding recommendations. An independent external assessment of IAD’s professional practices was conducted by the Institute of Internal Auditors (IIA) during the year, in line with the requirements of the International Professional Standards for Internal Auditing. IAD received the highest rating.

Towards the end of FY11, IAD established a Professional Practices Team to build and maintain robust internal processes and support strong engagement with key stakeholders. In FY12, planned actions to improve technical practices include: (i) advancing the systematic use of data analysis in IAD engagements; (ii) refining IAD’s approach to advisory engagements; and (iii) recalibrating rating definitions based on retrospective analysis of FY11 results.

Management Response

The World Bank Group’s Management Team welcomes the FY11 Annual Report of the Internal Audit Vice Presidency. We appreciate IAD’s overview of the control themes and emerging priorities that require management’s continued attention. In the past year, Management has established a governance structure for our business modernization agenda. As part of this agenda, we have focused attention on our reform priorities and actions across a number of functional areas highlighted by IAD – risk management, information security, information management and technology (IMT) strategy, trust funds, and HR policy framework. In that context, the creation of the new Managing Director group for operational services, policy, and systems is an important step towards strengthening integration across the Bank’s operational services. The establishment of the Group Chief Risk Officer, along with the creation of a Risk Council, and a Risk Advisory Group, is also an important milestone in strengthening the overall governance framework. Furthermore, we have made significant progress in the implementation of the Trust Fund Management Framework and in redesigning IDA controls, as part of the Five Point Action Plan (FPAP). The modernization program is a Group-wide effort, and, while the specifics differ among the institutions, the drivers of reform – sharper focus on results, openness and accountability, and more efficient processes – are the same. Management is committed to implementing timely, corrective actions and pursuing its reform efforts in order to create a more flexible and agile institution. We look forward to continuing to work with IAD to maintain a strong control environment and meet the evolving needs of the Group.

Table of Contents

World Bank Group’s Internal Audit Vice Presidency

Foreword from the Vice President and Auditor General

Executive Summary

Management Response

FY11 Work Program Summary

Engagement Outcomes

Advisory Summaries

Methodology and Professional Practices

Budget and Staffing

Appendices

FY11 Work Program Summary

The FY11 Work Program was designed to align with the World Bank Group’s strategic priorities, consistent with the IIA’s International Standards for the Professional Practice of Internal Audit (Performance Standard 2010), which requires the chief audit executive to establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals. The objective was to provide a balanced work program that covered strategic initiatives, operational efficiency and effectiveness, financial prudence, risk management and IT reliability. The development of IAD’s FY11 Work Program was undertaken through an enhanced risk assessment process. This included a streamlined audit universe, use of a standardized risk taxonomy, and consideration of the results of other oversight and control units. The FY11 Work Program included an increased focus on Group-wide reviews, compared to FY10, to enable IAD to draw broader thematic conclusions at the institutional level. There was also an increase in the proportion of IFC reviews during FY11, recognizing that the audit coverage of IFC in prior years has not been in step with IFC’s risk profile. Forty-four engagements were completed during FY11 comprising reviews of key end-to-end World Bank Group business processes, operations, corporate and administrative processes, and information technology areas. These included 10 Group-wide process reviews; 20 IBRD/IDA engagements, 12 IFC specific reviews and two MIGA engagements. Appendix A lists all audit reports issued in FY11 and Appendix B describes the audit lifecycle. Figure 1 shows the Work Program breakdown by World Bank Group entity and Figure 2 provides a comparison of the work effort by World Bank Group entity during FY09-11.

Figure 1: FY11 Work Program Breakdown by Entity (based on staff days): IBRD/IDA 49%, IFC 27%, WBG 19%, MIGA 5%.

Figure 2: Work Program Breakdown for the last Three Fiscal Years (chart not reproduced; fiscal years FY09, FY10 and FY11 on a 0% to 100% scale; series: IBRD/IDA, IFC, MIGA & Oth., WBG).

FY11 Work Program Alignment with World Bank Group Priorities

Figure 3 illustrates the alignment of the FY11 Work Program coverage with World Bank Group Strategic Priorities and Business modernization and internal reform.

Figure 3: Work Program Alignment with World Bank Group Strategic Priorities (diagram not reproduced; the labels that survive are listed below).

Goal: Inclusive and Sustainable Globalization

World Bank Group Strategic Priorities: Create Opportunities for Growth; Target the Poor and Vulnerable; Provide Cooperative Models; Strengthen Governance; Manage Risk and Prepare for Crises.

IAD FY11 Reviews (four groups, as shown in the diagram):

Global Facility for Disaster Reduction; IFC Global Trade Liquidity Program; IFC Asset Management Company; Integration of Trust Funds in Country Assistance Programs.

IBRD Credit Risk Management (Sovereign and Commercial); World Bank Group Risk Management Framework; World Bank Group Financial Models; Trust Fund Financial Risk Management.

World Bank Group’s Staff Benefits; World Bank Group Information Security & Vulnerability Management; Trust Fund Cost Recovery Framework & World Bank Group Cost sharing Mechanisms.

Implementation of the Code of Conduct; Implementation of the WB Policy on Access to Information; IFC’s Anti-Money Laundering Framework.

Other diagram labels: Four Pillars of Business Modernization; Post-Crisis Directions; Finances; Governance; Business (Internal Reform); Products and Services; Processes & Systems; Organization; Financing; Global Partnerships & programs; Knowledge Service; Decentralization; Matrix Knowledge Partnerships; Human Resources; Budget & Disbursement Modernization; Operational Policies & Procedures; Information Management & Technology; Key focus areas of reform.

The FY11 assurance engagements were rated in accordance with IAD’s revised ratings framework. The following engagement level ratings were used for FY11:

Satisfactory – Internal Audit identified no significant issues related to the design of controls or to the proper functioning of controls as designed. If issues were noted, they were considered minor in nature.

Needs improvement – Internal Audit identified issues related to the design of the controls and/or in the functioning of the controls. Although none of these issues, either individually or in the aggregate, indicate significant weaknesses, management should address these issues in a timely manner to further strengthen the system of controls.

Unsatisfactory – Internal Audit identified issues that indicate significant weaknesses in the design and/or operating effectiveness of controls. Management should take immediate action to establish a satisfactory system of controls.

Summaries of engagement outcomes were included in the quarterly reports provided to the President and to the Audit Committee. Full audit reports for assurance engagements rated “Unsatisfactory” were circulated to the President and to the Audit Committee.

Table 1: FY11 Engagements by Entity

| Entity | Engagements | Satisfactory | Needs Improvement | Unsatisfactory | Unrated (Advisory) | Unrated (Controls Testing) |
|---|---|---|---|---|---|---|
| WBG | 10 | 0 | 7 | 1 | 2 | - |
| IBRD/IDA | 20 | 8 | 5 | - | 5 | 2 |
| IFC | 12 | 2 | 8 | - | 1 | 1 |
| MIGA | 2 | - | 1 | - | - | 1 |
| Total | 44 | | | | | |

Engagement Outcomes

World Bank Group Engagements

IAD’s review of World Bank Group (WBG) Information Security Management highlighted the Group’s improved ability to respond to information security challenges through the evolution of operations and oversight as well as institutional investments in recruitment of skilled staff, systems and tools. Additional improvements in the areas of strategy, risk management, governance, policies and standards are important for the further development of information security management. Management plans to enhance the information security risk assessment framework, under the oversight of the Chief Risk Officer. The results of the review of WBG Vulnerability Management highlighted the progress made by the Office of Information Security (OIS) towards protection of information resources. Management is undertaking further actions to implement a risk-based approach for prioritizing and escalating issue resolution. The World Bank Group Corporate Security has continuously improved its security and safety programs to protect staff and assets at HQ and in country offices. However, there is a need to enhance the effectiveness of the governing council, strengthen the enforcement of safety procedures in country offices, and to standardize security assessments. As part of the ongoing efforts to strengthen the Implementation of the Code of Conduct since the November 2009 launch, management has established a dedicated function for the investigation of staff misconduct allegations, developed a structured Financial Disclosure Program, and made significant strides in imparting ethics training to all WBG staff. IAD recommended further enhancements in the areas of program metrics, reporting, and outreach and communication.

The World Bank Group Corporate Insurance audit results showed that management has actively taken steps to build up the function, strengthen controls, and formalize related processes. The review highlighted a need to advance the World Bank Group’s approach to managing corporate insurance by moving from a generally transactional procurement focus to a more comprehensive risk-management focus. The review of the Group’s Risk Management and Control Processes over Financial Models did not identify any significant control issues that would call into question the validity of current model outputs. However, the development of a World Bank Group-wide risk management framework and improved consistency of control processes associated with model development, validation, implementation and on-going use are needed to strengthen the control environment. The World Bank Group Chief Risk Officer has recently established a Risk Advisory Group and a Risk Council to review, among other things, the Bank Group's model risk management framework, including the need to have independent model validation reviews. The review of the Management and Administration of World Bank Group Staff Benefits covered design aspects of the policy framework, governance structure, benefit administration, service delivery, data and system change management, exception reporting and adequacy of quality assurance processes. A considerable number of control improvements are required in the areas of policy design and implementation, management oversight mechanisms, quality assurance, operational performance standards, and systems. Governance processes and related controls over World Bank Group Global Real Estate and Facilities Management in Headquarters are well designed. However, real estate and facility management in the country offices requires further attention, particularly in the areas of strategy and accountability.

IBRD/IDA Engagements

To strengthen the governance and oversight of Valuation and Pricing within the Bank’s Finance Complex, the Treasury and Controller’s units of IBRD/IDA have formulated a valuation governance framework. Valuation and pricing are critical to the Bank’s borrowing and investment portfolios which are reported at fair value. IAD reviewed the draft governance framework against industry best practices and provided recommendations for strengthening controls. The draft governance framework to improve risk management of valuation and pricing has since been finalized by management. The program, portfolio and project management activities over Bank Application Development and Maintenance are well-managed. However, control improvements are needed in the areas of application change management and the consideration of enterprise architecture in development projects. The Bank maintains a Trust Fund Management Framework, which was reviewed and formally approved by the Board and addresses key aspects of trust fund management. Managing units are directly involved in the ongoing monitoring of market, liquidity, and currency risks of the trust funds under their responsibility. System controls have also been implemented to automate compliance with some of the requirements designed to reduce financial exposure.

The Bank’s Process for Integrating Trust Funds into Country Programs is well designed and aligns recipient-executed trust funds and country-specific bank-executed trust funds with country priorities. However, changes to the CAS guidelines are required to specify the aspects of FIFs and some network-managed BETFs, which should be considered and reflected in country programs. The identification of clients’ needs and close coordination between the Regions have contributed to the success of the Bank’s Global Facility for Disaster Reduction and Recovery Partnership program. Areas that require management attention include clarification of the scope of the Secretariat’s authority in project approval, and enhancement of project supervision and cash flow management. IAD’s review of the IBRD/IDA Trust Fund Cost Recovery Framework noted that while the changes made to the trust fund fee structure since 2007 have led to significant improvements in cost recovery, there is a need to simplify the overall cost recovery framework and fee structure, besides strengthening the processes for capturing trust fund administration costs. Management intends to evaluate options for instituting a simpler framework at the institutional portfolio level. IAD’s reviews of other Bank processes and activities (e.g., Managing Procurement Complaints, Commercial and Country Credit Risk Management, Trading Operations, Controls over Administrative Expenses for the Global Environment Facility, and eDisbursements) identified minor opportunities for control improvement.

Progress Update on IAD’s review of the Implementation of the “Five-Point Action Plan” (FPAP) for IDA Internal Controls

During FY11, IAD completed its advisory review of Management's implementation of its IDA Internal Controls Five-Point Action Plan (FPAP). Management prepared the FPAP, with 22 specific corrective actions, in response to the findings of the 2008 IDA Internal Controls Review. Management's FPAP was designed to address the significant deficiencies found in the 2008 review. Each of the five points in the Action Plan corresponded to one of the five “significant deficiencies” in the areas of (i) policy and procedural framework for investment lending; (ii) risk management and accountability at entity and project levels; (iii) controls for managing fraud and corruption risk in IDA-supported operations; (iv) procurement and financial management processes; and (v) controls over information technology (IT) and analytic and advisory activities (AAA). Of the 22 Corrective Actions, 18 had been implemented by management by the end of FY11. From a control design perspective, corrective actions implemented by management include (i) development of a framework to identify and track risks and to allocate resources based on the level of risk; (ii) integration of fraud and corruption controls into project preparation and supervision; (iii) strengthened fiduciary controls; (iv) development of systems and tools for the risk-based approach to project preparation and implementation; and (v) enhanced institutional risk assessment and improved controls to address IT system vulnerabilities. The four remaining corrective actions are underway. Details of these pending corrective actions are provided below:

| Remaining Open Corrective Actions | Current Status |
|---|---|
| Consolidate multiple rules into clear principles to inform design and processing (Corrective Action 4). | Management has completed and presented the approach papers on the Investment Lending policy reform and Operational Memorandum reform to the Board. The drafting of the consolidated Operational Policy on Investment Lending will be completed and presented to the Board for discussion by December 31, 2011. |
| Review lines of accountability at Management and staff levels (Corrective Action 5). | Management has developed an Operational Core Curriculum on all the basic operational processes to improve product quality and ensure policy compliance. Management has also undertaken a Cross Regional Review of Accountability for Quality Assurance and will present results to Senior Management and discuss action plans by October 2011. |
| Improve accessibility of operational documents through automation (Corrective Action 21). | The design of the upgraded Bank Project Portal and a new Bank-wide document repository system (WBDocs) has been completed. The upgraded Bank Project Portal has been fully operationalized, and all regions and networks have migrated to WBDocs. Migration of the corporate units to the new document management system is underway. The target date for completion is December 31, 2011. |
| For AAA, rationalize processes and controls, and improve system support and monitoring (Corrective Action 22). | Business process review of AAA has been completed, the results of which have been used to develop an automated system with embedded controls. The automated project management system was rolled out on a selective basis in August 2011, with a full roll out planned by the end of the third quarter of FY12. |

Management is maintaining focus on the completion of these remaining corrective actions, all of which are expected to be completed during FY12. IAD will validate the operating effectiveness of a majority of these re-designed controls as part of its FY12 engagements which include reviews of (i) regional quality assurance processes (ii) institutional monitoring of procurement activities (iii) resource allocation for project implementation support (iv) management of regional programs and (v) management of crisis response and emergency operations.

IFC Engagements

The audit of IFC’s Process for Market Risk Management noted the establishment of sound financial policies and operational guidelines, and daily monitoring procedures for ensuring adherence to the established residual risk thresholds. IFC also implemented a 'second line of defense' structure for the measurement and management of market risks. The review, however, highlighted the need for a more comprehensive, top-down approach to market risk management through a formal policy framework, that identifies management's assessment of where market risk lies within IFC's different business activities and acts as the basis for setting IFC's intended market risk management strategy and structure. IAD’s review of the Process for Managing IFC’s Investment and Advisory Services Fees from Clients noted effective controls in place over loan-related fees which account for the majority of the fees. Improvements were needed in the maintenance of related policies and procedures; oversight and monitoring of billing, collection, recording and reporting of fees for equity investments and certain advisory services. The review of Activities related to IFC’s Asset Management Company (AMC) focused on IFC’s internal processes for handling AMC-related matters and managing relevant risks. It included IFC’s oversight of its ownership of AMC, investment in AMC’s funds, reporting, risk management, provision of services to AMC and information technology security. The review highlighted that continued focus is required on the implementation of defined procedures for managing IFC’s relationship with AMC. Management has instituted adequate layers of review within IFC’s equity valuation process, clearly identified roles and responsibilities for equity investment valuations, and transitioned the Portfolio Valuation Team into Accounting and Financial operations to further establish their independence from the valuation performance function (investment units). Management has initiated improvements in overall governance over the valuation process in the areas of cross-functional management oversight, valuation reviews, and enhancements of upstream controls and model risk processes.

There has been significant strengthening in the procedural and operational controls of IFC’s Anti-Money Laundering and Countering the Financing of Terrorism Framework (AML/CFT). However, there are opportunities for improvement in the design of the risk management framework, program controls over computerized screening, and training for staff. IAD performed a review of IFC’s Equity Operations and Supervision, noting that the control processes over IFC’s equity operations and supervision activities are well designed and managed. The review of IFC’s Global Trade Liquidity Program (GTLP) and GTLP II highlighted that the oversight and governance of the program was adequate with well-defined operational processes and procedures. Concerted efforts to address risks and potential operational issues by various units, at the planning stage of the program, led to a successful roll out of the program. IAD’s review of IFC’s Application Development and Maintenance noted that the program and portfolio activities are well-managed through a centralized governance process. Control improvements were required in the areas of application maintenance, project management and user access testing.

IAD’s review of the IFC ICAS-E System Replacement identified noticeable improvements with respect to core project management disciplines, including better project status reporting, the implementation of automated project management tools, enhanced tracking of resource constraints and dependencies, improved project budgeting, and active project issue and risk identification. Further improvements are needed in the areas of core system development activities, measurement of project benefits, and business requirements definition and documentation.

IAD’s audit of the IFC iDesk Portal highlighted a need to strengthen iDesk ownership and improve the monitoring of performance, functionality requirements and database activity. The change management process for the software or hardware associated with iDesk is well controlled.

MIGA

IAD’s review of MIGA’s Provisioning for Guarantee Losses identified that the use of an integrated risk model for pricing, capital adequacy, and provisioning promoted consistency in the use of assumptions and parameters across MIGA. The review also noted the need for Management to develop and follow a schedule for the periodic review of system parameters.

Controls Testing - ICFR

IAD tested key Internal Controls Over Financial Reporting (ICFR) across the World Bank Group institutions (Bank, IFC, and MIGA). This testing is to assist management in their assertions as to the reliability of each institution’s financial reporting. None of the issues identified in IAD’s review rose to the level of a significant deficiency or a material weakness. Consistent with other financial institutions, the Bank Group’s historical focus for ICFR has been on ensuring compliance. As effective control disciplines have been instituted over the years, the next phase in the process maturation will require that the institutions critically review current processes to leverage ICFR to enhance business effectiveness while still maintaining a high degree of compliance. This will require an emphasis on the rationalization of controls to identify and address potential redundancies, increased reliance on ex-ante preventive controls rather than ex-post detective controls, better leverage of automation and technology to reduce reliance on high-touch manual controls, etc. IBRD/IDA management has done significant work in rationalizing the number of key controls over the past few years. IAD, in conjunction with CTR, is re-evaluating its role in ICFR testing to focus future efforts on evaluating the effectiveness of the institutional approach to ICFR.

Advisory Summaries

IAD conducts both assurance and advisory engagements and IAD’s overall approach is consistent with the IIA’s International Standards for the Professional Practice of Internal Auditing. The advisory reviews are designed to be “preventive” in nature by focusing on the upstream design and implementation aspects of strategies, business processes and systems. In determining the overall mix of assurance and advisory engagements, as well as in evaluating the conditions under which an advisory engagement can be undertaken, several considerations are taken into account by IAD, including (i) the underlying objective of the engagement (ii) nature and scope of the engagement (iii) maturity of the process or control and (iv) the need for maintaining adequate safeguards for preserving IAD's objectivity and independence. Advisory reviews typically cover systems or processes under development, for which audit feedback is valuable in order for management to actively incorporate appropriate controls during the design stage.

The advisory review of the World Bank Group’s Risk Management Framework was designed to provide an objective update to Management and the Board on status of the Group’s efforts towards an integrated risk management framework. The review showed that the WBG entities had made significant progress, over the past few years, in strengthening risk management activities. Management demonstrates strong risk-awareness and each institution has effective oversight processes over significant risks. The review also identified that there should be continued efforts to integrate the risk management efforts across Group entities by establishing common methodologies, standards and tools, risk aggregation and analysis, and integrated reporting. IAD's advisory engagement on the Framework for the World Bank Group Cost Sharing Arrangements and Selected Chargeback Mechanisms was intended to support management's ongoing policy and design review. IAD offered specific recommendations that could be considered in redesigning cost sharing and chargeback processes. The results of the advisory engagement highlighted the need to develop prescriptive guidance to ensure harmonization and consistency, establish a group-wide mechanism for oversight, and strengthen existing Service Level Agreements.

IAD’s advisory review of the implementation of the World Bank Policy on Access to Information noted that extensive work has been undertaken by management to put in place the necessary infrastructure and related business processes. The review also noted that implementation was strengthened by an effective oversight and governance mechanism at the institutional level. The Access to Information Committee oversees implementation and also interprets the Policy. Management continues to focus on specific areas to further strengthen significant aspects such as improving consistency in records management and improving automation of certain manual processes. IAD’s advisory review of the Development of the Risk Based Releasing (RBR) functionality within the Integrated Loan Administration Platform (iLAP) system was a pre-implementation review. IAD noted that the concept of RBR was well thought-out by the Loan Department Disbursement Unit and thorough user acceptance testing was performed. IAD provided advice on documenting procedures, establishing Key Performance Indicators (KPIs) and monitoring access.

IAD’s advisory reviews of the Bank and IFC’s Donor Fund-Raising Activities were undertaken to provide independent advice to Bank and IFC management to support a more structured and coordinated approach to fund-raising and its oversight. The focus of these reviews was on the overall coordination of donor fund-raising activities at the institutional level. The results of these engagements highlighted the efforts undertaken by both Bank and IFC management to improve information-sharing on donor contributions as well as the gathering and dissemination of donor intelligence. The results of the IFC review indicated the need for developing an advisory service fund raising strategy at the corporate level and clarifying oversight roles in relation to regions and advisory services business lines. The Bank review results identified the need to develop an institutional resource mobilization strategy to provide a framework for fund-raising and for clarifying the precise roles of the Concessional Finance Vice Presidency (CFPVP) and other business units responsible for coordination of fund-raising activities. Recommendations were also made for developing key performance indicators to measure efficiency and qualitative success of fund-raising activities in both the Bank and IFC.

At the request of the management of the Bank’s Africa Region, IAD conducted an advisory review of the Bank’s administration of the Partnership for Capacity Building in Africa (PACT) Trust Fund and Development Grant Facility (DGF) grants provided to the African Capacity Building Foundation (ACBF). The review detailed the history of the Bank’s involvement in the Fund and noted specific control enhancements that were required at the fund level. In addition, recommendations were provided to Senior Management to improve internal coordination when reviewing the various risks involved in the Bank’s partnerships and defining controls at the institutional level. IAD also provided recommendations for clarifying the process for developing the Bank’s partnership strategy for external entities, including the roles of various units in the process.


IAD implemented an issue level ratings framework during FY11 for assurance engagements. Issue level ratings allow (i) differentiation between key issues with an institutional impact and lower level operational issues; (ii) prioritization of remediation efforts by management based on the severity of the issue; (iii) transparency in the rationale for engagement level ratings. The issue level ratings were also linked to the underlying business process and risk dimensions to permit further analysis of the issues at the Vice Presidential Unit (VPU) level. The issue level ratings are aggregated upon conclusion of an audit, and are an important input for IAD in determining the overall engagement level rating. During FY11, IAD also modified its engagement level rating descriptions to better reflect IAD’s overall assessment of the control environment in the areas under review.

Methodology and Professional Practices

Implementation of Revised Ratings Framework

Figure 4 depicts the distribution of IAD’s FY11 issue level ratings and engagement level ratings. Approximately 11% of the recommendations were rated as high priority in FY11. While the design of the ratings framework is tailored to respond to the needs of the institution in flagging issues and deficiencies to the Board and Senior Management, the application of the framework is not intended to be a “formulaic” exercise and requires professional judgment in evaluating the unique context and facts around each issue or auditable area. As a result, there is no predetermined “benchmark” for rating distributions that can be used as a frame of reference for comparing rating results in the aggregate. However, the consistent application of the framework will help provide useful information on control and risk trends over the medium term.

Figure 4: FY11 Issue level ratings and FY11 Engagement Level ratings

FY11 Engagement Level Ratings: Satisfactory 33%; Needs Improvement 64%; Unsatisfactory 3%

FY11 Issue Level Ratings: High 11%; Medium 58%; Low 31%


Issue Level Ratings

Low: The issue requires management attention to maintain a satisfactory control environment.

Medium: A control design and/or operating effectiveness issue that, if not addressed, may cause loss or reputational damage. The issue has a significant impact on the business or IT process under review.

High: A serious weakness in control design and/or operating effectiveness that, if not addressed, is likely to impact the entity’s ability to achieve its business objectives, comply with key policies and/or maintain control over mission-critical systems. The issue has a significant impact at the entity level.

Engagement Level Ratings

Satisfactory: Internal audit procedures resulted in no significant findings related to the design of controls or to the proper functioning of controls as designed. If findings were noted, they were considered minor in nature. No high rated issues have been identified.

Needs Improvement: Internal audit procedures resulted in findings related to the design of the controls and/or exceptions were noted in the functioning of controls. Although none of these findings, either individually or in the aggregate, indicate significant weaknesses, management should address these findings in a timely manner to further strengthen the system of controls.

Unsatisfactory: Internal audit procedures resulted in significant weaknesses in the design and/or operating effectiveness of controls. Management should take immediate action to establish a satisfactory system of controls.

Principles

Issue level ratings are assigned to individual audit findings during assurance engagements. The ratings are based on the impact and likelihood of the risk exposure identified by the audit issue. Risk exposures are classified according to the risk dimensions identified in the integrated risk frameworks used by WBG entities.

Issue level ratings differentiate between key issues with an institutional impact and lower level operational issues that still require management attention, albeit the impact may not be at an institutional level. Issue level ratings will help drive more meaningful audit dialogue and results.

The collective issues and related ratings found during an audit assist auditors in building the overall assessment of the auditable area. This increases the transparency with which auditable areas are rated (i.e. engagement level ratings).

Engagement level ratings are holistic conclusions on the auditable area, built upon the components of the Committee of Sponsoring Organizations of The Treadway Commission (COSO) framework and the issue level ratings.

The application of engagement and issue level ratings enhances the risk assessment process, since it provides input to risk areas that IAD would consider in developing its annual Work Program.

Implementation of Revised Ratings Framework Issue Level and Engagement Level Ratings


The implementation of recommendations identified in IAD reviews is important for managing risk within the World Bank Group. It is also important that action is taken promptly and the risk reduced to an acceptable level. The IIA Standards require that Internal Audit:

► determines whether management has taken timely action to implement the recommendation; and

► evaluates the adequacy, effectiveness, and timeliness of actions taken by management.

In years prior to FY10, IAD’s follow-up process was “report-based” and not “issue-based”. As a result, a significant proportion of the recommendations (arising from Satisfactory and Needs Improvement rated engagements) were not actively followed up.

IAD’s focus on strengthening follow-up efforts and management’s commitment to resolving open and overdue issues is reflected in the declining proportion of overdue recommendations. At the end of FY11, overdue issues, as a percentage of open recommendations, had fallen from 29% in FY10 to 19% in FY11. Figure 5 shows the number of implemented and open Management Action Plans (MAPs) by WBG entity at the end of FY11. During FY12, IAD will continue to focus on contributing to a culture of accountability by further strengthening its follow-up and associated reporting processes.

IAD’s Follow Up Process: From “Report-based” to “Issue-based”

The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

IIA Standard 2500 - Monitoring Progress

Figure 5: Number of MAPs from FY08 - FY11 (Implemented and Open as of June 30, 2011)

[Bar chart of Implemented and Open MAPs for IBRD/IDA, IFC, MIGA and WBG. Data labels shown on the chart: 641, 196, 71; Overdue: 8 of 30, 5 of 26, None, 2 of 18.]


IAD carried out its first mid-year risk assessment refresh during November and December 2010. This process is a new component of the enhanced risk assessment methodology implemented by IAD for FY11. The objective of this exercise was to ensure that the IAD FY11 Work Program continued to be relevant by taking into account changes in the relative risk profiles of business processes and/or World Bank Group entities based on emerging risk and control information. The exercise entailed reviewing the risk frameworks, risk scans and other reports to understand shifts in risk profiles and targeted discussions with regions, networks, corporate VPUs and other units on emerging risks and updates on major initiatives. Proposed changes were discussed with, and approved by, the Auditor General. The decision-making process considered risk coverage, timing and resource implications.


Mid-Year Risk Assessment Refresh

What kind of Work Plan changes did the Risk Assessment refresh produce?

► An originally planned review of the Bank’s Management of the Infrastructure Recovery and Assets Program (INFRA) was substituted with a review of the Bank Global Facility for Disaster Risk Reduction and Recovery Partnership. Additional information obtained by IAD during its risk assessment refresh showed that the risk profile of the INFRA Program follows that of the investment lending process which was being covered in other planned IAD engagements. IAD reviewed other strategically significant programs of the Bank and selected the Bank Global Facility for Disaster Reduction since it was one of the key components of the Bank’s strategic framework on Development and Climate Change and also faced significant operational and stakeholder risks.

► The review of the Trust Fund Cost Recovery aspects was originally planned as part of an advisory review of the WBG Cost Sharing Arrangements. Based on a review of the changes introduced, as part of the Trust Fund Management Framework, this area was carved out of the WBG Cost sharing review and converted into an “assurance” engagement.


During FY11, IAD introduced a Professional Practices team into its structure. This organizational change is designed to strengthen the technical practice and improve IAD’s internal processes and methodologies to achieve better efficiency and effectiveness. There will be an increased focus on (i) systematic analysis of the impact of changes in Internal Audit Professional Standards on IAD’s activities; and (ii) leveraging of global best practices in internal audit methodology and processes. Amongst a number of ‘front office’ responsibilities, the Professional Practices team will:

► Improve IAD’s methodology and supporting technologies;

► Support the development of IAD’s annual risk assessment and audit plan;

► Build and maintain strong relationships with key stakeholders – senior management, Audit Committee, oversight units, the Multilateral Development Banks, UN Agencies and the wider internal audit community;

► Conduct a systematic and comprehensive Quality Assurance and Improvement Program in line with professional standards;

► Champion the training and build-out of competencies for staff development;

► Advance the systematic use of data analysis in IAD’s overall audit strategy.

Strengthening of IAD’s Professional Practices Team


Internal Audit Trends

Heightened focus on risk management and governance

More responsive and flexible risk-based internal audit plan

Data analysis as an “enabler” for Internal Audit effectiveness

Coordination with risk and compliance functions

Effective communication of Internal Audit value proposition to stakeholders

Source: IIA, Internal Audit Trends and Imperatives, 2010-11.


Conduct of External Quality Assessment

The International Standards for the Professional Practice of Internal Auditing require that external assessments must be conducted at least once every five years by a qualified independent reviewer or review team from outside the organization. During FY11, under the supervision of the Audit Committee, IAD commissioned the Institute of Internal Auditors (IIA) to conduct this External Quality Assessment of its internal audit activities and practices, given its background as the world’s recognized authority on internal audit and its ability to benchmark internal audit performance against an extensive set of worldwide clients. The report, issued during third quarter 2011, gave an overall opinion that IAD “generally conforms” to the IIA Standards, Definition of Internal Auditing and Code of Ethics. Generally conforms is the highest of a three-scale rating and means that the structure, policies, procedures and operating practices of IAD comply with the requirements of the Standards and Code of Ethics in all material respects. While improvement opportunities were identified, none of these were of a significant nature. Specific action plans were drawn up for addressing the areas for improvement. IAD shared the results of the review with the President and Audit Committee.


Excerpts from the IIA External Quality Assessment Review on IAD procedures and operating practices

“The World Bank Group IADVP has the infrastructure in place to support a high quality internal audit activity.”

“Staff is proficient and highly credentialed and work is performed with due professional care that includes an appropriate level of supervisory review and approval. The CAE has established an effective Quality Assurance and Improvement Program to promote quality and continuous improvement. In addition, IADVP is managed effectively and the annual audit plan is supported by a robust risk assessment process that incorporates input from the World Bank Group stakeholders including the senior management and the Audit Committee and that is linked to the World Bank Group entity-level risk and objectives”.

“Individual audits are generally high quality and work papers are documented in an electronic work paper tool. Audits are integrated and include technology, operational, financial, and compliance components. Work papers support observations and conclusions. Audit reports are consistent with the underlying work product and focus the reader on those areas of highest relevance. Management response is a required component”.

“There is a robust follow-up process in place that includes aging mechanisms and reporting.”

External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:

► The need for more frequent external assessments; and

► The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.

IIA Standard 1312 – External Quality Assessments


The IIA Standard on Organizational Independence (Standard 1110) requires that the Chief Audit Executive confirm to the Board, at least annually, the organizational independence of the internal audit activity. IAD reports to the President and is under the oversight of the Audit Committee, acting on behalf of the Board. The Audit Committee is responsible for the review of IAD’s Terms of Reference, Annual Work Program and the results of IAD’s work. In addition, the Vice President and Auditor General has free and unrestricted access to the Board through the Audit Committee. This reporting relationship has permitted appropriate organizational independence for IAD to fulfill its professional responsibilities.

Organizational Independence


The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

IIA Standard 1110 – Organizational Independence

Memorandum of Understanding with INT

IAD and INT signed a Memorandum of Understanding in February to improve collaboration and enhance INT's and IAD's breadth and depth of collective oversight coverage. The units agreed on an active exchange of information regarding coverage, timing, and opportunities to partner; leveraging resources for targeted reviews (e.g., forensic accounting); and establishing a joint planning process at the engagement level, where needed to identify fraud risk indicators and internal control implications. INT and IAD have agreed to form a working committee and will further develop the partnership at the operational level during FY12.


The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.


Quality Assurance and Improvement Program (QAIP)

IAD’s Quality Assurance and Improvement Program (QAIP) is intended to instill consistent quality and discipline in carrying out internal audit activities, and to further demonstrate IAD’s continued compliance with the Institute of Internal Auditors (“IIA”) Standards. IAD’s QAIP is designed to achieve full compliance with the IIA Standard (Standard 1300) and is undertaken along the following lines:

► The program includes both internal and external assessments;

► Internal assessments include ongoing monitoring of the performance of the internal audit activity;

► Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity through the use of specific quality assurance templates and checklists.

The internal assessments conducted during FY11 indicated that audit activities are undertaken and documented with due professional care that includes an appropriate level of supervisory review and approval.

Issues noted in the previous QAIP reviews are being systematically addressed. These include:

► Improved discipline in using the audit tool and in time recording practices; and

► Establishment of KPIs to better track and monitor engagement milestones.

Areas for improvement highlighted in the FY11 QAIP include enhancing standards for engagement risk assessment, improving work paper structure and criteria for test evidence, and continuous maintenance of the database. During FY12, IAD plans to introduce design changes to its QAIP program to supplement individual engagement quality reviews with broader thematic reviews of specific processes. This will help identify cross-cutting issues which will inform further updates to its procedures manual and help target staff training activities.


IIA Standard 1300 – Quality Assurance and Improvement Program (QAIP)


Budget and Staffing

In FY11, IAD had a budget of $12.3 million, and total expenditures of $12.1 million, representing 98.3% of the budget. IAD has stayed within its overall budget envelope, as shown in Figure 6. At the end of FY11, IAD had 41 full time staff, including 36 auditors, all of whom are certified or accredited by relevant professional organizations. IAD continues to lead in diversity, with professionals from Sub-Saharan African and Caribbean nationalities at 17.1% and female managers at 50%, compared with the World Bank Group average of 11.2% and 33.9%, respectively.


Figure 6: Historical Budget Allocation and Actual Expenditures

[Bar chart of Total Budget and Actual Expenditures for FY09, FY10 and FY11. Data labels shown on the chart: 11.64, 11.78, 12.12.]


Appendix A: FY11 Audit Reports

As per paragraph 16 (d) of the Bank’s Access to Information Policy, July 1, 2010, audit reports prepared by IAD shall not be publicly disclosed.

WBG

# | Engagements | Report Number | Date Issued
01 | Advisory Engagement Related to the World Bank Group's Risk Management Framework | WBG FY11-01 | 3-Sept-10
02 | Audit of the World Bank Group Global Real Estate and Facilities Management | WBG FY11-04 | 25-Feb-11
03 | Audit of the Management and Administration of World Bank Group Staff Benefits | WBG FY11-05 | 1-Mar-11
04 | Review of the Implementation of the Code of Conduct | WBG FY11-06 | 10-May-11
05 | Advisory Engagement on the Framework for WBG Cost Sharing Arrangements and Chargeback Mechanisms | WBG FY11-07 | 31-May-11
06 | Audit of the Risk Management Framework Governing World Bank Group Financial Models | WBG FY11-08 | 20-Jun-11
07 | Audit of the Management of World Bank Group Corporate Insurance | WBG FY11-09 | 27-Jun-11
08 | Audit of WBG Information Security Management | WBG FY11-10 | 5-Jul-11
09 | Audit of WBG Corporate Security | WBG FY11-11 | 15-Jul-11
10 | Audit of WBG Vulnerability Management | WBG FY11-12 | 18-Jul-11

IBRD/IDA

# | Engagements | Report Number | Date Issued
11 | FY10 Testing of IBRD's Disclosure Controls and Procedures over External Financial Reporting | IBRD FY11-01 | 2-Aug-10
12 | FY10 Testing of Bank's Internal Controls over External Financial Reporting | IBRD FY11-02 | 12-Aug-10
13 | Review of Management’s Implementation of the IDA Internal Controls Five-Point Action Plan | IBRD FY11-03 | 8-Sept-10

Note: Report numbers WBG FY11-02 and WBG FY11-03 were not used for issuance of FY11 reports.

IBRD/IDA (continued)

# | Engagements | Report Number | Date Issued
14 | Advisory Engagement Related to the Bank's Administration of the PACT Trust Fund and DGF Grants to the African Capacity Building Foundation | IBRD FY11-04 | 13-Sept-10
15 | Advisory Review Related to the Development of the Risk Based Releasing Functionality within the iLAP system | IBRD FY11-05 | 23-Sept-10
16 | Audit of the Bank Processes for Managing Procurement Complaints | IBRD FY11-06 | 4-Jan-11
17 | Audit of Valuation and Pricing- IBRD Finance Complex | IBRD FY11-07 | 20-Jan-11
18 | Audit of Bank Application Development and Maintenance | IBRD FY11-08 | 15-Feb-11
19 | Audit of Trust Funds Financial Risk Management | IBRD FY11-09 | 13-Apr-11
20 | Review of the Bank’s Donor Fund-Raising Activities | IBRD FY11-10 | 14-Apr-11
21 | Audit of Bank’s Process for Integrating Trust Funds in Country Programs | IBRD FY11-11 | 15-Apr-11
22 | Audit of Commercial Credit Risk Management | IBRD FY11-12 | 19-Apr-11
23 | Audit of the Bank’s eDisbursements Application | IBRD FY11-13 | 11-May-11
24 | Audit of Sovereign/ Country Credit Risk Management | IBRD FY11-14 | 16-Jun-11
25 | Audit of IBRD Trading Operations | IBRD FY11-15 | 17-Jun-11
26 | Audit of the IBRD/ IDA Trust Fund Cost Recovery Framework | IBRD FY11-16 | 29-Jun-11
27 | Audit of Administrative Expenses of the Global Environment Facility (GEF) Secretariat | IBRD FY11-17 | 30-Jun-11
28 | Audit of Administrative Expenses of the Global Environment Facility (GEF) Evaluation Office | IBRD FY11-18 | 30-Jun-11
29 | Audit of the Bank’s Process for Managing the Global Facility for Disaster Reduction and Recovery Partnership (GFDRR) | IBRD FY11-19 | 11-Jul-11
30 | Advisory Engagement on the Implementation of the World Bank Policy on Access to Information | IBRD FY11-20 | 27-Jul-11

IFC

# | Engagements | Report Number | Date Issued
31 | FY10 Testing of IFC's Internal Controls over External Financial Reporting | IFC FY11-01 | 24-Sept-10
32 | Audit of the Process for Managing IFC’s Investment and Advisory Services Fees from Clients | IFC FY11-02 | 13-Oct-10
33 | Audit of IFC’s Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Framework | IFC FY11-03 | 27-Dec-10
34 | Review of IFC’s Donor Fund-Raising Activities for Advisory Services | IFC FY11-04 | 25-Feb-11
35 | Audit of IFC Application Development and Maintenance | IFC FY11-05 | 9-Mar-11
36 | Audit of IFC's Activities related to its Asset Management Company (AMC) | IFC FY11-06 | 30-Mar-11
37 | Audit of the IFC iDesk Platform | IFC FY11-07 | 12-Apr-11
38 | Audit of IFC’s Equity Valuation Process | IFC FY11-08 | 12-May-11
39 | Audit of IFC’s Global Trade Liquidity Program (GTLP) and GTLP II | IFC FY11-09 | 26-May-11
40 | Audit of IFC’s Equity Operations and Supervision | IFC FY11-10 | 10-Jun-11
41 | Audit of IFC’s Process for Market Risk Management | IFC FY11-11 | 30-Jun-11
42 | Audit of the IFC ICAS-E System Replacement | IFC FY11-12 | 12-Jul-11

MIGA

# | Engagements | Report Number | Date Issued
43 | FY10 Testing of MIGA's Internal Controls over External Financial Reporting | MIGA FY11-01 | 12-Aug-10
44 | Audit of MIGA's Provisioning for Guarantee Losses | MIGA FY11-02 | 22-Apr-11

Appendix B: The Audit Lifecycle

Risk Assessment and Annual Work Program

Inputs:
► Business plans and strategic priorities
► Board and Senior Management expectations
► Results of IAD engagements
► IAD’s knowledge of risk and control issues
► Results of Integrated Risk Management Reports (IRMRs)

Outputs:
► Risk and process prioritization
► Annual Work Program

Planning

Inputs:
► Initial risk assessment results
► Discussion with management to reflect changes in risk profiles and recent events

Outputs:
► Finalization of audit scope
► Terms of reference
► Draft risk and control matrices

Testing Strategy

Inputs:
► Walkthroughs and process flowcharting
► Sampling Plans

Outputs:
► Prioritization of risks and controls
► Nature, extent and timing of procedures
► Test Plans and updated risk and control matrices

Execution

Inputs:
► Testing results
► Supporting documentation for controls

Outputs:
► Summary of Observations and Draft Audit reports

Communicate Results

Inputs:
► Final Audit Reports
► Issue Level and Engagement Level Ratings
► Management action plans (MAPs) with implementation target dates

Outputs:
► Engagement results reported to VPU Management
► Engagements with significant control issues are shared with Senior Management and the Audit Committee
► Updates to the risk assessment

[Cycle diagram: Risk assessment and annual work program, Planning, Testing Strategy, Execution, Communicate Results]

The audit process is designed to be an iterative process whereby audit results continue to build IAD’s understanding of governance, risk management and control processes within the institution. This allows IAD to focus on critical areas where WBG needs to further strengthen its control environment.


Internal Audit is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of the WBG organizations. It assists WBG in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control, and governance processes.

1818 H Street, N.W. Washington DC, 20433 U.S.A. G Building 4th Floor Tel: 202.458.7258 Fax: 202.522.3575