93226

Annual Fiscal Year Report 2014
Internal Audit Vice Presidency
December 10, 2014

Abbreviations and Acronyms

ADM     Accountability and Decision Making
ADR     Audit Director Roundtable
AG      Vice President and Auditor General
CAE     Chief Audit Executive
CAO     Compliance Advisor/Ombudsman
CCSA    Cross Cutting Solutions Area
CEB     Corporate Executive Board
CIF     Climate Investment Fund
CFO     WBG Chief Financial Officer
CMU     Country Management Unit
CRO     WBG Chief Risk Office
CTR     Controllers' Vice Presidency
ER      Expenditure Review
ERM     Enterprise Risk Management
FIF     Financial Intermediary Fund
FM      Financial Management
GAIN    Global Audit Information Network
GP      Global Practices
HR/HRS  Human Resources
IAD     Internal Audit Vice Presidency
IBRD    International Bank for Reconstruction and Development
ICFR    Internal Controls Over Financial Reporting
ICSID   International Center for the Settlement of Investment Disputes
IDA     International Development Association
IEG     Independent Evaluation Group
IFC     International Finance Corporation
IIA     Institute of Internal Auditors
INT     Integrity Vice Presidency
IPMP    Integrated Project Management Plan
IPN     Inspection Panel
IT      Information Technology
ITS     Information Technology Services
MIGA    Multilateral Investment Guarantee Agency
OPCS    Operations Policy and Country Services Vice Presidency
ORAF    Operational Risk Assessment Framework
PDU     President’s Delivery Unit
PP      Partnership Program
PMA     Partnership Management and Administration
SAP     Systems, Applications and Products software
SCD     Systematic Country Diagnostic
SMT     Senior Management Team
SORT    Systematic Operations Risk rating Tool
UN RIAS Representatives of the Internal Audit Services of the United Nations Organizations and Multilateral Financial Institutions
VPU     Vice Presidential Unit
WBG     World Bank Group

IADVP FY14 Annual Report

Table of Contents

1. World Bank Group Internal Audit Vice Presidency  4
2. Governance, Risk Management and Control – Executive Commentary  7
3. Management Response to the IAD FY14 Annual Report  15
4. Summary of Audit Results  17
5. Summary of Advisory Work  24
6. Methodology and Professional Practices  28
7. Appendix A: FY14 Work Program Overview  38
8. Appendix B: IAD Reports Issued in FY14  43
9. Appendix C: IAD’s Coverage in FY12-14  47
10. Appendix D: Alignment of IAD’s FY15 WBG Coverage with WBG Change Agenda  52

1. World Bank Group Internal Audit Vice Presidency

Internal Audit Vice Presidency’s (“IAD”) Mandate

IAD is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of WBG’s entities. It assists the Bank Group in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s governance, risk management, and control processes. IAD also focuses on raising awareness of risks and controls, providing advice to management in developing control solutions, and monitoring the implementation of management’s corrective actions to mitigate risks and strengthen controls. IAD’s work is carried out in accordance with the Institute of Internal Auditors (IIA)’s International Professional Practices Framework.

Oversight of IAD

IAD reports to the President and is under the oversight of the Audit Committee.
The Audit Committee of the Board of Executive Directors has a mandate to assist the Board in overseeing the WBG’s finances, accounting, risk management and internal controls. The Audit Committee oversees the external auditors with respect to the integrity of the financial statements for the entities and financial reporting for trust funds; the Integrity Vice Presidency with respect to anti-fraud and anti-corruption measures; and IAD with respect to governance, risk management, and internal controls.

The Audit Committee’s responsibilities with respect to IAD include:

- The review of IAD’s Terms of Reference and recommendation to the Board for approval.
- The review of IAD’s annual Work Program and recommendation to the Board for approval.
- The review of the results of IAD’s work covering operations and compliance with key provisions of IBRD/IDA, IFC and MIGA’s charters and policies.
- The review of the overall effectiveness of IAD.

On an ongoing basis, but at least quarterly, IAD briefs and updates the President and the Audit Committee on engagement outcomes and the progress of management action plans to improve the Group’s controls. IAD also briefs the Audit Committee on any changes to the annual Work Program that may occur as a result of emerging risks, significant changes to the business, or requests from Management for advice on internal control matters.

Foreword from the Vice President and Auditor General

I am pleased to present IAD’s FY14 Annual Report, my first as WBG’s Vice President and Auditor General. I could not think of a more challenging, yet exciting, time to take the leadership of this important function. The Bank Group is in the midst of one of the most significant change processes it has undertaken in recent years, which affects all key aspects of our business and how we operate: business models, client and stakeholder engagement, internal structure, people, processes, systems and culture.
This comprehensive change process presents great opportunities and significant challenges. As the institution pursues these opportunities and tackles those challenges, Internal Audit is well poised to deliver on our core dual mandates: provide, as an independent function, objective assurance that key controls over the business activities of the WBG entities are well designed and operating effectively; and leverage our group-wide remit and broad institutional exposure to provide advice and business insights that add value and support the achievement of our strategic priorities.

FY14 has been another significant milestone in IAD’s continuous journey to raise our line of sight whilst also building the supporting infrastructure (people, processes, and tools) needed to deliver on this mandate. In that respect, significant initiatives undertaken by IAD during FY14 include:

- Implementation of a significant staff rebalancing to upgrade our skills and align our human capital with the more complex requirements of a risk-based and strategy-centered audit model;
- Completion of a skills diagnostic to identify our skills gaps and talent opportunities and to inform both our training and recruitment priorities;
- Development of a comprehensive and structured core curriculum to guide our investments in staff professional development in the triple areas of business skills, technical skills, and soft skills;
- Comprehensive revision of our end-to-end audit methodology to strengthen, but to also streamline, the audit delivery process;
- Selection of a new industry-leading audit tool to better leverage the latest enabling technology platform and support a more efficient and effective audit delivery; and
- Investment in the ongoing development of a Data Analytics strategy in order to build up the tools, processes and skills needed to leverage institutional data and modern analytic tools in order to provide more and better evidence-based insights to the institution.

These key investments to develop our people, to strengthen our processes and to modernize our tools will position IAD to live up to our continued commitment to align our work with the strategic priorities of the institution and to deliver relevant and high quality reviews in support of those objectives. This strategic-alignment approach has already led our function to deliver, during FY14, a range of projects designed specifically to provide assurance or advice on key areas of the ongoing reform agenda, such as: reviewing risk management and control aspects related to the integration of WBG’s Information and Technology Solutions, analyzing lessons learned from the implementation of the Operational Risk Assessment Framework (ORAF) to inform the design of a new framework for managing risks in operations, evaluating the Bank’s Environmental and Social Safeguards to support the ongoing reforms in that area, performing deep-dive analyses of business processes related to fiduciary risks and Resource Management to identify efficiency improvements as part of the expenditure reviews, evaluating the existing jointness models to inform management’s decision-making over implementation of the One WBG concept, assessing the Bank’s open data initiative, etc. Our FY15 work program will build on this trend and further strengthen IAD’s strategic orientation.

Hiroshi Naka
Vice President and Auditor General

2. Governance, Risk Management and Internal Control Executive Commentary

A renewal of the World Bank Group (WBG) has been set in motion over the past couple of years. The endorsement of the first WBG Strategy by the Board of Governors during FY14 has provided the authorizing environment to reposition the WBG to achieve the dual goals of ending extreme poverty and boosting shared prosperity.
The Senior Management Team (SMT) has launched a comprehensive and significant change process – encompassing structure, processes, and incentives – to make WBG’s services more results-focused, evidence-based, and adaptive. The change agenda is designed to drive the internal reforms necessary to achieve the new vision for the WBG, building on the simplification and harmonization efforts undertaken to date.

Given the significance of this change agenda and its potentially profound ramifications for the institution, IAD has opted to focus this year’s Annual Report on the key elements of this reform in our commentary on governance, risk management and internal control. Whilst aligning our focus with the current institutional priorities, this choice also presents significant challenges:

a. The various components of the reform are in an early stage of implementation, including many of the structural changes that have been put in place starting in July 2014. For several areas, while high level blueprints provide the general direction, crucial aspects of the actual implementation are being evaluated and not yet operationalized. Hence, there is an inherent limitation in our ability, at this early stage, to assess, or to opine on, the effectiveness of governance, risk management and internal controls related to the implementation of the reforms.

b. As a result, the bulk of the commentary in this section provides a forward-looking perspective rather than a retrospective assessment and is informed, to a large degree, by plans formulated by Senior Management and preliminary observations rather than an in-depth analysis of actual outcomes from empirical implementation experience. Where applicable, the commentary highlights the proposed body of work that IAD plans to complete that will eventually provide evidence to support an objective assessment in each of the applicable areas.

Against this backdrop, this qualitative commentary is designed to provide constructive and forward-looking input to Senior Management, drawing on IAD’s body of knowledge and experience, including institutional risk assessment exercises (such as the Bank’s annual risk scans, and IFC’s Top Risks Survey). Given the significance of the ongoing change effort, IAD’s qualitative comments are explicitly anchored around the eight broad change objectives of the new WBG Strategy.

1. Helping clients tackle the most important development challenges

The WBG is redesigning its approach to country engagement to better identify where it can have the greatest impact. The new country engagement model includes a Systematic Country Diagnostic (SCD) to identify key challenges and constraints to ending extreme poverty and boosting shared prosperity in the country and to identify a selective program of engagement. As this new country engagement model is intended to be evidence-driven, a key consideration for its successful implementation will be the availability and quality of underlying data, particularly in countries with weak statistical systems. IAD’s past body of work across many areas of the institution has consistently highlighted significant gaps and issues related to either data governance or data quality. Challenges associated with the completeness and quality of country level data have indeed been acknowledged by the WBG in its strategy. Only one-quarter of WBG member countries have adequate capacity and data to assess progress in poverty reduction and shared prosperity, and to account for sustainable development. To this end, the WBG has launched a new “Data for Goals” initiative, working with other development partners, under which member countries will be requested to gather relevant data and improve access to and dissemination of these data through a global database.
Management has also created a Data Council to strengthen data governance. Whether the scope of these initiatives and the level of resources committed are commensurate with the magnitude of the existing gaps remains to be validated. IAD’s FY15 Work Program includes coverage of the Bank Group’s governance arrangements over the end-to-end process for country level data gathering (identification, collection, review and verification, use and dissemination, accountability over key decision points and overall guidelines on management and use of poverty data).

On the same topic of enhanced country engagement, the ongoing modernization of the Bank’s procurement and safeguard policies is designed to further strengthen the country engagement model by providing greater flexibility and a more adapted and comprehensive approach to country contexts and the types of WBG interventions. In this context, a key challenge remains the clear delineation of roles between the Bank and the client given the increased emphasis on building country capacity. The support of the Bank to the borrower will need to take into account the varying levels of borrower capacity. The move towards greater focus on downstream implementation of procurement and safeguards supervision in the Bank (and not just as part of project preparation) is welcome, but will need commensurate management attention and resources. IFC is also sharpening its focus on environmental, social and governance risks, drawing on lessons learned from recent operational experience, to directly support clients in adopting and applying IFC’s Performance Standards, and strengthening their corporate governance practices.

2. Delivering “integrated” world-class development solutions to clients

The successful operationalization of the new strategy hinges on the ability of the Bank Group to marshal and enhance the combined resources and expertise within and across the Bank Group entities in order to serve clients – the overarching objective of the WBG’s new operating model, with the creation of the Global Practices (GPs) and the Cross Cutting Solutions Areas (CCSAs). This joint WBG model is one of the key foundational elements underpinning the “Solutions WBG” envisioned by Senior Management. IFC is also establishing a new Global Client Services VPU that encompasses investments, advice, and client relationships, as part of its new structure. A new WBG corporate results framework is expected to cascade corporate priorities identified at the WBG Corporate Scorecard apex level to individual business units over time, so that there is a system for assessing and measuring actions taken on corporate priorities. MIGA, whose guarantee business revolves around leveraging, has established a new client servicing model characterized by increased country focus and the establishment of key client service teams for targeted client engagement. For example, the recent pilot agreement between MIGA and IBRD to swap foreign exposures is a new risk management tool that is expected to free up capacity and support additional business.

Although there is broad consensus on the strategic relevance of these goals, the initial implementation experience has also highlighted significant issues and challenges.
Within the World Bank, challenges include: collaboration mechanisms and efficient processes between GPs, CCSAs and Regions/Country Units; clarity of roles and responsibilities; clearly understood rules of engagement amongst the various units in the new operating model; effective funding models that enforce corporate discipline while allocating budgetary resources in a transparent, timely, and efficient manner across the various layers of the delivery chain; and staffing considerations that balance necessary cost efficiencies with strategic delivery capabilities. Challenges related to strengthening collaboration across entities of the Bank Group include necessary changes to align and incentivize staff behavior towards working as One WBG. The increased level of integration under the new operating model would also require effective management of inter-institutional business conflicts of interest. These conflicts could arise from the differing interests of the institutions or from the legitimate, but competing, interests of the clients of the different institutions within the group. IAD will review the process for managing inter-institutional conflicts of interest as part of its planned FY15 Work Program coverage.

IAD is also well positioned to contribute to the development of a “Solutions WBG”, given our group-wide mandate and the ability to compare and contrast practices across WBG entities. During FY14, IAD’s advisory review of the WBG ITS Integration showcased the differences and similarities between the IT practices of the Bank and IFC and provided detailed inputs to management on key risk and control aspects of the integration process. IAD’s recent review of the existing institutional “jointness” arrangements was designed to distill lessons learned from existing collaboration models within the Bank Group to inform management’s approach in the operationalization of the GPs and CCSAs.

Another core component of the “Solutions WBG” is the introduction of a new approach to managing risks in operations to foster informed risk-taking – by increasing the candor in risk assessment and reporting, reducing duplication of efforts for identifying and managing risks holistically, and by strengthening the systems to capture risk information in a coherent manner for staff and management. We strongly support management’s renewed focus on informed risk-taking. As we have highlighted in our prior Annual Reports, in order to support informed risk-taking, two important enablers need to be in place: (i) a common institutional understanding of which risks are acceptable and which ones are not, i.e. a shared understanding of risk appetites; and (ii) clear accountability for ownership of risks in operations.

The landscape of current industry practices suggests that there is no single industry standard or a uniform approach for the design of institutional risk management functions. The critical feature is that the selected architecture must fit the specific circumstances and needs of each organization, including its culture, governance and oversight environment, risk profiles, size, complexity, degree of operational autonomy within the organization, etc. Additionally, the risk management architecture should not be static. Instead, it should evolve in a dynamic manner as these key organizational circumstances and needs evolve. IAD’s retrospective review of the Operational Risk Assessment Framework in FY14 highlighted the importance of instilling and nurturing a shared risk culture for the successful roll-out of the new Systematic Operations Risk rating Tool (SORT) in Bank operations.
Key elements in this process should include: (i) outlining a common set of values and behaviors guiding risk management and results culture; (ii) institutionalizing learning around informed risk management and learning from failure; and (iii) modeling of desired behaviors by Senior Management, especially when risks materialize. In the context of the planned implementation of the new unified risk management framework for operations, clear division of responsibilities between the GPs, Regions, OPCS, and the newly constituted Risk Advisory Group (to review high-risk operations) will be crucial for establishing clear accountability and ownership. Management has modified the Accountability and Decision Making Framework (ADM) in Bank operations to reflect the new operating model in FY15.

An important development in the Bank’s risk management architecture during FY14 relates to the creation, under the WBG Chief Risk Office (CRO), of a new Operational Risk department in addition to the already existing Credit Risk, and Market and Counterparty Risk functions. In addition, the CFO has established a Finance and Risk Committee, which is intended to provide governance over finance and risk issues within the Bank. During FY14, IFC developed an Enterprise Risk Management framework (ERM) to manage risks holistically and to provide a more informed basis for discussing IFC’s risk appetite. IFC has also established a new Corporate Risk and Sustainability VPU that unifies transaction enabling services, risk management, and legal support. MIGA is also focusing on risk management and reorganizing its risk function.

During FY15, IAD plans to conduct advisory reviews of: the mapping of risk management roles and accountabilities across Finance units in the Bank; the processes for managing operational risks (relating to people, processes and systems, as distinct from risk within WBG operations); and the roll-out of the ADM framework in Bank operations.

3. Collaborative external partnerships aligned with the goals

The new WBG strategy recognizes that the resources of any one institution, the World Bank Group included, are inadequate to meet the emerging development challenges. Partnerships focused on the goals (partnerships with governments, the UN system, multilateral institutions, new and emerging donors, the private sector, and civil society) will be critical to maximize the effectiveness of the Bank Group’s interventions. To this end, management has acknowledged the importance of aligning the partnership programs with the strategic goals of the institution. The new management framework for partnership programs is expected to provide for more consistent decision-making based on greater clarity on the Bank’s roles and accountabilities and the choice of financing mechanism, with special attention to financial intermediary funds.

However, fund-raising has been largely decentralized to date, and there has been limited focus on corporate management of partnership programs. At present, various models for the program secretariats are developed on a case-by-case basis in the absence of institutional standards or guidelines. While the portfolio of Partnership Programs (PPs) has grown significantly in recent years, the absence of adequate cost information makes it difficult to quantify all Project Management and Administration (PMA) costs, compare and contrast them across PPs, and determine their reasonableness. Rationalization, of both the size and the activities of in-house partnership program secretariats, is needed to improve governance and oversight of partnership programs. Creating consensus among donors on the “rules of engagement” is also important to increase the efficiency of donor-funded activities as it relates to trust fund operational and reporting requirements.
Partnering with the private sector to scale up impact will also be critical. In this regard, IFC is launching a client relationship model to develop long-term partnerships with clients according to their potential for development impact and their contribution to IFC profitability. During FY15, IAD will perform an advisory review of IFC’s management of client information to help IFC enhance the use of client intelligence to identify and explore more business opportunities. As part of its FY15 coverage, IAD will also review the WBG processes for donor reporting on Bank operations and the mapping of risks and accountabilities along the trust funds lifecycle.

4. A Financially Strong WBG

To deliver on the Strategy and meet the goals, it is imperative that the institution grows its financial capacity to deliver more to clients and maximize impact. The new finance and risk framework established by the Group CFO aims to strengthen the WBG’s financial capacity, optimize expenditure, and strengthen the capital base to meet client needs. Senior Management and the Board have approved a set of important measures aimed at enhancing IBRD’s revenues and capacity, thereby providing the institution with improved “margins for maneuver” to align its financial resources with its ambitious twin goals. Management is also enhancing the financial capacity by strengthening WBG's business model and by developing innovative approaches. For example, the new agreement between MIGA and IBRD to swap exposures is a new risk management tool that is expected to free up capacity and support additional business. IBRD is also exploring the use of several innovative financial structures for hedging exposures or crowding-in private sector financing, “leveraging” IBRD’s preferred creditor status. Concurrently, the group-wide Expenditure Review (ER) exercise is designed to achieve sustainable savings on the cost base, while retaining or expanding the capacity to deliver value to clients.

One key aspect, however, that needs to be carefully monitored is the continued alignment of risk governance and oversight, in the financial area, as some significant changes take place in the near future. Such changes include, for example: a) the strategic shift towards Finance and Treasury as an actual "line of business" rather than just an internal support function, or b) the shift towards a more active and dynamic management of the Bank's equity as opposed to the passive equity hedging strategy of the past few years. These changes are welcome and very much in line with the desire and need to build capacity and strengthen financial sustainability. However, the pursuit of higher returns goes hand in hand with a presumed willingness to take on more risks. Thus, there is a need to continually monitor the financial risk management framework and governance/oversight processes to ensure that they remain commensurate with increased risk-taking and that effective mechanisms are in place to independently and objectively monitor, measure and report both risk exposures and returns.

In addition, robust governance arrangements to monitor and periodically report on the achievement of the cost savings targets (after taking into account the upfront costs involved) to Senior Management and the Board will also be important. Management will also need to guard against possible erosion of cost savings over the medium term, which could offset the immediate institutional gains from the expenditure review savings. IAD’s FY15 work program includes an advisory engagement on the norming of Country Management Units (CMUs) to support management’s ongoing work on the Expenditure Review exercise.

5. Knowledge, Learning and Innovation

We noted in our FY13 Annual Report the importance of managing knowledge as a strategic asset at the portfolio level. The institution has historically managed knowledge in an unstructured way, resulting in missed opportunities to maximize the Bank Group’s value proposition. Fragmented knowledge management systems have not supported the production, capture, curation, and flow of knowledge. Other contributing factors include lack of incentives in building a culture that values knowledge and under-investment in knowledge governance. Management has underscored the importance of creating a new knowledge management ecosystem that includes integration of technology and knowledge platforms as well as advocating “knowledge citizenship” to foster behavioral change. While the GPs are intended to strengthen the mobilization, flow, and sharing of expertise and knowledge that has been historically fragmented across geographic and sector units, the focus on “Science of Delivery” seeks to emphasize the use of evidence and metrics to continuously measure, learn, and adapt as an organization. IAD’s FY15 Work Program includes a review to assess the processes for delivery of knowledge products within the Bank.

6. Information Technology to deliver transformative change

Information Technology systems that connect staff to information, knowledge, clients, and to each other are critical to the implementation of the change agenda. Simple and flexible IT solutions can be a significant “capacity multiplier” in fostering efficient and streamlined business processes. Management has completed the extensive systems preparatory work underpinning the transition to the new operating model with GPs and the CCSAs.
As full implementation of the new operating model and other components of the change agenda get underway in FY15, continued focus will be needed to upgrade and to adapt the WBG IT infrastructure and network to enable connectivity and knowledge flows, including expanding bandwidth, migrating to cloud-based storage systems, and consolidating and harmonizing data and analytics for corporate-level dashboards. The renewal of IT infrastructure in a resource-constrained environment, based on strategic business objectives and effective needs-based prioritization, will need to be an area of focus.

There are a number of areas wherein technologies and/or applications could be leveraged in a potentially more integrated manner. Differences still exist between the Bank and IFC in the understanding of IT roles and responsibilities in Country Offices, security configurations, change management, and the oversight and monitoring of processes to manage IT platforms. The ongoing Information Technology Integration initiative, which includes the process convergence work, offers an opportunity to consolidate IT infrastructure.

IAD’s audit results indicate significant progress made by management in the information security area, with the implementation of its next generation cyber-security strategy to protect information assets. On a broader scale, there is a need for better alignment of the information security strategy with institutional risk appetite, in order to determine the options and levels of risk management. The extent of Board involvement in the overall governance and oversight of IT related risks also needs clearer articulation. IAD’s FY15 IT coverage is designed to strike a balance between emerging areas of focus, such as Cloud Computing Infrastructure and Integration, and the Joint Cash Management System, as well as coverage of mature processes such as those relating to IT identity and access management, and database management.

7. Talent Management and HR Reforms

Improving talent management is indispensable to creating and maintaining a capable and committed workforce to deliver on the WBG strategy. A systematic corporate management of staffing practices throughout the World Bank Group is also important to: (i) align staffing with strategic priorities, for example, through the GPs and the new strategic budget planning process; and (ii) achieve efficiencies, through redeployment and reassignment of staff that will be applicable across the Group including IFC and MIGA. The recent measures introduced around “employment controls” are intended to promote and preserve institutional efficiencies and to ensure staffing growth is solely driven by business needs. Management’s planned implementation of HR reforms is intended to focus on (a) improving managerial effectiveness; (b) proactively managing careers and talent; (c) rewarding and recognizing staff differentially on the basis of their performance and skills; and (d) leveraging the WBG’s global workforce.

Building a culture of performance and accountability will be equally important in delivering on the WBG Strategy. Management is working to align staff and unit objectives to corporate priorities and to introduce a new performance rating system to reward performance, results, and behaviors. HR’s capacity to support the various aspects of the current reform agenda and the successful design, sequencing, and execution of reforms across the entire suite of HR areas (strategic staffing, compensation and benefits, talent management, performance, leadership and managerial development) will constitute a foundational pillar of the change process.
IAD’s FY15 Work Program includes specific reviews to assess: (i) the effectiveness of change management processes in the context of the new operating model; and (ii) the post-implementation of business process changes within the HR PeopleSoft system. 8. Culture and Incentives: The significance of institutional culture for successful execution of the WBG Strategy and implementation of the change agenda cannot be overstated. While structure is important, culture is paramount in successfully implementing the change agenda. The institution’s ability to deliver on its strategy and reform its processes will, to a very large extent, hinge on the extent to which management and staff behaviors are aligned with core aspects of the change process (e.g., Working as One World Bank Group, willingness to take informed risks, candidly discussing problems and failures in order to foster institutional learning, focus on solutions that work, etc.). Any misalignment between the existing incentive/reward systems and these desired behaviors could jeopardize the success of the reform agenda. For example, for the new unified risk management framework within Bank operations to be effective, management will need to articulate how the new framework incentivizes candor in reporting project level risks and fosters risk-informed decision making. Sustained commitment to culture change will be necessary to make change stick, as changing institutional culture is admittedly a medium to longer term process. This also requires a culture of openness where staff can both express new ideas and be critical of change implementation methods without fear of retaliation, and a strong internal justice system to support that culture. WBG Management has expressed a clear intent to undertake a program of cultural transformation to encourage new behaviors among leaders and staff, including collaboration, decisiveness, informed risk-taking, results focus, and responsibility to create and share knowledge.
Fostering a deeper understanding of the importance of shifting culture through staff engagement and through the role modeling of desired behaviors by leadership will send a strong signal that culture change is indeed taken seriously and will set the tone for behaviors across the institution. Formal (performance evaluation) and informal (recognition) incentives should also help reinforce these messages.

In summary, the current reform agenda, if successfully implemented, has the potential to open up a number of significant opportunities for the WBG. Effective operationalization of the various elements of this reform agenda would undoubtedly position the WBG to make significant headway towards the achievement of its new goals. Yet this successful operationalization will also require continued attention to the equally significant challenges that inevitably come with any ambitious reform of this magnitude, as highlighted in this report:

- Clarity of roles and responsibilities to drive strong accountability, and effective rules of engagement between the different business units (GPs, Cross Cutting Solutions Areas, Regions, etc.) to support the implementation of the new operating model;
- Strong incentives and effective mechanisms for collaboration within the WBG entities while carefully managing potential conflicts of interest, and better leveraging of synergies across Bank Group entities to fully realize the benefits of an integrated model;
- Clear delineation and understanding of both risk appetites and accountabilities for managing risks within those appetites;
- Design of a reward system and incentive mechanisms to promote the cultural changes that must underpin any sustainable reform of the institution;
- More effective alignment of partnerships and external funding with the institution’s strategic priorities, along with more streamlined processes with the various donors; and
- Quality of data and effective management information systems to support timely and effective decision-making.

On a closing note, while management needs to build on the momentum and maintain the sense of urgency around the key reform areas, it will be equally important to maintain focus on quality of operations and responsiveness to client needs. The implementation of the change agenda will require the organization to make decisions based on imperfect information, assumptions, and estimation. Thus, course corrections will be needed along the way, which are normal and expected with any major reform process. However, for this approach to yield long term success, effective monitoring and feedback mechanisms need to be carefully designed to continuously assess, in a timely and, even more importantly, a candid manner, what is working and what is not, and to make necessary adjustments on a real-time basis as better information becomes available. Effective implementation of the WBG Strategy will also require business processes to be simplified and streamlined to foster continuous improvement and to make it easier for task teams to serve clients.
OPCS is working with a cross-functional Bank team to develop an action plan for simplification, based on staff input received through a crowd-sourcing exercise. The implementation of the action plan is being closely monitored by management, with regular updates provided by OPCS. From a governance and role clarity standpoint, it will also be important to ensure clear ownership for each of the change work streams. Management’s Integrated Project Management Plan (IPMP) is a welcome step in establishing an overall monitoring and evaluation framework for measuring progress against the change objectives, by “unpacking” the change objectives into actionable deliverables and milestones. The President’s Delivery Unit (PDU) has also been constituted with the objective of monitoring the institutional focus on selected key indicators for results measurement. IAD looks forward to working collaboratively with Senior Management and the Audit Committee during FY15, as the institution moves forward with the implementation of the WBG Strategy.

Hiroshi Naka
Vice President and Auditor General

3. Management Response to the IAD FY14 Annual Report

The World Bank Group (WBG)’s Management team welcomes the FY14 Annual Report on the Internal Audit Vice Presidency and appreciates the forward looking approach of IAD’s views on the challenges facing the institution as it strengthens the new structure and operating model to achieve our goals of ending extreme poverty and promoting shared prosperity. Management recognizes that leadership direction, sustained commitment to the vision, and role modeling of desired behaviors and values will be vital to success, as is putting in place the structures, processes and incentives to enable staff to perform to their highest potential and deliver for our clients.
As noted in IAD’s comments, the WBG is at an early stage of implementing the new operating model, and embedding the new structures, processes and procedures will take time. Management’s comments below focus on IAD’s qualitative comments in the FY14 Annual Report. The WBG strategy builds on the important foundation set by recent reform efforts, including the modernization agenda, IFC 2013 and MIGA’s strategy review. The three key elements at the core of the WBG’s Strategy are:

- Tackling the biggest challenges — strengthening the focus of country programs through a more evidence-based and selective country engagement model, while supporting complementary regional and global engagements necessary to advancing the WBG goals
- Becoming the “solutions WBG” — establishing global practices, undertaking more joint projects and business planning, and scaling up knowledge and innovation as key accelerators toward the goals
- Working through partnerships — building on existing collaborative relationships, further leveraging private partners, actively engaging civil society, and strengthening strategic alignment of trust funds and partnership programs with the goals.

Management agrees that while collaboration and cooperation across the WBG and organizational units is paramount to successful implementation of the strategy, clarity of roles and responsibilities together with clear accountabilities is equally important. An important development to address these challenges is the implementation of the WBG Corporate results framework and Scorecard to help monitor progress and take early corrective action when needed. The introduction of the new risk management framework for operations, which is progressively being rolled out across all instruments and operations, is an important element of Management’s focus on informed risk taking and streamlining of processes.
The recently formed Risk Advisory Group for high risk operations is establishing clearer accountabilities, and a series of actions have been/are being taken to improve and streamline business processes (e.g. simplification, ADM, streamlined coding). Management recognizes that getting work done under the new operating model will require greater collaboration among a more diverse group of people performing new tasks, in more locations, under greater expectations. To support this new approach, Management is encouraging and enabling wider staff networks and connectivity while providing a strong sense of direction, implementing integrated workflows, and leveraging technology and aligning incentives. As highlighted by IAD, while maintaining the sense of urgency around strengthening the new operating model, it will be equally important to maintain focus on quality of operations and responsiveness to client needs. Management recognizes the complexity of the change agenda and the challenges that come with it, and welcomes the future IAD audit and advisory reviews that are planned to provide observations, empirical evidence and assessments in support of the efforts to strengthen the WBG.

4. Summary of Audit Results

World Bank Group

The audit of the WBG Records Management covered the governance framework and technology solutions supporting the records management program as well as monitoring and training practices. The audit noted significant progress made in recent years, including (i) development of records management directives; (ii) implementation of a documentation management system (WBDocs and IFCDocs); (iii) establishment of dedicated records management teams in both IFC and MIGA; (iv) launch of training courses and introduction of employee incentive programs; and (v) communication of qualitative metrics. However, despite this progress, the WBG’s records management program has considerable scope for improvement in the areas of: (i) consistent practices across units; (ii) effective monitoring of the program; (iii) representation and mandate for the primary governance body; and (iv) accountability to manage the program. The ability to effectively manage records is also hindered by the limited search capabilities in the electronic records management systems. Management will reassess and redefine strategies to increase adoption of the records management program, to strengthen the governance function and the linkage between defined metrics and results, and to foster better accountability and enforcement.

The audit of the WBG Open Data Initiative covered management practices supporting the Open Data Initiative (ODI), and highlighted the existence of sufficient risk management and control processes over the ODI, clear criteria for releasing data in open format, and effective controls to ensure that the data being released meets the requirements of being open, accessible and searchable. The Bank’s Access to Information Policy forms the basis for an ‘open by default’ approach, which is a leading practice. The Open Data ‘terms of use’ effectively safeguard the WBG interests by clearly defining the open license for datasets, attribution requirements and exclusion of liability associated with the use of the data provided. Although considerable achievements have been made in each stated strategic objective of the ODI, it is difficult to ascertain the level of progress against objectives, as specific milestones are not defined. The Open Data Working Group has worked well as a ‘coalition of the willing’ since the initial start-up phase of ODI until now, but it needs clearer and specific authority as a governance and oversight function to ensure broader participation across the World Bank Group going forward.

The objective of the audit of the WBG Internal Network Security was to determine whether: (i) governance processes have been established; (ii) the internal network architecture is securely designed and implemented; and (iii) controls are in place to monitor and respond to network availability issues. The audit concluded that the WBG internal network is secured through multiple technologies and controls, including but not limited to centralized network device management, network access control, intrusion detection and security monitoring, and network segmentation. While IAD acknowledged that management has made a significant effort over the past few years to improve security of the internal network, it also noted existing control weaknesses in the maintenance of the WBG internal network security. The IT integration project will address harmonization of remaining differences between the Bank’s and IFC’s network security controls. Management will continue to seek further opportunities to strengthen the WBG internal network security.

Contribution to Institutional Change Priorities
IAD’s FY13 audit of the Bank’s Corporate Budget Process contributed to institutional actions to enhance the usefulness of the budget as a strategic tool, including: (i) greater linkage between budget allocations and strategic priorities; (ii) formulation of metrics to guide and assess reasonableness of budget allocations; (iii) informed consideration of external funds in budget decisions; and (iv) clearer delineation of the roles and authority of the corporate budget unit. The report informed Senior Management’s reform efforts in designing and rolling out a new strategy-driven budget process during FY14, under the oversight of the Managing Director and WBG CFO.

The objective of the audit of the WBG UNIX Server Platform was to determine whether: (i) effective governance processes have been established; (ii) Unix servers are configured securely; and (iii) system changes and patches are implemented effectively. The audit showed that the WBG has implemented a number of controls to secure the Unix server environment. These controls are defined within the Unix Server Security Standards. The audit also noted the existence of issues stemming from the overall governance environment that increase the risk that the WBG’s critical assets are not being secured in a manner that is consistent with management intent. ITS management has agreed to undertake a review of the existing governance structure for managing Unix servers, to develop a plan to revamp and strengthen the asset management process, and has taken action to ensure that the security issues noted in the Unix servers have been remediated.

The objective of the audit of the WBG Cyber Threat Management and Preparedness was to determine whether: (i) processes have been established to govern the management of cyber threat preparedness; (ii) the WBG has developed a strategic and intelligence-driven approach to understanding cyber threats; and (iii) capabilities are implemented for identifying and containing cyber threats. The audit noted that the WBG Office of Information Security (OIS) has made a significant effort and investment in the area of developing and improving cyber threat monitoring and response capabilities to strengthen the WBG’s overall security posture. The Information Security Operations Center (iSOC), established by OIS, operates on a 24/7 schedule and provides security incident monitoring and response capabilities. The audit also highlighted that the controls and processes related to cyber threat monitoring and response for the iSOC are designed and operating effectively. Though no significant issues were identified during the audit, IAD noted areas to further improve the maturity and effectiveness of cyber threat management and preparedness.

The objective of the audit of WBG Country Office (CO) IT Operations was to determine whether: (i) governance over CO IT operations and processes to manage IT infrastructure and assets are adequate to support the country office business needs; (ii) CO IT facilities, infrastructure, and assets are secure; and (iii) CO IT expenditures are effectively managed and monitored. The audit did not identify any significant control weaknesses in the IT operations of COs, and noted that the IT infrastructure in COs, while limited by design, is well managed. The audit noted, however, that with the ITS integration and the planned transition of CO IT teams to a new centralized reporting structure, effective FY15, ITS Client Services (ITSCS) has an opportunity to further break the silos, reduce redundancies, and increase knowledge sharing between the Regional IT teams to ensure their clients in country offices are being served effectively.

Contribution to Institutional Change Priorities
IAD’s review in FY13 of the Bank’s Operational Framework for using Investigation Results in Bank-Funded Projects highlighted the need for a consistent flow of investigation-related feedback into Bank operations, as well as effective corporate oversight arrangements. Management has since clarified the working arrangements between INT, OPCS and Regions, including processes and accountability for development and monitoring of action plans addressing INT investigations. Implementation of the working arrangements in FY14 also includes annual discussions of the main issues arising from final investigative reports and action plans, and the issuance of an annual report. A more structured process for identification of projects with high F&C risks has also been implemented.

IBRD/IDA

The audit of the Bank’s Management of Legal Risks covered the roles and responsibilities in the management of the Bank’s legal risks, the risk assessment process, and the process to manage the preparation of legal contracts, along with other related topics. The audit noted that the Bank has effective processes in place to identify, monitor, and mitigate legal risks in its operations and activities. The Bank’s legal department is effectively involved in the identification and mitigation of legal risks, including ensuring that the Bank’s immunity is effectively preserved and its interests are safeguarded.

The objective of the audit of the Bank’s Management of Fees for Reimbursable Advisory Services (RAS) was to assess the effectiveness of existing governance and control processes and the design of planned control improvements. The audit highlighted that management has been proactive in the self-identification of issues relevant to RAS. Many control improvement measures to standardize and streamline processes were either in progress or completed at the time of the audit. The audit also noted that while the existing management-level controls mitigate key risks within the process for the current scale of the reimbursable advisory services operations, there is a need to ensure that a holistic set of effectively designed and consistently implemented institutional controls is in place for the management of fees for the RAS. Management has agreed to implement an institutional costing methodology and facilitate Senior Management discussions on holistic portfolio level assessments of the RAS business line as part of the business planning process.

The objective of the audit of the Management of Ineligible Expenditure of Investment Project Financing was to assess the governance, risk management, and controls over the processes for: (i) reviewing potential ineligible expenditures; (ii) deciding on legal remedies when ineligibility has been confirmed; and (iii) reporting ineligible expenditures to relevant parties. Adequate controls are in place over the processes used by regions and Controllers’ (CTR) to review ineligible expenditures and analyze the underlying root causes at the project level. Trends and lessons learnt have been captured and disseminated at the regional level and fed into existing and future operations. The audit also highlighted the need to increase efficiency of ineligible expenditure management by prioritizing review of potential and confirmed ineligible expenditures in view of attaining a good balance between costs and operational benefits. It also noted that compiling the information on ineligible expenditure at an institutional level will streamline communication among the units involved.

Contribution to Institutional Change Priorities
IAD’s FY12 review of the Bank’s Policies and Procedures Framework focused on the overall policy architecture, including the ownership of policies and procedures, processes for the development of new and significant revisions to existing policies and procedures, implementation processes, policy retirement and archiving. The review highlighted the need for Senior Management to sponsor the development of a single WBG Policy and Procedures Framework, including establishment of the requirements and responsibilities for the development, approval, communication, implementation and review of all policies and procedures. The engagement results helped inform the development and roll-out of a new group wide Policies and Procedures (P&P) framework by the Legal Vice Presidency, with a clear distinction between mandatory requirements and optional guidance.

The objective of the audit of IBRD’s Net Income Projection Process was to evaluate and assess the adequacy and effectiveness of: (i) governance over the projection processes including roles and responsibilities; (ii) use of projections as a tool to facilitate the Board’s year-end income allocation decision-making, and to provide information regarding the future direction of net income for corporate planning purposes; and (iii) processes for projecting income from various sources, such as loans and investments, and expenses. The audit noted that the design and implementation of controls over IBRD’s net income projections are adequate for their current use, purpose, and intended objectives. Controls are in place that help ensure accurate, complete and timely reporting of the projections along with the underlying assumptions to support the Board in income allocation discussions and decision-making. In addition, at the operational level, sufficient data validation controls are in place to ensure quality and reliability of the reported net income projections. The audit outlined certain efficiency and effectiveness related aspects that would contribute to the future use of these projections by the institution.

Contribution to Institutional Change Priorities
IAD’s FY13 advisory review of the Bank’s Funding of “Below the Line Grant-Making Facilities” evaluated the Bank’s budget allocation to five grant-making facilities, and highlighted that these allocations had been based on historical precedent and not fully reassessed at the time of annual renewal. At the facility level, the absence of established financial management practices impedes comparative assessment of funding needs. This review provided an important input to management’s budget discussion of the “below the line” budget and Bank-funded grant-making facilities. Management and the Board decided to eliminate the concept of “above the line” and “below the line” budget items effective FY15, and to phase out the Bank’s financial contributions to grant-making facilities.

IFC

The objective of the audit of IFC’s Corporate Scorecard was to evaluate IFC’s Corporate Scorecard and to assess the adequacy and effectiveness of: (i) the governance structure, including roles and responsibilities; (ii) the linkage of scorecard indicators to the institution’s strategic priorities; and (iii) Management’s use of the corporate scorecard as a tool for results measurement. The audit highlighted a strategy formulation process that sets specific corporate priorities, which are reflected in the core scorecard indicators. The framework includes a robust cascading process that links the strategic focus areas in the corporate scorecard to the operational targets at the Vice President and Director levels, which are then tracked in separate but related departmental scorecards. In addition, IFC has established appropriate incentive mechanisms by setting up variable reward programs that provide additional compensation to business units that meet or exceed their indicator targets. Notwithstanding these strengths, the audit also highlighted weaknesses in IFC’s scorecard process as it relates to facilitation of dialogue with the Board, the nature of metrics to track developmental impact, alignment across IFC business lines, and administration of the scorecard.

The objective of the audit of IFC’s Nominee Directorship and Fund Committee Membership was to evaluate and assess the: (i) overall governance framework; (ii) process for identification and selection of candidates; (iii) performance monitoring and reporting; (iv) directorship fees and expenses; (v) legal risk management; and (vi) related information technology controls. The audit noted that robust controls are in place to analyze and manage potential conflicts of interest within directorship assignments, ensure compliance with relevant local laws, and cover potential legal liabilities to IFC and Nominee Directors. Given the fast growth of IFC’s equity investments as well as the increased strategic relevance of the role that Nominee Directors play in enhancing the development mandate, further strengthening is required in the areas of independent performance monitoring, clarification of the roles that Nominee Directors can play in addition to their fiduciary role, establishment of processes for continuous monitoring of procedural restrictions, and enhancement of controls for timely renewal of Directors’ and Officers’ (D&O) liability insurance.

IAD’s audit of IFC’s Management of Funding Operations assessed: (i) the governance structure; (ii) funding strategies and the process for issuance of debt; (iii) the trade execution, verification, confirmation and settlement process; (iv) cash reconciliation and trade accounting; and (v) debt servicing, buybacks, call monitoring and trade terminations. The audit noted that controls over IFC’s funding operations are adequately designed and operate effectively, and that the current governance structure supports management oversight over the funding operations. Although there is a robust governance structure and operational controls are operating effectively, the audit identified opportunities to enhance process documentation and segregation of duties, and to improve efficiency through increased automation in the debt servicing process.

IAD’s audit of Environmental and Social (E&S) Risk Management in IFC Projects covered IFC’s E&S risk management for investment and advisory services projects. The audit noted that IFC has strong processes in place to identify, manage and monitor E&S risks, with a clearly defined and publicly available risk framework. The E&S risk management process is led by a department of technical experts, CES, who are responsible for conducting due diligence, advising clients on how to mitigate E&S risks, and supervising projects’ E&S performance over time. CES also has processes in place to monitor the institution’s compliance with E&S procedures and to continuously improve implementation of the Sustainability Framework. The audit noted some areas for improvement related to the January 2012 update of IFC’s Sustainability Framework, including the Access to Information Policy (AIP). IFC management has, in most cases, already recognized the need to address the identified weaknesses and has initiated efforts to strengthen controls.

Contribution to Institutional Change Priorities
IAD’s FY12 audit of the Management of Integrity Due Diligence (IDD) in IFC’s Projects assessed whether IFC has a robust IDD process for investment and advisory projects. The audit showed that IFC management has paid increased attention to integrity risk and developed an improvement plan, which introduces a more systematic approach to risk identification with a view to ensuring that all projects with a high integrity risk are identified and referred to IFC’s Integrity and AML/CFT unit. However, the plan did not include effective oversight of the business units’ rigor in adhering to IFC’s corporate principles on integrity risk management. Management has since implemented a more robust oversight process to address the weaknesses identified in the audit.

MIGA

The audit of MIGA’s Process for Pricing Guarantees covered: (i) the governance framework for guarantee pricing; (ii) the pricing methodology and calculations; (iii) the pricing/costing model; and (iv) the development and vetting of underlying assumptions. The audit highlighted that the design and implementation of controls within MIGA’s guarantee pricing process are effective. A framework exists for setting guarantee premiums with defined objectives for pricing, and the principles that drive premium and fee setting are established in the Board approved MIGA Operational Regulations.

Contribution to Institutional Change Priorities
IAD’s FY13 audit of Environmental and Social Safeguards Risk Management in MIGA Projects highlighted that although MIGA had adequate controls in place to identify and assess environmental and social risks in the underwriting process, its related risk monitoring of existing projects was not systematic and organized. Information about monitoring activities was not always accurate, and key project documents were difficult to locate due to the absence of an effective record management system. Since the audit, management has strengthened monitoring by redefining processes and introducing a more disciplined approach to tracking implementation of environmental and social action plans. In addition, in the spirit of the One WBG approach, MIGA updated its standards and harmonized them with the E&S standards of IFC, since both entities interface with the private sector.

5. Summary of Advisory Work

Advisory Reviews

In addition to its audits, IAD conducts advisory reviews, which provide management with guidance on risk and controls and are typically focused on new and developing processes and systems.

The objective of the advisory review of the WBG Information and Technology Solutions (ITS) Integration – Risk Management was to provide guidance to the newly integrated ITS security and risk management group on oversight of integration-related risks. The advisory team: (i) provided a holistic view of the organization’s risk methodologies and showcased the differences and similarities between the Bank and IFC practices; (ii) created an inventory of the current state of risk management capabilities and compared them to industry leading practices and the core components of an efficient risk management framework; (iii) identified and documented high-level observations and gaps; (iv) developed detailed recommendations for the future state of ITS risk management; (v) developed tools and templates to support ITS risk management activities going forward; and (vi) advised on industry leading practices and recommended key risk indicators to appropriately track risk levels.

The objective of the advisory review of WBG Cloud Computing was to determine whether: (i) processes have been established to govern the management of the cloud computing environment; (ii) ITS has developed an approach to evaluate cloud computing use cases and vendor cloud solutions offerings; and (iii) key requirements for addressing risks related to security and data protection are considered prior to cloud implementation. The review noted the significant effort and investment the WBG has made over the past year to establish foundational capabilities to adopt cloud solutions, including the: (i) establishment of a governance structure to manage and facilitate adoption of cloud solutions; (ii) creation of a risk assessment framework to manage cloud-related risks; and (iii) recognition of the need to invest in enhancing and building unique cloud competencies. The review’s key recommendations included: (i) development of a three-year strategy to build a cloud-enabled target state environment; (ii) development of cloud reference architectures to execute the multi-stage roadmap and achieve the target cloud operating model; and (iii) enhancement of the effectiveness of risk assessment processes and development of a vendor risk management program. Additionally, given the dynamic technology landscape of cloud computing, management should continue to maintain its focus on further strengthening governance processes and execution of the Cloud-First approach at the WBG.

Contribution to Institutional Change Priorities
With a view to supporting the Bank’s broader expenditure reviews, in FY14 IAD performed fact-based efficiency reviews during the quarter in the areas of (i) fiduciary risk management in Bank operations and (ii) the Bank’s Resource Management (RM) function. The reviews were designed to support management’s effort to identify areas of efficiency gains, by providing an objective fact base on the current state environment. The scope of work on the fiduciary piece entailed a specific focus on opportunities for efficiency gains in key fiduciary activities, such as the Bank’s procurement prior and post reviews, review of FM external audit reports provided by borrowers, and the Controller’s disbursement processes. The RM review covered the organizational structure and service delivery model of the function with a view to identifying opportunities for leveraging economies of scale through both structural consolidation and process simplification. IAD’s analyses were provided to the relevant stakeholders to help inform Senior Management decision making in these functional areas.

The objective of the Overview of the Bank’s Resource Allocation Process for Project Implementation Support was to provide a fact base to support the Bank’s current institutional change initiative as Senior Management thinks through a revised approach to managing risk in operations. The review highlighted similarities and differences in Regional practices: in the use of portfolio risk information to allocate monetary resources to individual projects; in portfolio arrangements for responding to changing operational needs; and in management’s monitoring of resource usage.

The objective of the advisory review of the Bank’s Oversight of Costs and Expenditures of Partnership Program Management and Administration (PMA) was to: (i) review existing controls over costs and expenditures of PMA functions; and (ii) provide specific recommendations to Management for improving the existing practices. The review noted that the significant growth of the partnership program has resulted in inconsistencies in the internal arrangements for PMA across the partnership programs. PMA units were created on a case-by-case
IAD presented a high level analysis for basis to meet the specific needs, but without clear consideration by Senior Management as it creates a Bank-wide standards. This resulted in different new suite of risk measures and decision-making practices in the costing, funding, and reporting of PMA processes for operations. units, making it difficult to quantify all PMA costs, compare and contrast them across PPs, and determine The objective of the advisory review of the their reasonableness. IAD recommended that going Disbursement Assurance Framework (DAF) was to forward, management needs to enhance the coding evaluate the effectiveness of the DAF in enabling the and resource management approach to PMA World Bank disbursement unit to gather all relevant functions. Management committed to developing fiduciary risk information, make fully informed further guidance for PMA, recognizing that the decisions, and identify areas for improvements. The responsibility for follow-up on some of the review highlighted that the direction of the DAF recommendations may shift with ongoing changes in concept is consistent with the institutional shift to risk- Bank operational structures. based approach to internal control activities. IAD recommended that management enhance the design of the framework to increase tangible benefits in terms of both efficiency and additional assurance; and further clarify risk definitions, risk attributes, and criteria for risk rating. Contribution to Institutional Change Priorities IAD’s FY13 advisory review of the Integration of the WBG Information and Technology Organization (IMT ) facilitated the transition to the integrated IT organization, by providing a stock-take of the current state Operating Model across the information technology units of the Bank and IFC, including assessing the key similarities and differences across major functions and capabilities between the two units. 
The review also provided an analysis of the target operating model alternatives and the related trade-offs. The review results were a key input to facilitate the successful deployment of the new integrated organization in FY14. IADVP FY14 Annual Report I 25 5. Summary of Advisory Work Advisory Reviews (contd.) The objective of the advisory review of the Integrity the implementation of ORAF with a specific focus on Vice Presidency Independent Advisory Board (IAB) its use and effectiveness as a risk management tool; was to assess the organization of the IAB, its and (ii) review the constituent elements (culture, effectiveness and continued adequacy of its systems and tools, structure and organization) mandate. The review concluded that the IAB has underpinning the architecture of the new unified risk accomplished the various tasks it was requested to framework, informed by IAD's analysis of the lessons undertake, and has advised the President and the learnt from the ORAF implementation experience. Audit Committee on the function of INT and other The review noted that the intent and conceptual requested topics, and provided continuous underpinnings of ORAF were sound and that the assessment of INT’s performance. IAB has served as a framework was designed to promote a structured and trusted independent advisor to INT management and disciplined approach to risk identification, assessment, helped steer the function. In contrast, the views of and mitigation. However, ORAF could not be regional units and other units that interacted with IAB successfully operationalized due, in large part, to the have been mixed with respect to the usefulness of IAB lack of incentives for its use and the consequences of to the institution. The IAB’s effectiveness has also its use. 
The review also noted that although been affected by the weaknesses in the design of its management has recognized the significance of work processes such as the lack of an institutional culture, tools, and structure in the new framework, forum to discuss IAB recommendations involving there is a need to factor lessons learned from ORAF operational units, lack of a feedback loop to IAB, and into the design and implementation of the new the absence of systematic response to IAB’s framework. IAD provided management with an recommendation within management. analysis of lessons learned, key takeaways and considerations going forward. The objective of the advisory review of the Bank’s Environmental and Social Risk Management was to In the Status Memorandum on IFC’s Management of assess the Bank's environmental and social risk Market Risks in Equity Portfolio, IAD reviewed the management practices with a focus on: (i) analysis performed by IFC’s management to support environmental and social risks’ identification and the decision to accept the price volatility and the response; (ii) monitoring of the implementation of volatility of the foreign exchange in its equity mitigation measures, and tracking of environmental investments. IFC's Corporate Risk Committee (CRC) and social risks throughout the project lifecycle; (iii) approved the 'Equity Risk Policy Framework’, accountability arrangements and management’s acknowledging that risk acceptance posture. IAD oversight of environmental and social risk obtained and reviewed the management analysis management; (iv) the resources for environmental underpinning the risk acceptance decision and and social risk management including the allocation of overarching conclusion leading to the approval of the technical experts; and (v) the standards set for “Equity Risk Policy Framework”, but since the new and environmental and social development specialists’ approved framework introduced no new processes or technical training. 
The review identified improvement controls deemed auditable, no audit procedures were opportunities in the Bank’s practices for performed. IAD recommended that management: (i) environmental and social risk management related to establishes processes for ongoing measurement, institutional instructions, assignment of monitoring and analysis of risk, (ii) ensures periodic responsibilities, integration between budgeting reporting to Senior Management and the Corporate decisions, activity planning, and staffing, and Risk Committee on the results of the periodic re- institutional authority to make top-down decisions. assessment, and (iii) communicates risk acceptance decisions and underlying rationale therefor to the The objective of the advisory review of Operational Audit Committee. Risk Assessment Framework (ORAF) was to: (i) review IADVP FY14 Annual Report I 26 6. Methodology and Professional Practices IAD’s Risk Assessment Principles management process and consider the most The Institute of Internal Auditors’ International significant risks of the organization in determining Standards for the Professional Practice of Internal priorities for allocating internal audit resources. (IIA Auditing (“the Standards”) emphasize top-down, risk- Practice Advisory 2010). based planning consistent with the organization’s goals, taking into consideration the input of Senior IAD’s risk assessment process is consistent with IIA Management and the Board. Internal audit planning standards. Figure 1 describes the principles on which needs to make use of the organizational risk IAD bases its annual risk assessment. Figure 1: Principles for IAD’s Risk Assessment In accordance with IIA Standards, IAD establishes risk-based plans taking into account the World Bank Group’s risk management framework. Institutional Management’s view Priorities of risks Top-down approach Principles of Risk Assessment Principles of Risk Assessment 1. Risk assessment is aligned to WBG 4. 
In addition to engaging with key strategy. The objective of the process is stakeholders, risk coverage is to identify and prioritize potential audit coordinated with other oversight units. areas that pose the most significant risks to the WBG and could prevent it from IAD’s 5. Risk assessment is a continuous achieving its goals and objectives. FY14 activity. When changes occur and risks Annual shift, IAD adjusts its Work Program to Work 2. IAD’s focus is on high-rated risks. The stay aligned. IAD communicates its risk Program approach undertaken recognizes that assessment results to the Audit audit resources are limited, which Committee, including how emerging prohibits 100% coverage of all areas each risks have been addressed. year. The Work Program will aim to 6. Professional judgment is an cover most of the high risks areas each important component of the risk year. assessment process. The quantitative and qualitative factors used to evaluate 3. IAD must evaluate the effectiveness, and prioritize risks are periodically and contribute to the improvement, of evaluated in order to ensure relevance WBG’s risk management processes. in the risk assessment process. Bottom-up approach Results of IAD’s IAD’s knowledge of Ongoing consultation prior audits risks & controls with management IADVP FY14 Annual Report I 28 6. Methodology and Professional Practices Responsiveness to Institutional Changes – Risk Refresh Process Mid-Year Risk Refresh: IAD conducts a mid-year risk Practice Advisory refresh to ensure that its Work Program remains 2010-1 – Planning current. The risk refresh outputs are translated into The audit universe and related audit plan are proposed changes to the Work Program. updated to reflect changes in management direction, objectives, emphasis and focus. 
It is Work Program Modifications: In addition to the advisable to assess the audit universe on at least an formal and comprehensive mid-year risk refresh annual basis to reflect the most current strategies exercise, IAD also makes modifications to its Work and direction of the organization. In some Program in response to ongoing organizational situations, audit plans may need to be updated changes and institutional requirements. more frequently (e.g. quarterly) in response to changes in the organization’s business, operations, The objective, approach and output of IAD’s risk programs, systems, and controls. refresh process shown below in Figure 2. Figure 2: IAD’s Risk Refresh Process Objective Approach •Confirm that IAD's Work Program •High level validation based on a Risk Refresh Output continues to be relevant taking into top-down strategic approach •Proposed changes to account changes in: (i) risk profiles leveraging management’s view of the Work Program are including consideration of emerging risk, information from IAD deliberated by IAD’s risks; (ii) control environment; and, (iii) reviews , board papers, emerging Management Team stakeholder expectations. risk and control themes The business case for the Work Program changes are deliberated by IAD’s Management Team and approved by the Vice President and Auditor General. The proposed changes are communicated to Senior Management and the Audit Committee through IAD’s Quarterly Results Report. Responsiveness to Institutional Changes – Advisory Engagements IAD’s core remit is to provide assurance on control design and effectiveness. However, IAD is actively Definition of Advisory supporting Senior Management by increasing its Reviews by IIA advisory engagements to support WBG’s Advisory and related client service activities, the unprecedented Change and Reform agenda. 
Leading nature and scope of which are agreed with the industry studies on the role of the Internal Audit client, are intended to add value and improve an Profession reveal that internal audit units are organization’s governance, risk management, and increasingly looking beyond the core assurance control processes without the internal auditor mandate and aiming to provide increased value as a assuming management responsibility. trusted advisor to the business, thereby driving performance improvement initiatives and helping close internal control gaps. IADVP FY14 Annual Report I 29 6. Methodology and Professional Practices Responsiveness to Institutional Changes – Advisory Engagements (contd.)  Linkages to Assurance Work: IAD’s Advisory 2010.C1 – Planning Reviews, provide valuable knowledge, and assist in adding value and depth to its core Assurance work at a later stage. The early signals and The Chief Audit Executive should consider accepting insights on emerging issues gained feed into its proposed consulting engagements based on the Annual Risk Assessment and Annual Work engagement’s potential to improve management of Program development. risks, add value, and improve the organization’s operations. Accepted engagements must be  Entity wide Knowledge sharing: IAD’s Advisory included in the plan. Reviews, enable IAD identify and analyze issues that cut across the different Bank Group entities,  Consistent with the IIA Standard 2010.C1, IAD’s and provide the Board and Senior Management Work Program is designed to include a thematic reviews to leverage best practices and reasonable proportion of advisory reviews. knowledge sharing.  Advisory reviews provide management with  Improved management of risk and operations: guidance on risk and controls and are typically IAD acts as an in-house confidential business focused on new and developing units, processes consultant for Management, which enables and systems. 
Advisory engagements are building trust and candor in Management’s designed to be “preventative” in nature and relationship with IAD, and bringing issues to the assists management in developing appropriate surface early, and allow for timely detection and control frameworks. intervention. Figure 3 below has examples of high-impact advisories which IAD has conducted in FY14, and which have provided fact-based insights to inform Management decision making in executing institutional change initiatives. IAD Advisory Reviews in FY14 Change Objectives Change Objectives Help Clients • Cloud Computing Tackle the • WBG IT Integration Build Most Financial Important • Diagnostic of Jointness among Strength Challenges WBG entities • Disbursement Assurance Framework • Partnership Program Management Cost • Overview of the Bank’s Resource Allocation Process • ORAF • INT Independent Advisory Board Deliver • Safeguards Risk Management Work In Transformative • IFC’s Management of Market Risk Partnership IT in Equity Portfolio IADVP FY14 Annual Report I 30 6. Methodology and Professional Practices Institutional Risk Management Processes IAD participates in an ongoing dialogue with its approach, and helps IAD contribute to the stakeholders to understand emerging risk areas and improvement of WBG’s risk management processes. areas of priority. IAD uses the results of the Specific issues identified during IAD’s audits are institution-wide annual risk assessment and risk scans mapped to relevant WBG risk areas and clusters, to to help inform its risk-based auditing approach. IAD enable aggregation and analysis of risk and control also engages closely with the institutional risk and themes at the institutional level. The linkage of the control units, oversight functions, and the External audit results to the underlying risk dimensions is Auditors (KPMG) throughout the year, both at a reflected in IAD’s Quarterly Results Reports. 
strategic level, and during the course of planning and execution of its Work Program. This ongoing Figure 4 provides a snapshot of the distribution of collaboration is a significant component of IAD’s IAD’s audit results during the period of FY11-FY14 by overall risk assessment the WBG risk areas and clusters. Figure 4: Distribution of IAD’s FY12-FY14 audit results by WBG Risk Taxonomy IADVP FY14 Annual Report I 31 6. Methodology and Professional Practices IAD’s Follow-Up Process During FY14, IAD has continued to strengthen its follow-up process, with the support of the Audit Committee and Senior Management. Specifically, IAD has helped contribute to a culture of accountability, by:  independently validating the robustness of the action plans formulated by management to address the issues identified in IAD’s reviews;  vetting the reasonableness of the implementation timeline established by management for resolution of audit issues;  providing more granular information to Management and Audit Committee on overdue issues. For e.g., presenting information on overdue issues, broken out by WBG entity, to better reflect the responsiveness of individual WBG entities in addressing outstanding issues; and  flagging specific issues for Senior Management and Audit Committee attention, where enough progress has not been made with respect to implementation of agreed actions. IAD’s follow-up process is described in Figure 5 below. 
Figure 5: IAD’s Follow-Up Process 1 Develop action plans 2 Implement action plan 3 Follow-up on action plans 4 Validate action plan completion Report 5 5 overdue actions  Management is  Management  IAD engages  IAD validates the  IAD regularly reports responsible for the implements the closely with completed actions by the status of all development of agreed actions with a management to reviewing the overdue actions, by specific and time- view to achieving follow-up on all evidence provided by WBG entity, to bound action plans timely closure of the the issues as management and by Management and the to address the issues. and when the undertaking Audit Committee. issues identified by implementation additional testing, IAD. of the agreed where necessary, to actions, falls form an independent  IAD works closely due. view on the with management effectiveness of the to validate the completed actions. robustness of the action plans, and the reasonableness of the timeline for implementation. IADVP FY14 Annual Report I 33 6. Methodology and Professional Practices Communication with the Audit Committee and Reporting 2020 – Communication and Approval The Chief Audit Executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and board for review and approval. The Chief Audit Executive must also communicate the impact of resource limitations. Communication with the Audit Committee: IAD has several meaningful touch-points during the year with the Audit Committee. Some examples are provided below. 
IAD’s Annual Risk Assessment and Discussion of relevant engagement reports: The Vice Work Program: IAD’s annual risk President and Auditor General (AG) has meetings with assessment and Work Program the Audit Committee, as needed, to discuss all formulation process is designed to “Unsatisfactory” rated audits as well as specific deliver a body of work that is relevant “Needs Improvement” rated audits that warrant Audit and well aligned with the strategic Committee attention, based on the significance and objectives of the WBG. The Work potential impact of the issues. In addition, the AG also Program document, describes IAD’s has frequent informal discussions with the AC Chair risk assessment principles, coverage of and AC members. high risk areas, linkage with change Discussion of significant policy changes: The Vice priorities, and the consultation President and Auditor General participates in Audit process, to provide a holistic view to Committee discussions involving policy changes the Audit Committee of IAD’s implemented by management that have been approach in developing the Work informed by IAD’s work (e.g., WBG Policy and Program coverage. Procedures framework, and IBRD Corporate Scorecard). IIA Insight: Delivering Value to Stakeholders: “……Insight is an end-product from internal audit’s work and involves ‘connecting the dots’…” IAD’s Annual Report, which is a publicly disclosed document, includes a qualitative commentary on broader risk management, governance and control themes, designed to provide valuable "insights" beyond individual engagement results. These candid, constructive and forward-looking perspectives draw upon the sum total of IAD’s institutional knowledge and understanding of business processes. These perspectives reflect ongoing challenges and emerging priorities that require continued management attention. 
IAD has raised the level of public disclosure by publicly disclosing its Annual Report, and also publishing a quarterly summary of the results of all its engagements in its Quarterly Activities Report. IAD’s Annual Report: IAD’s Annual IAD’s Quarterly Activity Reports: Report summarizes audit results for The Quarterly Activity Report the fiscal year and includes a provides a high level overview of commentary on broader themes. IAD’s quarterly activities and engagement results. IADVP FY14 Annual Report I 34 6. Methodology and Professional Practices Coordination with WBG Oversight Units The mandates of the oversight functions (IAD, IEG, and IIA Standard 2050– INT) are both distinct and complementary to better Coordination inform and strengthen the oversight architecture of the The Chief Audit Executive should share information institution. IAD’s mandate covers risk management, and coordinate activities with other internal and governance and internal controls while IEG and INT external providers of assurance and consulting focus on evaluation of development effectiveness and services to ensure proper coverage and minimize integrity risks of WBG projects. Taken together, they duplication of efforts. better inform and strengthen the oversight architecture of the institution. Coordination of risk coverage with other oversight functions (INT, IEG) is a key tenet of IAD’s risk assessment and Work Program delivery process. The objective is to engage in both upstream and downstream collaboration to optimize risk coverage, reduce potential for overlap, and drive valuable insights for the organization. Input to Risk Assessment Considerable progress has been made in moving away from an informal and ad-hoc collaboration to a more disciplined and systematic approach, both in terms of better coordination and exchange of relevant operational information for IAD’s annual risk assessment and Work Program formulation. 
In FY14, IAD built on the practice of sharing and discussing its Work Program proposals at an early stage of IAD’s Work Program formulation exercise to maximize leverage. Improved collaboration IAD has pro-actively engaged with IEG and INT in the course of its engagements to utilize their existing bodies of work, and/or technical expertise. In FY14 this was achieved through: Ongoing meetings and collaboration at the engagement level as required, to share information across Work Program areas. Knowledge sharing In FY14 this was achieved through: Quarterly meetings of the Principals of IAD, IEG and INT (and Principals of Accountability Units - IPN and CAO) to discuss common issues of strategic importance; IAD also reviews all Final Investigation Reports (FIR) from INT and analyzes control themes to inform its own continuous risk assessment. Benchmarking and Sharing Best Practices IAD routinely benchmarks its processes and methodologies with leading practices, and shares best practices with other MDBs and peer groups. IAD participates in a number of global internal audit best practice studies, including those conducted by the Institute of Internal Auditors (IIA) - the Chief Audit Executive (CAE) Roundtable Survey and the Global Audit Information Network (GAIN) benchmarking study. IAD also participates in peer group discussions with the Audit Director Roundtable (ADR) of the Corporate Executive Board (CEB) and the Representatives of the Internal Audit Services of the United Nations Organizations and Multilateral Financial Institutions (UN RIAS). IADVP FY14 Annual Report I 35 6. Methodology and Professional Practices Organizational Independence IIA Standards on Organizational Independence (Standard IIA Standard 1110 – 1110) requires that the Chief Audit Executive must Organizational confirm to the Board, at least annually, the Independence organizational independence of the internal audit The Chief Audit Executive must report to a level activity. 
within the organization that allows the internal audit activity to fulfill its responsibilities. The Chief Audit IAD reports to the President and is under the oversight Executive must confirm to the Board, at least of the Audit Committee, acting on behalf of the Board. annually, the organizational independence of the The Audit Committee is responsible for the review of internal audit activity. IAD’s Terms of Reference, Annual Work Program and the results of IAD’s work. In addition, the Vice President and Auditor General has free and unrestricted access to the This reporting relationship has permitted appropriate Board through the Audit Committee. organizational independence for IAD to fulfill its professional responsibilities. Staffing and Budget IAD continued to leverage internal efficiency gains to fully deliver its FY14 Work Program, within a flat budget envelope of $11 million. In line with the institutional ‘One World Bank Group’ theme, to achieve greater efficiency, and eliminate working in silos, during FY14, IAD strengthened its delivery model to provide for greater fungibility and internal mobility of staff across functional areas. Consistent with leading practices and the approach followed in prior years, IAD leveraged external subject matter expertise for highly technical IT and business areas. IADVP FY14 Annual Report I 36 7. Appendix A FY14 Work Program Overview 7. Appendix A: FY14 Work Program Overview The FY14 Work Program was designed to focus on the most significant risks for the institution, consistent Figure 1: FY14 Work Program Breakdown by with the IIA’s International Standards for the Entity (based on staff days) Professional Practice of Internal Audit (Performance Standard 2010), which requires the Chief Audit Executive to establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals. 
The objective was to provide balanced coverage of core operational WBG processes, corporate and finance areas, and 37% IBRD/IDA information technology. 43% The development of IAD’s FY14 Work Program was undertaken through a comprehensive risk assessment IFC process and extensive consultations with 17% management. IAD’s risk assessment was driven by a MIGA number of qualitative factors such as: (i) linkage to 3% strategic objectives and internal reforms; (ii) pace of change within the area; (iii) extent of fiduciary broader thematic conclusions as well as compare and responsibilities; (iv) complexity of the process; (v) contrast practices across entities. Consequently there potential impact of external events; and, (vi) results has been a reduction in specific coverage of each entity from IAD’s prior reviews and known risk mitigation (IBRD/IDA, IFC, and MIGA), relative to FY13. mechanisms. In determining audit priorities, IAD also took into account areas of focus for the President and the Audit Committee. Appendix C provides a snapshot of IAD’s coverage of key risks in the three-year period FY12 to FY14, mapped to WBG risk taxonomies. Twenty-four engagements were completed during FY14 comprising reviews of key end-to-end business processes, spanning operations, corporate and information technology areas. These included eight Group-wide process reviews, ten IBRD/IDA Figure 2: FY14, FY13, and FY12 Work Program engagements, five IFC specific reviews, and one MIGA Breakdown by Entity (based on staff days) engagement. 100% Appendix B lists all IAD engagement reports issued in 22% FY14. Figure 1 shows the Work Program break-down 80% 38% 37% by World Bank Group entity for FY14, and Figure 2 7% shows the Work Program break-down by World Bank 60% 27% 2% 3% Group entity for the three year period FY12-FY14. 
24% 17% 40% In FY14, relative to the previous years, IAD increased 20% 44% 43% 36% its proportion of Group-wide engagements, to draw 0% FY12 FY13 FY14 WBG MIGA IFC IBRD/IDA IADVP FY14 Annual Report I 39 7. Appendix A: FY14 Work Program Overview The new WBG strategy is designed to reflect a more the ongoing change initiative; (ii) providing unified institution built on the common twin goals assurance on governance and control effectiveness of Ending extreme poverty and Boosting shared for key business areas that are subject to relatively prosperity, while respecting the distinct mandates less significant change; (iii) continuing to closely and strengths of each WBG entity. monitor emerging risks within dynamically evolving areas as part of IAD’s continuous risk monitoring; A major institutional change process is underway to and (iv) providing for bandwidth within the Work drive internal reforms and realign and reposition Program to absorb management requests for the WBG to implement the new strategy. Given the advisory natured engagements during the course of significance of the ongoing change process, IAD’s the year. FY14 risk assessment exercise was underpinned by IAD’s FY14 Work Program remained well aligned to the following additional considerations: (i) focusing these institutional change focus areas. Figure 3 our advisory work primarily on areas where IAD below provides an overview of IAD’s FY14 coverage involvement can add value to the institution and of the WBG Change Agenda components. 
Figure 3: Alignment of IAD’s FY14 WBG Coverage with WBG Change Agenda
WBG goal - Deliver the best development solutions that will help end extreme poverty and boost shared prosperity

• Help clients tackle the most important challenges
  IBRD/IDA: Resource Allocation Process for Project Implementation Support, Management of Legal Risks, Disbursement Assurance Framework (DAF), INT Independent Advisory Board (IAB), Retrospective Review of the Operational Risk Assessment Framework (ORAF) Implementation, Safeguard Risk Management.
  IFC: Environmental and Social Risk Management in Projects, IFC’s Corporate Scorecard.
• Build financial strength
  IBRD/IDA: Management of Fees for Reimbursable Advisory Services (RAS), Management of Ineligible Expenditures of Bank-Funded Projects, Process for Net Income Forecasting.
  IFC: Management of Funding Operations, Management of Market Risk in Equity Portfolio.
  MIGA: Process for Pricing Guarantees.
• Deliver transformative IT
  WBG: Cyber Threat Management and Preparedness, UNIX Server Platform, Internal Network Security.
• Become the Solutions WBG
  WBG: Country Office IT Operations, Data Privacy, Cloud Computing.
• Work in partnership
  IBRD/IDA: Review of Partnership Program Management Cost.
• Enhance KLI
  WBG: Open Data Initiative, Records Management.
• Align leadership, culture and values
  WBG: Diagnostic review of the Jointness, IT Integration.
• Advance talent management
  IFC: Management of Staff Directorships.

The FY14 assurance engagements were rated in accordance with IAD’s ratings framework. IAD actively supported Management’s Change initiatives during FY14, and consequently there was an increase in the overall proportion of advisory engagements as compared to the previous years.

The following engagement level ratings were used for FY14:

• Satisfactory – Internal Audit identified no significant issues related to the design of controls or to the proper functioning of controls as designed. If issues were noted, they were considered minor in nature.
• Needs improvement – Internal Audit identified issues related to the design of the controls and/or in the functioning of the controls. Although none of these issues, either individually or in the aggregate, indicate significant weaknesses, management should address these issues in a timely manner to further strengthen the system of controls.
• Unsatisfactory – Internal Audit identified issues that indicate significant weaknesses in the design and/or operating effectiveness of controls. Management should take immediate action to establish a satisfactory system of controls.

Summaries of engagement outcomes were included in the quarterly reports provided to the President and to the Audit Committee. Full audit reports for assurance engagements rated “Unsatisfactory” were systematically circulated to the President and to the Audit Committee for discussion.

Figure 4: FY14 Engagement Ratings by Entity
  WBG (8 engagements): Satisfactory 3 | Needs Improvement 3 | Unsatisfactory 0 | Unrated (Advisory) 2
  IBRD/IDA (10 engagements): Satisfactory 2 | Needs Improvement 2 | Unsatisfactory 0 | Unrated (Advisory) 6
  IFC (5 engagements): Satisfactory 2 | Needs Improvement 2 | Unsatisfactory 0 | Unrated (Advisory/Memo) 1
  MIGA and ICSID (1 engagement): Satisfactory 1 | Needs Improvement 0 | Unsatisfactory 0 | Unrated (Advisory) 0
  Total: 24 engagements

8. Appendix B: IAD Reports Issued in FY14*

WBG Engagements
No. | Entity | Engagement Title | Report No. | Date Issued
1 | WBG | Audit of the WBG Records Management | WBG FY13-07 | Aug 15, 2013
2 | WBG | Audit of the WBG Open Data Initiative | WBG FY14-01 | Oct 10, 2013
3 | WBG | Review of WBG Information and Technology Solutions Integration – Risk Management | WBG FY14-02 | Dec 4, 2013
4 | WBG | Audit of WBG Internal Network Security | WBG FY14-03 | Feb 25, 2014
5 | WBG | Audit of WBG UNIX Server Platform | WBG FY14-04 | April 4, 2014
6 | WBG | Audit of Cyber Threat Management and Preparedness | WBG FY14-05 | Jun 27, 2014
7 | WBG | Audit of WBG Country Office IT Operations | WBG FY14-06 | Jun 30, 2014
8 | WBG | Review of WBG Cloud Computing | WBG FY14-07 | Jun 30, 2014

IBRD/IDA Engagements

No. | Entity | Engagement Title | Report No. | Date Issued
9 | IBRD/IDA | Overview of the Bank's Resource Allocation Process for Project Implementation Support | Internal Audit Memo | Aug 15, 2013
10 | IBRD/IDA | Audit of the Bank’s Management of Legal Risks | IBRD FY14-01 | Dec 16, 2013
11 | IBRD/IDA | Review of the Disbursement Assurance Framework (DAF) | IBRD FY14-02 | Feb 3, 2014
12 | IBRD/IDA | Audit of the Bank’s Management of Fees for Reimbursable Advisory Services (RAS) | IBRD FY14-03 | Feb 5, 2014
13 | IBRD/IDA | Review of the Bank’s Oversight of the Costs and Expenditures of Partnership Program Management and Administration | IBRD FY14-04 | Apr 10, 2014
14 | IBRD/IDA | Review of Operational Risk Assessment Framework (ORAF) | IBRD FY14-05 | May 28, 2014
15 | IBRD/IDA | Review of the Integrity Vice Presidency INT Independent Advisory Board (IAB) | IBRD FY14-06 | May 30, 2014
16 | IBRD/IDA | Audit of Management of Ineligible Expenditures of Investment Project Financing | IBRD FY14-07 | Jun 28, 2014
17 | IBRD/IDA | Audit of IBRD’s Net Income Projection Process | IBRD FY14-08 | July 10, 2014
18 | IBRD/IDA | Review of the Bank’s Environment and Social Risk Management | IBRD FY14-09 | July 15, 2014

IFC Engagements

No. | Entity | Engagement Title | Report No. | Date Issued
19 | IFC | Audit of IFC's Management of Funding Operations | IFC FY14-01 | Oct 16, 2013
20 | IFC | Audit of Environmental and Social Risk Management in IFC Projects | IFC FY13-09 | Oct 21, 2013
21 | IFC | Audit of IFC's Corporate Scorecard | IFC FY14-02 | Jan 14, 2013
22 | IFC | Audit of IFC’s Nominee Directorship and Fund Committee Membership | IFC FY14-03 | Jun 3, 2014
23 | IFC | Memo on IFC’s Management of Market Risks in Equity Portfolio | Internal Audit Memo | Jun 5, 2014

MIGA Engagements

No. | Entity | Engagement Title | Report No. | Date Issued
24 | MIGA | Audit of MIGA Process for Pricing Guarantees | MIGA FY14-01 | Jan 6, 2014

*As per paragraph 16 (d) of the Bank’s Access to Information Policy, July 1, 2010, audit reports prepared by IAD shall not be publicly disclosed, except its finalized Annual and Quarterly Activity Reports.
9. Appendix C: IAD’s Coverage in FY12-14

Engagements are listed by WBG Risk Taxonomy category and by the fiscal year in which they were covered (FY14, FY13, FY12). Where the flattened source table does not show whether an engagement sat in the FY13 or the FY12 column, it is listed under "FY13 or FY12".

STRATEGIC EFFECTIVENESS

1. Strategy and Planning
   FY14:
   • IT Integration
   FY13:
   • Bank and IFC Corporate Budget Processes
   • Bank Corporate Scorecard
   FY12:
   • Information Management and Technology (IMT) Strategy Implementation
   • Bank Knowledge Portfolio Management

2. Corporate Governance, Accountability, and Organizational Structure
   FY14:
   • IFC Development Indicators and Corporate Scorecard
   FY13:
   • Management of Integrity Due Diligence in IFC's Projects
   FY12:
   • Management of World Bank Group (WBG) Offshored Corporate and Back Office Functions
   • Quality Assurance Process for Investment Lending Operations in IBRD/IDA
   • IFC’s Risk Management Process for Decentralized Investment Operations
   • Fund Management Operations of IFC Asset Management Company (AMC), LLC

OPERATIONAL EFFICIENCY

3. Operational Areas and Policy Framework
   FY14:
   • Retrospective Review of ORAF Implementation
   • Fee Management of Reimbursable Advisory Services (RAS)
   FY13:
   • Management of Operational Waivers in Bank Projects
   • WBG Management of its Climate Investment Funds (CIF) Activities
   • Management of IFC’s Performance Based Grant Initiative
   FY12:
   • World Bank Group (WBG) Framework for Policies and Procedures
   • Institutional Control Framework for Financial Activities of Country Offices (Bank)
   FY13 or FY12:
   • Management of Climate Change Operations
   • Institutional Framework for Managing Financial Activities in Country Offices (IFC)
   • Bank’s Management of Rapid Response Operations

4. Implementation/Supervision
   FY14:
   • Management of Ineligible Expenditures of Bank-Funded Projects
   FY13:
   • Resource Allocation Process for Projects’ Implementation Support
   FY12:
   • Regional Integration Projects in the Africa Region
   • ICSID's Case Management Process

5. Environment and Social Safeguards
   FY14:
   • Safeguards Risk Management
   FY13 or FY12:
   • Environmental and Social Safeguard Risk Management in IFC and MIGA projects

6. Fraud and Corruption Risks
   FY14:
   • Review of INT Independent Advisory Board (IAB)
   FY13 or FY12:
   • Bank's Operational Framework for using Investigation Results in Bank Funded projects

7. FM, Procurement, and Disbursement
   FY14:
   • Disbursement Assurance Framework
   FY13:
   • Bank’s Fiduciary Monitoring of Bank-Funded Projects Through External Financial Audits
   FY12:
   • Management of Procurement Risk for Bank-Funded Projects

8. Management of External Funds
   FY14:
   • Partnership Program management Costs
   FY13 or FY12:
   • Commitments and Disbursements of Below-the-Line Grant Making Facilities
   • Bank Financial Intermediary Funds (FIFs) Disbursements

9. Human Resources
   FY13 or FY12 (single column in the source; no FY14 HR engagement appears in Appendix B):
   • WBG Staff Financial Assistance Programs
   • Bank HR Systems Renewal Program
   • HRS Global Staff Mobility Processes and Infrastructure
   • HR Integration

10. Information Technology
   FY14:
   • Unix Operating System
   • World Bank Open Data Initiative
   • Country Office IT Operations
   • Cloud Computing
   • Cyber Threat Management and Preparedness
   • Data Privacy
   FY13:
   • Management of Global IT Communications
   • WBG IT Integration
   • Bank and IFC Bank Windows Server Platform
   FY12:
   • World Bank Data Management
   • Bank's Server Virtualization
   • SAP Upgrade Project
   • IFC Data Management
   FY13 or FY12:
   • IFC's Server Virtualization
   • Post-Implementation Review of the MIGA Guarantee System

11. Corporate Areas: (i) Financial Reporting
   FY13:
   • Bank’s Internal Controls over External Financial Reporting
   • Bank's Disclosure Controls and Procedures over External Financial Reporting
   FY12:
   • Bank's Internal Controls over External Financial Reporting
   • Bank's Disclosure Controls and Procedures over External Financial Reporting
   FY13 or FY12:
   • IFC's Internal Controls over External Financial Reporting
   • MIGA's Internal Controls over External Financial Reporting

Corporate Areas: (ii) Other Corporate Areas
   FY14:
   • Bank’s Management of Legal Risks
   FY13:
   • WBG Records Management
   • Selection and Use of Consultants for Operational Purposes by WBG Entities
   FY12:
   • Management of World Bank Group (WBG) Vendors
   • World Bank Group (WBG) Pension Plan Administration
   FY13 or FY12:
   • Loan Accounting Operations
   • World Bank Group (WBG) Pension Plan Investments

12. Security and Business Disruption
   FY14:
   • WBG Internal Network Security
   FY13:
   • Emergency Relocation/Evacuation Process in WBG Country Offices
   • Bank Mobile and IFC Computing
   FY12:
   • World Bank Group (WBG) Business Continuity Management
   • World Bank Group (WBG) Management of Two-Factor Authentication
   • World Bank Group (WBG) Network Perimeter Security

STAKEHOLDER SUPPORT

13. Stakeholder Support
   FY14:
   • Management of IFC Staff Directorships
   FY13 or FY12:
   • World Bank Group (WBG) External Web and Social Media
   • Reserves Advisory and Management Program (RAMP)
   • Portfolio Analytics Tool: Version 2 (PAT II)

FINANCIAL SOUNDNESS

14. Financial Risks
   FY14:
   • Process for Pricing MIGA Guarantees
   • Bank Process for Net Income Forecasting
   • IFC – Management of Market Risks in Equity Portfolio
   • IFC – Management of Funding Operations
   FY13:
   • Bank Capital Markets
   • Management of Finance Systems Renewal
   • IFC Liquid Assets and Cash Management
   • IFC's Loan Collateral Management Processes
   • Counterparty Credit Risk Management
   FY12:
   • Audit of MIGA’s Portfolio Risk Monitoring and Reinsurance Processes
   • IBRD’s Market Risk Management Process
   • IFC’s Process for Credit Risk Management
   • IFC’s Asset and Liability Management Framework
   FY13 or FY12:
   • IFC’s Treasury Valuation Process
   • IFC's Investments in Private Equity Funds
   • IFC's Structured Finance Operation
   • IFC's Profitability Measurement
10. Appendix D: Alignment of IAD’s FY15 WBG Coverage with WBG Change Agenda

WBG Change Agenda Item | IAD’s WBG Coverage

Help clients tackle the most important challenges
• Processes for collection of country level poverty data.
• Identification and monitoring of problem projects in the Bank.
• Bank’s management of financial intermediary lending.
• IFC’s framework for gathering, analyzing and utilizing client information.

Become the Solutions WBG
• Processes for delivering Bank knowledge products.
• Management of IFC’s PPP advisory services projects.

Work in partnership
• WBG processes for donor reporting on operations.
• Risk and controls mapping within the trust fund lifecycle.

Build financial strength
• Capturing, recording and monitoring of costs in Bank systems.
• Expenditure review (ER) work on norming in Bank’s country office operations.
• Use of externally financed outputs in IBRD operations.

Enhance KLI
• Processes for delivering Bank knowledge products.
• Management of PPP advisory services projects.

Deliver transformative IT
• PeopleSoft post-implementation business processes review.
• Cloud computing infrastructure and integration.
• Pre-implementation review of IBRD/IFC Joint Cash Management system.

Align leadership, culture and values
• WBG processes for managing operational risks (risks relating to people, processes and systems – distinct from risk within WBG operations).
• WBG processes for conflict of interest management.
• MIGA integrity due diligence.

Advance talent management
• Specific assurance work in this area has not yet been built into the Work Program, recognizing that the related HR strategic initiatives are underway. IAD will reassess this as part of its continuous risk monitoring.