Group Internal Audit FY20 Annual Report

The World Bank Group comprises five institutions: the International Bank for Reconstruction and Development (IBRD), the International Development Association (IDA), the International Finance Corporation (IFC), the Multilateral Investment Guarantee Agency (MIGA), and the International Centre for Settlement of Investment Disputes (ICSID). In the context of this report, “World Bank Group institutions” refers to IBRD, IDA, IFC, MIGA, and ICSID. “The Bank” refers to IBRD and IDA.

The World Bank Group has two goals: To end extreme poverty and promote shared prosperity in a sustainable way.

CONTENTS

FOREWORD BY THE AUDITOR GENERAL (p. 2)
WORK PROGRAM OVERVIEW (p. 4)
  OUR PRODUCTS (p. 4)
  OUR WORK PROGRAM (p. 5)
FY20 KEY THEMES (p. 6)
WHO WE ARE (p. 13)
  OUR MANDATE (p. 13)
  OUR REPORTING LINES (p. 13)
  OUR VISION AND MISSION (p. 13)
  OUR TEAM (p. 14)
HOW WE DELIVER (p. 16)
  STAKEHOLDER ENGAGEMENT (p. 17)
  DYNAMIC RISK ASSESSMENT AND WORK PROGRAM DEVELOPMENT (p. 18)
  DELIVERING RESULTS TO INFLUENCE POSITIVE CHANGE (p. 19)
APPENDIX: FY20 ENGAGEMENTS (p. 20)

FOREWORD BY THE AUDITOR GENERAL

When I wrote the Foreword to last year’s Annual Report – one year after having joined the World Bank Group – I described a changing environment as the institution moved forward with its ambitious development program. But while I expected FY20 to be a year of change, I did not envisage the profound transformation that would take place across the world due to the COVID-19 pandemic. This has resulted in unprecedented challenges and risks to the Group Internal Audit (GIA) and our clients – and the need for GIA to respond and adapt quickly to meet new and urgent needs and support the Bank Group’s critical mission.

GIA started FY20 with a clear mandate and vision, a robust work program, and well-defined goals focused on improving our delivery model. Despite the recent challenges of working from home during the pandemic, GIA staff delivered a comprehensive work program of high-impact and high-priority engagements covering corporate processes, information technology, finance, strategy, and development operations. GIA’s work across these engagements helped improve processes and procedures as well as strategic thinking regarding key institutional priorities, and ultimately GIA’s impact with our clients.

I am proud that GIA achieved the following – and more – during FY20:

• We restructured our unit to strengthen our expertise, focus, and efficiency. We onboarded new managers, formed new engagement delivery teams, and established a new group focusing on bringing innovative, technical, and creative ways of working to GIA.
• We continued to build deeper partnerships and coordination with Senior Management, including the risk management and governance functions, as well as the Audit Committee and Board of Directors, strengthening our ability to understand and advise on key risks.
• We increased our outreach, dialogue, and engagement with all stakeholders to further clarify GIA’s mandate, role, and value to the institution.
• These stronger relationships and collaboration also resulted in a stronger risk assessment process, helping GIA develop a more holistic view of risk management, controls, and governance across the Bank Group.
• We adopted more agile internal processes and offered deeper analysis to our clients by increasing usage of new technologies and tools, which also allowed us to keep our productivity high during the working from home period.

While these achievements are significant and have taken GIA to a higher level of service and professionalism, we must now adapt to a new, uncertain, and rapidly shifting risk landscape. The needs and priorities of the Bank Group’s clients have increased and changed, and the organization is responding with tremendous urgency. Given this, risks are evolving and sometimes heightened, and the timely assurance, advice, and insight that GIA provides is even more critical. Our core mandate, however, remains the same – to provide an independent view on whether processes for managing risks, and overall governance of these processes, are adequately designed and functioning effectively. GIA plays a key role in supporting the World Bank Group to be as effective as possible and in maintaining strong controls and governance. Going forward, I see this role as providing increased value to the institution.

In this new environment, what do I intend to focus on for GIA in the coming fiscal year?

• Further revise GIA’s audit methodology and internal processes, to find new efficiencies and tools so that we can be more nimble and responsive, and add more value to our engagements.
• Continue to deepen collaboration across the Bank Group to ultimately provide senior management and the Board a holistic and comprehensive picture of key risks across the Bank Group, who owns them, and how robustly they are managed.
• Identify ways for GIA to be involved and integrated earlier in discussions about strategy and priorities, so that our advice is forward-looking, timely, and helps inform management’s decision making.
• Expand our service delivery products to provide more real-time insight, advice, and foresight.
• Equip our staff with new skills and training, to increase their business knowledge and keep up with the latest industry standards and developments.

This Annual Report gives an overview of GIA’s FY20 work program, with highlights of the key themes and risk areas we have identified through our engagements and dialogue with colleagues, management, and the Board. The report offers high-level advice and recommendations going forward to address the trends we have observed throughout this period.

In what has been an extraordinary and challenging year, I extend my deep appreciation to the World Bank Group’s President and to the Audit Committee for their support, guidance, and trust. I thank also management and colleagues across the organization for their collaboration and assistance throughout the year. And of course, I am grateful to the staff of GIA for their commitment to delivering on our program, despite difficult circumstances. I look forward to continuing our work together, to taking GIA to the next level of professionalism, and further supporting the goals of the World Bank Group.
Anke D’Angelo

WORK PROGRAM OVERVIEW

OUR PRODUCTS

GIA provides two services (assurance and advisory) and delivers three engagement products (audits, assurance reviews, and advisory reviews). The selection of product for each engagement is primarily determined by the maturity of the process to be reviewed and the needs of the client.

ASSURANCE

Audits and assurance reviews provide the Audit Committee and management with independent assurance on the risk management, control, and governance processes of the organization:

• Audit: Provides an overall report rating and individual ratings on all issues, and is for mature processes. Issues identified require management action plans that are monitored by GIA up to implementation, and their progress is reported to the Audit Committee.
• Assurance Review: Provides assurance on early implementation of new processes, and input for course correction before processes are fully established. While no overall report rating is provided, issues identified are rated and require management action plans that are monitored by GIA and reported to the Audit Committee.

ADVISORY

Typically for processes in design or early implementation, GIA provides management with nonbinding advice relating to risk management, control, and governance processes. Advisory reviews provide management with recommendations (rather than issues), and only a summary is reported to the Audit Committee.

OUR WORK PROGRAM

GIA’s FY20 work program delivered 19 assurance and advisory engagements, which focused on the most significant risks for the Bank Group institutions. The work program covered core development operations, corporate and administrative areas, and information technology (IT).

[Chart: Engagement Products. Audit 68%, Assurance Review 11%, Advisory 21%]
The list of engagements, plus a summary of key findings, is provided in the appendix “FY20 Engagements.” Given the maturity of business processes across the institution, the GIA FY20 work program provided an adequate mix of audits (68%), assurance reviews (11%), and advisory reviews (21%) that balance GIA’s primary role as a provider of assurance with the delivery of additional consulting services.

A breakdown of these engagements by entity, product, and risk category is presented in the following charts.

[Chart: Risk Categories. Operational Risk, Strategic Risk, Financial Risk, Development Outcome Risk/Business Risk]

[Chart: Entity Breakdown of the 19 engagements. Bank, IFC, MIGA, WBG]

FY20 KEY THEMES

This section provides forward-looking recommendations to Senior Management for future strategy implementation and organizational initiatives that support achievement of the WBG’s goals. The recommendations are built on key observations and trends in the Bank Group’s overall risk management, control, and governance environment. These observations are primarily based on GIA’s work in FY20 through assurance and advisory engagements of business processes and initiatives, monitoring of risks to the WBG, and ongoing dialogue with management and the Board of Directors. The information presented in the Key Themes is neither comprehensive nor exhaustive in content, but rather selective.

Change Management and Implementation of WBG-wide Strategic Initiatives

The successful implementation of WBG-wide strategic initiatives requires continued senior management attention on change management

WBG-wide strategic initiatives are designed to strengthen the quality and effectiveness of the Bank Group’s business and enhance its development impact. WBG effectiveness involves leveraging the unique and competitive advantage of each WBG institution.

During FY20, GIA performed three engagements, focusing on the implementation of key strategic initiatives: (i) Implementation of the WBG Gender Strategy; (ii) Implementation of Cascade Decision-Making Approach as part of Maximizing Finance for Development; and (iii) Implementing the Bank’s Environmental and Social Framework (ESF) Internal Capacity.

In all these engagements, progress in implementation was confirmed with senior management’s continued commitment. The WBG Gender Strategy has been integrated into the Systematic Country Diagnostics (SCDs) and Country Partnership Frameworks (CPFs). Gender has also been cascaded down to operational front-line units with the development of specific action plans and the establishment of focal points, community of practice, training, and a knowledge repository. Collaboration between the Bank and IFC has been strong, particularly for resource mobilization, joint research, and reporting to the Board.

Regarding Cascade Decision-Making, key steps have been taken and a renewed focus established by senior management to support the implementation of the Cascade approach. These include the issuance of guidance, development of case studies and training materials, inter-institutional efforts to promote collaboration, and recent establishment of three Group-level working groups to fully integrate the Cascade approach into WBG Operations.

For the ESF, management has completed the deliverables established as part of the Readiness Indicators, including the development and issuance of the ESF Guidance Notes, the Bank ESF Directive, and Good Practice Notes; as well as templates for Borrowers, Bank staff, and the supporting information system.

As these initiatives shift from a design to implementation phase, management should continue its change management efforts. The implementation of strategic initiatives entails a fundamental shift in staff behavior and how the WBG conducts its operations, which requires time and constant nurturing. The following four points are key lessons learned from the initiatives:

First, senior management focus is essential for effective implementation of strategic initiatives across the WBG. Given the many demands on management, it is important to sustain the focus on new initiatives during their implementation phase by giving those initiatives the necessary senior management prominence. In addition, stable leadership throughout the change process helps deliver consistent messages on the initiatives.

Second, monitoring and oversight can be strengthened by maintaining detailed plans with time-bound and agreed-upon implementation milestones, along with measurable metrics, during the implementation phase.

Third, both the required human resources (staff with the necessary skills and competencies) and the underlying budget need to be assessed and monitored across the various units that are involved in the implementation of the strategy.

Finally, careful consideration needs to be given to incentive mechanisms. While incentives to staff are key for change management, setting effective incentives is not easy. To enhance the overall effectiveness of incentive mechanisms, before launching a new set of incentives it is important to conduct a comprehensive analysis of the existing incentive structure to incorporate lessons learned. Such actions will help to give staff a positive perspective of the initiative and strengthen the likelihood of success. Recognizing the specific roles of staff who facilitate the implementation of change is also crucial and may require definition of a competency framework to strengthen motivation.

In addition, given the current COVID-19 crisis and the need to “reinvent work,” now is a good time for management to take stock and prioritize the various commitments that have been made. This evaluation should include an assessment of the resources, change management capacity, and skills needed to effectively implement initiatives as originally intended.

Supervision of Development Projects

Timely capture of risk information in institutional information systems facilitates monitoring development projects in an increasingly dynamic environment

WBG institutions provide financing and services to low- and middle-income countries and the private sector to support development. Development projects follow the processes and controls laid out in the project cycle, which is the framework used to design, prepare, implement, and supervise projects. The Bank, IFC, and MIGA have monitoring controls in place to manage risks identified during the project preparation and implementation phases. These risks include, among others, fiduciary, environmental and social, and integrity risks, including fraud and corruption. Continuous monitoring of risks in projects by the WBG institutions helps their clients solve issues early on and identify new risks and opportunities. Monitoring of risks is particularly critical for projects in high-risk environments (such as countries experiencing fragility, conflict, and violence) and emergency situations, such as the current COVID-19 pandemic.

During FY20, GIA performed three engagements that assessed controls in project supervision: (i) the Bank’s Management of Procurement Risk in Investment Project Financing (IPF) Projects; (ii) MIGA’s Environmental and Social (E&S) Risk Management; and (iii) IFC’s Integrity Due Diligence (IDD) Process in Operations.

These engagements identified that, compared with extensive analysis and discussion of risks involved in projects during preparation, risk information was not consistently updated in designated information systems during the project implementation phase. In addition, the status of the implementation of risk mitigation measures by clients – which were agreed with the WBG institutions – was not always registered in the information system, although staff supervising the projects generally knew about the conditions of the projects, and risk information is included in other documents. Incomplete or outdated information on risks in the institutional systems and mitigation measures limits management’s ability to analyze projects at the portfolio level efficiently and prioritize attention, resources, and action.

Following these engagements, management is implementing actions by fully integrating requirements for registering risk and mitigation information in the appropriate institutional fiduciary, E&S, and IDD systems. In addition, Bank management is implementing various enhancements in use of the Systematic Operations Risk-Rating Tool (SORT) during the project supervision phase. IFC has also initiated design improvements to its systems such as iPortal to strengthen controls to monitor integrity risks during the supervision phase of the project cycle.

The WBG’s operational response to COVID-19 has been unprecedented, both in scale and speed. Vigilance in project preparation and supervision of implementation is required, and management needs all available tools to identify and address new and emerging risks. The WBG’s existing risk management information systems play a critical role in assisting management with this task by focusing attention on changes in the risk profile of operations, both at the project and portfolio level. Looking ahead, the systematic use of these systems will be more important than ever.

Monitoring Controls

Systematic and ongoing monitoring of controls improves the effectiveness of risk management activities

Monitoring of controls required by internal procedures is essential for effective risk management.

In FY20, the importance of control monitoring was highlighted in two engagements: (i) the WBG’s Management of Safety and Security of Staff in Non-Headquarter Offices; and (ii) the Bank’s Integrity Due Diligence (IDD) process.

On staff safety and security, overall security risk management has improved in the last three years, with systematic evaluation of threats, identification of vulnerabilities, better allocation of resources, centralized procurement of guards and equipment, and an internal quality review of the security management program. However, staff adherence to the security directive, training requirements, and other internal procedures was not consistent due to an unclear accountability for monitoring and enforcement of controls. Unclear accountability limits management’s ability to detect areas where process activities deviate from what is intended or required, posing potential risks to the organization. In response, management plans to update the Framework of Accountability to further clarify roles and responsibilities, with an emphasis on compliance and enforcement obligations and decision levels.

On the Bank’s IDD of third parties, management has recently taken steps to strengthen IDD practices by establishing an IDD Working Group and has started to formalize IDD processes. To move these actions to the next level of maturity, management needs to designate a corporate function that will set minimum standards, harmonize practices, and monitor control activities across business units. In response, management plans to establish clear accountability for IDD from both a business unit and a corporate oversight perspective, based on its own assessment of the IDD risks in various functions.

These, and other engagements in the past, point to a common challenge in the monitoring and enforcement of controls – some functions that set rules and requirements act only in an advisory capacity and do not have an enforcement mandate, which limits their ability to influence behaviors and correct actions, where needed. Strengthening the mandate of these functions to enforce, rather than only advise, is key to improving risk management.

As part of the Global Footprint strategy, the WBG’s business model is becoming increasingly decentralized – moving staff from Headquarters in Washington, DC to be closer to clients in country. As a result, establishing a clear accountability framework for monitoring controls is critical for consistent management of risks in line with institutional standards.

Cybersecurity

The WBG’s focus on cybersecurity needs to be maintained, and even strengthened given the increased risk due to COVID-19

Cyber risk is a constant threat to the WBG and its staff. Like other global organizations, the COVID-19 pandemic has increased the Bank Group’s potential cyber risk exposure, given a remote work environment with accelerated digitalization and rapid expansion of technology solutions. It is likely that the future work environment for the WBG will be a hybrid of office-based and remote work. With that ‘new normal’ in mind, the institution and staff must remain cyber vigilant and constantly adapt to new threats and protections.

Given the inherent high risk, GIA audits different aspects of cyber and information security controls in each annual work program and has noted significant improvements in the WBG cyber security risk management practices in recent years. In FY20, GIA completed several IT audits in areas including Operating Systems Security, Mobile Technology, and IT Risk Management, and assessed the effectiveness of many information security controls and cyber hygiene practices that help improve the overall cybersecurity position of the WBG. Through these audits, GIA also highlighted a few areas that require attention to further improve the control environment. For example, the audit of Mobile Technology and Security Management concluded that the controls are designed and operating effectively, and the mobile device management solution is generally configured to follow the Center for Internet Security (CIS) benchmarks for securing mobile devices. However, areas related to the management of third-party mobile application vulnerabilities and risk management needed management’s attention. GIA also recommended that the phishing exercises conducted to gauge and influence the effectiveness of the cybersecurity awareness campaign could benefit from expanding the scope from personal computer and email-targeted exercises to also include specific tests for mobile devices.

Going forward, and specifically to navigate successfully through the COVID-19 crisis, in an extended remote working arrangement it is essential that the WBG remains attentive to risks related to connectivity and bandwidth, use of unauthorized collaboration tools, access to business applications, and data loss and document security. In that regard, management has established regular cybersecurity communications and education on various security topics to continue to inform and equip WBG users with the knowledge to defend against common cyber threats. The annual mandatory cybersecurity training and phishing exercises are key components of the WBG Information Security Awareness program, which increases staff awareness of the newest schemes to watch out for and provides advice on protecting both staff and the institution. Such guidance, together with senior management’s repeated message on the importance of cyber risk management, has positioned the WBG to better cope with cyber threats. GIA will continue to review key cyber-related controls to provide continued assurance and to further improve risk management in this area.

Externally, the WBG could be affected by increased third-party cyber risks. While the use of cloud services and third-party solutions has helped with the smooth transition to home-based work, it is essential to validate the technology vendor’s control framework. If the WBG’s vendors are also moving their workforce to a remote environment, their control environment must conform to the highest standards if the WBG is to rely on their services going forward. Establishment of the WBG IT vendor risk management program, under the IT risk management function, is a positive step and will be assessed as part of future GIA engagements in the vendor risk management area.

Governance and Project Management for the Implementation of Business Solutions

Non-conventional funding of business solutions requires attention to governance and project management in system implementation

Adopting new business solutions with information technology to enhance capability is crucial for business units to continue meeting changing demands. Implementation of business solutions has been an important area in GIA’s risk coverage. GIA’s assessments over recent years show that the WBG has a long-standing, well-defined governance process for system implementation projects funded through capital budget resources. A review in FY20 of the Investment Administration Project (IAP) brought useful learning on the implementation of a business solution that was not funded through the regular capital investment process.

In this case, the business solution project to replace an existing system was based on the software-as-a-service approach. As the solution did not involve a capital investment process, the implementation was managed outside the well-established IT governance approach. This resulted in implementation challenges including technical understanding of the solution by the business unit, coordination among involved units, resource allocations, and overall project management.

While non-capital business solutions projects may be infrequent, it is still important to establish a robust governance and minimum project management standard applicable to all significant system implementation projects, regardless of the source of funding. As an important step, management recently issued a new WBG Directive requiring all institutions to involve the IT function before procuring IT solutions, irrespective of the funding source. Management also plans to define associated governance procedures, including those related to budget and corporate procurement for business solutions.

GIA’s IAP engagement highlights an important development: given the pace of technological change, business units now have many IT solutions available to them outside the capital budget process, and decisions on whether to adopt non-capital IT solutions are becoming more diversified. This increases the risk that the IT function may not have a complete picture of the WBG’s IT landscape and the business units might not get the solution they envision. Going forward, business units should involve the IT function early in the development of IT solutions and lean on their technical expertise throughout project preparation, development, and implementation, regardless of the source of funding.

WHO WE ARE

OUR MANDATE

GIA is an independent and objective assurance and advisory function that adds value to and improves the operations of the World Bank Group. GIA’s work assesses whether the risk management, control, and governance processes of the Bank Group entities are adequately designed by management and functioning effectively.
Specifically, GIA applies a systematic and disciplined approach to its assessments to provide reasonable assurance that:

• Risks are appropriately identified and managed
• Governance issues impacting the Bank Group are recognized and addressed appropriately
• Significant financial, managerial, and operating information is accurate, reliable, and timely
• Institutional policies and procedures are complied with
• Resources are acquired economically and used efficiently
• Quality and continuous improvement are fostered
• Institutional assets (physical and intellectual), records, and data are safeguarded

OUR REPORTING LINES

The Auditor General reports to the President of the World Bank Group, and is under the oversight of the Audit Committee.

[Organization chart: Board of Governors; Executive Directors; WBG President; Audit Committee; Vice President & Auditor General]

OUR VISION AND MISSION

Our vision is to be the agent of positive change to help the World Bank Group achieve its goals.

Our mission is to protect and enhance the value of the World Bank Group by providing independent, objective, and insightful risk-based assurance and advice.

OUR TEAM

We are a small and diverse team:

[Infographic: 35 staff, 51% female and 49% male; from 27 countries; speaking a total of 35 different languages, with 66% speaking 3 or more; map of GIA staff home countries]

Qualifications

GIA staff are highly skilled, combining internal audit experience, knowledge of the Bank Group, and experience from external organizations to deliver value to clients and stakeholders. As essential partners to our clients, GIA staff bring technical expertise in critical processes, a passion for learning, and a commitment to the Bank Group’s mission.

GIA staff have a range of professional qualifications to enable GIA to fulfill its role, including Certified Internal Auditor (64% of staff); Certified Public Accountant, Chartered Accountant, or similar (61%); Certified Information Systems Auditor (21%); and Certified Fraud Examiner (21%). A significant portion of GIA staff (63%) have worked in other parts of the Bank Group, and almost all staff worked in the private sector before joining the organization.

To complement the strength of the GIA team, we also engage subject matter experts from our co-sourcing partners that currently come from the Big Four consulting firms, as and when needed.

HOW WE DELIVER

GIA’s work is focused on the most significant risks facing the Bank Group, with continuous reviews to align with the Group’s strategic priorities. Our engagements are carried out in accordance with the International Professional Practices Framework of the Institute of Internal Auditors (IIA).

[Diagram: GIA delivery cycle]
1. Stakeholder Engagement
2. Dynamic Risk Assessment and Work Program Development
3. Learning, Innovation, and Knowledge Sharing
4. Coordination and Collaboration with Risk and Other Oversight Functions
5. Delivering Results to Influence Positive Change

STAKEHOLDER ENGAGEMENT

GIA places a high priority on ensuring that its stakeholders across the World Bank Group institutions are familiar with GIA’s mandate and have confidence in GIA’s value proposition. Robust relations with the Audit Committee and management are essential for GIA’s effectiveness as this helps GIA deepen its understanding of institutional strategies and knowledge of the business, and enables GIA to promptly identify and respond to stakeholder concerns and emerging risks.

To further strengthen relations, GIA’s engagement with stakeholders went beyond the collaboration necessary to complete engagements. Depicted below is a snapshot of the additional interaction GIA had with stakeholders in FY20.
[Chart: GIA stakeholder outreach, 265 interactions by stakeholder group: Senior Management 143; Management 38; Board 84]
[Chart: 265 interactions by organization: WBG 121; IBRD/IDA 88; IFC 45; MIGA 10; ICSID 1]

DYNAMIC RISK ASSESSMENT AND WORK PROGRAM DEVELOPMENT

GIA adds the most value by focusing on the key risks to the institution, which requires constant learning about and assessing changes in the external and internal environment in which the organization operates. GIA’s work program is developed based on a dynamic risk assessment process throughout the year, which also considers the institution’s strategic priorities and emerging risks. The COVID-19 pandemic disrupted ‘normal operations’ for the Bank Group. That disruption accelerated change across the Bank Group’s business landscape. Risk assessment must keep pace with the speed of business to remain relevant. GIA has begun adapting. We are pairing the rigor and scope of our current work program development process with an agile-based monthly risk intelligence program. GIA is transforming how it applies knowledge and technology to synthesize the information into the most critical issues that require the Board and management’s attention.
[Figure: Drive Value with an Enabling Environment. GIA Focuses on What Matters Most: Institutional Risks; High-Risk Themes; Assurance, Insight. GIA Adjusts for the Speed of Business.
• Monthly Intelligence Program: identify changes in residual risk at an auditable entity level, potential indicators for emerging risk, and business landscape trends
• Process Rigor + Agile Adaption: of knowledge and technology to accelerate risk assessment that is timely and actionable
• Structured Stakeholder Engagement: a ‘seat at the table’ builds relationships and communicates insight that GIA returns as value-added recommendations
• Quarterly GIA Risk Debrief: to facilitate a rolling 12- and 36-month Work Program review]

DELIVERING RESULTS TO INFLUENCE POSITIVE CHANGE

Management takes action to address weaknesses in governance, risk management, and controls that were raised through GIA’s assurance and advisory engagements. The following are examples of the significant actions management completed in FY20 to strengthen the Bank Group’s risk and control framework.

1. Business Area: Legal Risk Management. Engagement: Bank’s Management of Legal Risks Related to Country Office Administration (FY18). Impact: Management completed its action plan for establishing a systematic process to manage legal risks relating to country office administration. This process includes: identification, assessment, and monitoring of legal risk using key risk indicators supported by legal record management, as well as knowledge sharing and awareness training.

2. Business Area: Data Governance. Engagement: World Bank’s Management of Corporate Data Used in Operations (FY19). Impact: Bank management established the new World Bank Data Governance Body at the senior management level and the Steering Committee with an aim to improve data governance through strategy, policy and culture, and oversight. GIA’s advisory review in FY19 that diagnosed the existing conditions provided insights and triggered a corporate-wide discussion on the need for a better governance model for data.

3. Business Area: Operational Risk Management. Engagement: IFC’s Management of Operational Risks (FY19). Impact: IFC management updated the Operational Risk Management (ORM) framework, which includes delineation of roles and responsibilities using the three lines of defense model; operational risk appetite statements; risk and control self-assessments (RCSAs); specific board reporting requirements; and a clear definition of training requirements.

4. Business Area: Information Security. Engagement: WBG’s Privileged Identity and Access Management (FY19). Impact: Management has developed a Privileged Identity and Access Management (PIAM) strategy and implementation roadmap. The PIAM strategy and implementation roadmap is intended to improve the WBG’s overall PIAM security posture and to further leverage automation in securing and controlling privileged identities.

5. Business Area: Corporate Insurance. Engagement: WBG’s Use of Corporate Insurance in Risk Management (FY20). Impact: Management swiftly moved the corporate insurance function under the Chief Risk Office to integrate it into operational risk management. Oversight for corporate insurance was strengthened with the assignment of the accountability for the function to a Managing Director.

APPENDIX: FY20 ENGAGEMENTS

Each entry below gives the entity and business area, the engagement number and title, and the product type.

WBG: Strategy

1. Implementation of the WBG Gender Strategy (Advisory Review)

The objective of this engagement was to assess the implementation of the World Bank Group Gender Strategy (FY16–23) and provide recommendations to address gaps and weaknesses in the implementation of the Gender Strategy. The engagement reviewed the internal business model and accountability structures, and whether processes for the implementation of the Gender Strategy across the Bank and IFC have been adequately designed.
Good progress has been made in the first half of the implementation of the WBG Gender Strategy. However, management needs to focus on the following recommendations for effective and consistent implementation, especially considering the institutional realignment within the Bank and COVID-19’s effects on gender equality in both the public and private sectors: (i) use existing governance mechanisms to strengthen leadership and provide oversight and support during the implementation phase of the WBG Gender Strategy; (ii) revisit metrics to measure progress against commitments and support timely course correction; (iii) assess resource needs for gender work at the institutional level to support efficient and effective implementation of the WBG Gender Strategy; and (iv) establish a gender competency framework to recognize and provide a career path for gender experts.

WBG: Corporate Processes

2. World Bank Group’s Use of Corporate Insurance in Risk Management (Advisory Review)

The objective was to review the existing governance, risk management, and control activities of the WBG corporate insurance program; identify opportunities for improvement; and provide recommendations, focusing on the following corporate insurance areas: (i) institutional governance framework over corporate insurance decisions including definition and clarity of roles and responsibilities; (ii) process for procuring the insurance broker and renewing of insurance coverages; (iii) process and framework for identifying and monitoring emerging insurable risk; (iv) case management process for determining, monitoring, and reporting on loss events and related claims; (v) process for monitoring insurance activities including analysis of coverage limits and deductibles and re-evaluating their reasonableness; and (vi) process for communicating insurance needs and insurance program changes to management.
GIA’s recommendations covered three themes: (i) Governance Framework: a senior management-level decision maker for corporate insurance should be designated, and the scope of the corporate insurance function should be redefined to make it an institutional corporate insurance risk management function; (ii) Risk Management Process: all the insurable risks in the WBG should be identified and aligned with the respective WBG entity’s risk tolerance, and the use of insurance as a risk response for all forms of insurable risks should be further integrated into existing risk management frameworks; and (iii) Corporate Insurance Process: the corporate insurance program (including coverages, policy limits, deductibles, and premiums) should be re-assessed and validated at least annually, and the frequency of the insurance broker selection cycle should be increased to keep the insurance program, pricing, policy limits, and coverage terms market-current and competitive.

3. WBG’s Global Payments Process (Audit)

The objective of the audit was to assess the governance, design adequacy, and operating effectiveness of the Global Payments process. Specifically, the audit reviewed whether: (i) adequate governance arrangements are in place to manage the Global Payments Program (GPP) (including the roll-out of the second phase of the program) and risk management processes exist to identify, assess, and respond to emerging risks; (ii) management has designed and implemented adequate business processes, IT systems, and related controls to support the GPP, including the identification and management of fraud risks; and (iii) post-implementation reviews are performed to assess whether the GPP achieved its intended objectives, and issues identified from such reviews are addressed. The audit concluded that management has designed and implemented adequate business processes, IT systems, and related controls to support the GPP.
However, the audit identified two issues concerning the design of controls in the program risk management framework and a review of the implementation benefits from the GPP.

WBG: Information Technology

4. WBG’s Server and Operating System Security (Windows) (Audit)

The objective of the audit was to assess the design adequacy and operating effectiveness of controls and processes relating to Windows Server Security. Specifically, the audit sought to provide reasonable assurance that: (i) policies, procedures, standards, roles, and responsibilities are defined and up-to-date to provide adequate guidance for managing and securing WBG Windows servers; (ii) Windows servers are configured adequately to safeguard the confidentiality, integrity, and availability of critical WBG services, applications, and data residing on the servers; and (iii) processes and controls are designed and implemented effectively to identify, mitigate, and report current and emerging security threats, security incidents, configuration deviations, and system availability issues. The audit concluded that, except for one issue relating to configurations, Information and Technology Solutions (ITS) has designed and implemented processes and controls within the Windows environment to provide reasonable assurance that current and emerging security threats, security incidents, configuration deviations, and system availability issues are identified, mitigated, and reported.

5. WBG’s Server and Operating System Security (UNIX) (Audit)

The objective of the audit was to assess the design adequacy and operating effectiveness of controls and processes relating to UNIX operating systems within WBG’s computing environment.
Specifically, the audit sought to provide reasonable assurance that (i) policies, procedures, standards, roles, and responsibilities related to UNIX servers administration are defined and up-to-date to assign accountabilities for managing and securing WBG UNIX servers; (ii) UNIX servers are configured adequately to safeguard the confidentiality, integrity, and availability of critical WBG services, applications, and data residing on the servers; and (iii) processes and controls are designed and implemented effectively to identify, mitigate, and report current and emerging security threats, security incidents, configuration deviations, and system availability issues. The audit concluded that the UNIX-based servers deployed within the WBG’s computing environment generally support the maintenance of the confidentiality, integrity, and availability of WBG’s data and systems; and highlighted two issues that need to be addressed to improve the effectiveness of operating system level security.

6. WBG’s Mobile Technology and Security Management (Audit)

The objective of the audit was to assess the design adequacy and operating effectiveness of processes and controls relating to the management of WBG-provisioned and personal mobile devices, and the supporting technologies deployed in the WBG.
Specifically, the audit aimed to provide reasonable assurance that: (i) mobile computing policies, procedures, and standards are defined and implemented, and risks associated with mobile computing are evaluated and managed, to protect the Bank’s assets; (ii) mobile device security is adequately implemented to protect the confidentiality and integrity of WBG data while stored on a mobile device or during transmission; (iii) controls for provisioning, tracking, monitoring, and deprovisioning of mobile devices are effective, and processes support efficient mobile cost management; and (iv) mobile application deployment and management processes are defined and implemented to protect the security of WBG data. The audit concluded that the controls for the provisioning, tracking, monitoring, and deprovisioning of mobile devices are designed and operating effectively to support effective mobile risk and cost management. However, the audit identified two issues concerning: (i) the detection of third-party mobile application vulnerabilities and (ii) reviews of the process followed by management for mobile security risk acceptance.

7. WBG IT Risk Management (Audit)

The objective of the audit was to provide reasonable assurance that the controls over IT risk management are adequately designed and operating effectively.
Specifically, the audit focused on whether (i) processes to develop and approve the risk governance mechanisms, including setting the risk appetite, policies and procedures, risk taxonomies, and roles and responsibilities for managing IT risk are adequately designed and operating effectively as per an appropriate IT risk management framework; (ii) the IT risk management framework and processes inform the broader institutional risk management frameworks; (iii) risk management processes, including the identification, assessment, response, and monitoring, are operating effectively to manage risk within the defined risk appetite; (iv) risk management program results are reported to relevant stakeholders in a timely and effective manner to enable risk-informed decision making; (v) IT risk and controls data are secure and adequately support accurate, reliable, and timely capturing, monitoring, and reporting of risks; and (vi) adequate job-related training is provided to the ITRM team and information dissemination activities exist to create risk awareness among those taking IT risk acceptance or mitigation decisions. The audit concluded that the controls over the IT risk management framework incorporating IT risk identification, IT risk evaluation, IT risk response, and IT risk reporting and monitoring are adequately designed and operating effectively.

Bank: Development Operations

8. Bank’s Processes for Managing Reimbursable Advisory Services (RAS) (Advisory Review)

The objective of the review was to review the Bank’s processes for managing Reimbursable Advisory Services (RAS) and provide advice on governance, risk management, and controls in the design and delivery of RAS.
Specifically, the review focused on: (i) operational processes for the business development, preparation, resource allocation, execution, and closure of RAS projects; (ii) quality control processes of RAS projects throughout the lifecycle; (iii) costing, pricing, and billing of RAS projects to enable financial sustainability; (iv) review and monitoring of the RAS portfolio; and (v) periodic review and oversight of the RAS framework and processes. GIA identified the need to establish and communicate to all operational levels a clear institutional understanding of the strategic positioning and institutional prioritization of RAS in the context of the range of Bank products and services. Based on this institutional prioritization of RAS, management should then review and strengthen the control elements that would be necessary to drive high-quality RAS engagements in alignment with client needs. The control elements should include: (i) a defined approach for quality assurance for RAS projects; (ii) a systematic mechanism to obtain and respond to client feedback during RAS projects; and (iii) an enhanced risk management framework that covers the entire lifecycle of a RAS project.

9. Bank’s Management of Procurement Risk in Investment Project Financing (IPF) Projects (Audit)

The objective of the audit was to assess the design adequacy and operating effectiveness of controls over the Bank’s management of procurement risk in IPF projects.
Specifically, the audit assessed whether: (i) procurement risks are identified and assessed, and adequate mitigation measures are set up; (ii) borrowers’ implementation of mitigation measures is monitored, and procurement risks are tracked throughout the project lifecycle; (iii) procurement issues raised during supervision or through the complaint mechanism are adequately addressed and managed; (iv) information systems, data, and tools enable the efficient and effective management of procurement risk; (v) portfolio-level monitoring and reporting of procurement risk is systematic and timely for decision making; and (vi) the efficiency and effectiveness of the new procurement framework is periodically assessed, monitored, and reported to senior management and the Board. The audit concluded that procurement risk mitigation measures are established at the project preparation phase and recorded in the project appraisal documents following risk identification and assessment, and procurement risks and emerging issues are discussed with the borrower on an ongoing basis. However, several key controls for procurement risk management across the project lifecycle are not being implemented as designed in the IPF and procurement policy and procedures frameworks. The key controls requiring improvement or consistent application relate to procurement supervision and procurement risk assessment.

10. Bank’s Integrity Due Diligence (IDD) Process (Assurance Review)

The objective of the assurance review was to assess the design adequacy and operating effectiveness of the Bank’s governance structures, processes, and supporting systems to manage integrity risks arising from the Bank’s engagement with nongovernmental institutions or persons.
Specifically, the review focused on whether: (i) governance and oversight mechanisms are in place and a framework to address integrity risks has been established and coordinated with the other WBG entities; (ii) adequate procedures have been designed to identify the external institutions or persons required to be screened and to perform IDD to identify, assess, and address associated integrity risks; and (iii) mechanisms to effectively monitor, escalate, and report integrity risks on an ongoing basis are established and adequately supported by information systems. The assurance review concluded that management has recently taken steps to strengthen IDD practices in the Bank and has started to formalize IDD processes. However, governance, IDD coverage, and monitoring of the IDD screening system need strengthening in line with the Bank’s low risk appetite for IDD concerns.

Bank: Corporate Processes

11. EBC’s Investigatory Process and Procedures (Advisory Review)

The objective of the advisory review was to provide advice and recommendations to the Ethics and Business Conduct Department (EBC) to support management’s efforts to enhance the investigatory process. The review assessed the effectiveness and efficiency of: (i) the intake process for receiving and evaluating allegations of misconduct; (ii) the decision-making framework for managing the investigatory processes; (iii) timeliness of the investigatory processes; (iv) systems and tools that support tracking, analysis, confidentiality, and timely reporting on the investigatory processes; and (v) the feedback loop for monitoring and reporting on the outcomes of cases and leveraging lessons learned. The advisory review concluded that the investigatory process is well defined and supported by policies, procedures, and systems. However, controls can be improved to enable systematic and consistent implementation of the procedures.
GIA made recommendations to: (i) strengthen the investigatory process, including by improving processing and tracking at intake; (ii) enhance the case management system by strengthening controls; and (iii) improve the feedback loop for the investigatory process by enhancing the capturing and sharing of lessons learned.

12. Bank’s Progress on the Implementation of the Knowledge Management Action Plan (KMAP) (Audit)

The objective of the audit was to provide an independent validation of the implementation status of the Bank’s Knowledge Management Action Plan (KMAP). Specifically, the audit assessed whether: (i) the implementation of the KMAP is on track to achieve the intended objectives, including root cause analysis for delayed or stalled action items; and (ii) progress toward the implementation of the KMAP is measured, monitored, and reported to senior management for early course correction. The audit covered Phase 1 of the implementation of the KMAP, consisting of 16 action items. The audit concluded that a comprehensive KMAP has been designed and committed to by management, but essential elements for its timely implementation are either not yet in place or are not operating effectively. As a result, its implementation is not progressing at the intended pace and the Bank may not achieve the intended KMAP objectives. These essential elements relate to (i) the institutional arrangements for the timely implementation of the KMAP, including executive sponsorship, a governance structure, an institution-wide KM strategy, and more widespread collaboration with operations; and (ii) program management controls over the implementation of the KMAP such as the identification, escalation, and remediation of roadblocks.

13. Bank’s Investment Administration Project (IAP) (Assurance Review)

The objective of the assurance review was to assess the design adequacy and operating effectiveness of governance, risk management, and controls relating to the Investment Administration Project (IAP). Specifically, the review sought to provide reasonable assurance on whether: (i) business objectives and requirements were clearly defined to deliver anticipated benefits and value to the business; (ii) project approval, initiation, and planning processes were effective to facilitate delivery of the anticipated outcomes; (iii) governance and oversight arrangements in place over the project, including cross-functional collaboration and stakeholder involvement, were appropriate and commensurate with the IAP’s magnitude and risk profile; and (iv) project management processes and monitoring activities were established to enable effective delivery of the solution. The assurance review concluded that some steps required in the planning and initiation phases of a project of the size and nature of the IAP had not taken place. These gaps related to the sufficiency of the business case and the decision to proceed, evaluation of the implementation approach and level of effort required, project governance and management, and stakeholders’ expected roles and responsibilities.

Bank: Finance

14. Implementation of IBRD’s Loan Pricing (Audit)

The objective of the audit was to assess the design adequacy and operating effectiveness of the loan pricing processes of the International Bank for Reconstruction and Development (IBRD).
Specifically, the audit assessed whether: (i) the current IBRD loan pricing framework, including the IBRD pricing measures in the 2018 Capital Package, is being applied appropriately and consistently to all applicable IBRD Flexible Loans (IFLs); (ii) processes to recover IBRD’s funding costs are in place and are effective; (iii) the process to track and report the incremental revenue generated from the 2018 price increase is in place and is effective; and (iv) systems supporting the implementation of IBRD loan pricing are adequately secure and loan pricing data is accurate and complete. The audit concluded that the processes and internal controls for the implementation of IBRD’s loan pricing are effective and operating as designed. Factors contributing to the effective control environment over the implementation of IBRD’s loan pricing are: (i) IBRD’s loan pricing systems have been updated to accurately reflect the new pricing measures introduced in the 2018 Capital Increase package; (ii) a two-step approval process has been implemented to input and update loan pricing components, with appropriate segregation of duties; (iii) effective processes are in place to recover IBRD’s funding costs for both fixed spread and variable spread loans; and (iv) World Bank Group Finance and Accounting effectively tracks and reports the incremental revenue generated from the 2018 price increase. As a forward-looking consideration, GIA recommended that management should consider moving to a one-pool funding model, as the existing multi-debt pool model, which distinguishes debt funding for different loan products and liquidity, involves significant manual intervention and is prone to operational risks.

15. Reserves Advisory and Management Program (RAMP) (Audit)

The objective of the audit was to assess the design adequacy and operating effectiveness of controls and processes relating to the management and oversight of the Reserves Advisory and Management Program (RAMP).
Specifically, the audit assessed the adequacy and effectiveness of: (i) processes that facilitate the achievement of the primary objective of RAMP (to build clients’ asset management capacity) including client selection and ongoing engagement, collaboration with Bank operations, and monitoring and reporting on development outcomes; (ii) processes to track and recover RAMP costs; and (iii) processes to safeguard against potential conflicts of interest between Treasury’s responsibility in managing the Bank’s liquid asset portfolio and its role in managing RAMP clients’ investment assets. The audit concluded that Treasury has designed and implemented processes and controls around RAMP to provide reasonable assurance that the Bank’s primary objective for RAMP is being achieved, including processes to track and recover RAMP costs and to safeguard against potential conflicts of interest. The following factors contribute to the effective control environment: (i) processes that facilitate the achievement of the Bank’s primary objective for RAMP are working effectively; (ii) a cost-recovery model has been implemented so that RAMP can effectively serve clients without requiring financial support from the Bank; and (iii) conflict of interest and adherence to investment management agreements are managed through employee education surrounding ethical standards and trading rules.

IFC: Corporate Processes

16. IFC’s Knowledge Management Approach (Audit)

The objective of the audit was to evaluate the knowledge management (KM) approach that supports IFC operations across both the investment and advisory project lifecycles.
The engagement specifically reviewed whether: (i) a systematic KM plan and structure that supports IFC operations is in place and is measured against set objectives; (ii) knowledge sharing is promoted through clear accountabilities, role modeling, effective performance management, and adequate incentives; and (iii) KM processes and tools effectively, sustainably, and securely enable the exchange of knowledge, including information acquisition, curation, dissemination, and findability. The audit concluded that the changes being brought about by the IFC 3.0 Strategy require a more deliberate management of knowledge than in the past. The key components necessary for establishing, implementing, maintaining, reviewing, and improving an effective KM program are either not in place or not well defined. This may affect IFC’s ability to improve project quality through the sustainable sharing of practices, expertise, and lessons learned. In addition, the KM technology, tools, and systems being developed do not yet enable an efficient cross-unit flow of knowledge at IFC. This makes retrieval of knowledge across the various information repositories a time-consuming activity and relevant accumulated knowledge may not be systematically disseminated to investment and advisory staff during the project lifecycle.

17. IFC’s Management of Legal Risk (Audit)

The objective of the audit was to review management’s design and implementation of processes to manage legal risks, and specifically to determine whether IFC: (i) identifies legal risks on an ongoing basis; (ii) assesses, monitors, and mitigates the legal risks associated with IFC’s contractual obligations to its clients and stakeholders; (iii) selects, assigns, and oversees internal and external legal resources based on the level of legal risk; (iv) utilizes suitable systems and tools to support the legal risk management processes; and (v) implements periodic reviews of the legal risk management processes, including risk reporting, with a focus on efficiency, effectiveness, and continuous improvement. The audit concluded that the processes and internal controls for IFC’s management of legal risks are effective and operating as designed. The factors contributing to the effective control environment include: (i) at the corporate level, IFC has processes to discuss and identify legal risks on an ongoing basis in key corporate leadership and management committees; (ii) legal counsels are an integral part of the project teams and are involved from the early stages of project preparation and throughout its lifecycle; (iii) an adequate number of legal counsels with valuable expertise and experience are hired at a senior level; and (iv) the legal clearances at key project milestones, as mandated by the policies and procedures framework, are hardwired in iPortal’s project workflow.

18. IFC’s Internal Control over Financial Reporting (ICFR) (Audit)

The objective of the audit was to provide reasonable assurance that IFC’s ICFR program is effective and efficient.
Specifically, the audit evaluated whether: (i) processes, information systems, and risks related to financial reporting are identified, assessed, and monitored to effectively support the identification of key controls; (ii) key controls (including entity level and IT controls) are adequately identified, documented, tested, and regularly reviewed and updated to cater for changes in the operating environment (such as organizational changes, changes to accounting standards); and (iii) ICFR results are adequately communicated and timely action is taken to remediate identified control weaknesses. The audit concluded that IFC’s ICFR program is fulfilling its objective of providing management with a reasonable basis for its annual assertion of the effectiveness of ICFR. However, the audit identified three issues relating to: (i) inconsistencies in the ICFR process, risk, and control inventory; (ii) the updating of program standards for reviews of ICFR control testing results and testing of controls; and (iii) the outdated documentation of core components of the framework.

MIGA: Development Operations

19. MIGA’s Environmental and Social (E&S) Risk Management (Audit)

The objective of the audit was to assess the design adequacy and operating effectiveness of the processes for due diligence and monitoring of Environmental and Social (E&S) risks during the lifecycle of projects and activities supported by MIGA.
Specifically, the audit focused on whether: (i) governance and oversight mechanisms such as policies, procedures and guidelines, roles and responsibilities, and reporting arrangements are adequately designed to manage the E&S risks of the projects and activities supported by MIGA; (ii) key controls are operating effectively to assess E&S risks, prepare mitigation measures in project preparation, comply with public disclosure requirements, monitor risks after the issuance of the guarantee (including clients’ conformance with E&S covenants), and oversight of third parties contracted by MIGA to perform E&S due diligence and monitoring; and (iii) systems and controls are in place to support the completeness, accuracy, and validity of data and information used for the management of E&S risks. The audit concluded that MIGA has developed E&S review procedures for project due diligence, execution, disclosure, and monitoring, and introduced an E&S Review Documentation system to support its E&S processes. However, the audit identified three issues relating to: (i) clarification of the terms governing risk management of joint projects with IFC and the Bank; (ii) consistent monitoring of the portfolio of Environment and Social Action Plans; and (iii) the availability of E&S project information on MIGA’s website.

In addition to the above 19 engagement reports issued in FY20, four engagements, which were at the draft reporting stage at the end of the fiscal year and completed shortly thereafter in FY21 Q1, are also referenced in the Key Themes. A summary of each of the four engagements is provided below.

WBG: Strategy

1. Implementation of the Cascade Decision-Making Approach as part of Maximizing Finance for Development (Assurance Review)

The objective of the assurance review was to assess the progress made by management in the early stages of implementation of the Cascade approach.
The review focused on whether management has provided strategic direction, incentivized staff, developed processes to incorporate the Cascade approach within operations, and is monitoring and reporting on the progress of implementation. GIA acknowledged that the implementation of the Cascade approach entails a fundamental shift in staff behavior and the way the WBG conducts its operations, which takes time and requires constant nurturing and management focus. In the early years of implementation, key steps have been taken and a renewed focus has been established by senior management to support the implementation of the Cascade approach. The key steps include development of relevant guidance and communication materials; inter- institutional efforts to promote collaboration; and establishment of three Bank-IFC VP-level working groups. However, the current efforts and institutional arrangements need strengthening to effectively implement the Cascade approach across WBG institutions. Specifically, three issues need management attention: (i) although certain initiatives are in place to incentivize staff, these have not been effective in motivating staff to adopt the Cascade approach; (ii) although the guidance and initiatives taken by management have created an enabling environment, a systematic and consistent process is needed to incorporate the Cascade approach within operations; and (iii) the adoption of the Cascade approach will benefit from systematic monitoring and review using measurable metrics across WBG institutions to harness lessons learned. Appendix: FY20 Appendix: Fy20 Engagements 29 WBG Corporate Processes 2. 
Management of Safety and Security of Staff Audit in Non-Headquarter Offices The objective of the audit was to evaluate whether governance, risk management, and control activities provide reasonable assurance that risks to the safety and security of staff working on WBG business at Non-HQ Offices are managed effectively as per the ‘Operational Security Duty of Care’ and WBG staff and premises are adequately protected. Specifically, the audit assessed whether: (i) the overall framework for managing staff safety and security at Non-HQ Offices including policies, procedures, guidelines, organizational accountability, roles, and responsibilities are defined, understood, and effectively implemented; (ii) processes, systems, and controls to identify threats and manage risks to safety and security of staff at Non-HQ Offices are operating effectively; and (iii) key security resources including guard forces and security equipment are procured and managed effectively, as per WBG policies. The audit concluded that processes to support the Heads of Offices in discharging their security-related obligations are established, and several good practices for security risk management in Non-HQ Offices exist. Specifically, processes are in place to evaluate threats, identify vulnerabilities, and allocate resources to address risks in Non-HQ Offices. However, GIA identified issues that require management’s attention. Those are: (i) accountability, decision making, and enforcement of WBG security management practices; (ii) institutional security oversight; (iii) security risk assessment and countermeasures implementation; (iv) compliance with field mission protocols; (v) the security focal point role, scope of duties, and incentives; (vi) compliance with mandatory security training; and (vii) security training coverage and offerings. Bank Development Operations 3. 
Bank’s Environmental and Social Framework (ESF) Audit Internal Capacity The audit evaluated whether the key elements of the Bank’s internal ccapacity to launch and implement the Environmental and Social Framework (ESF) had been adequately designed and were operating as intended. Specifically, the audit covered (i) policies and procedures; (ii) training and accreditation programs; (iii) relevant systems and tools; (iv) the process to share good practices between the Bank and IFC; and (v) change management activities, such as internal communication and arrangements to monitor implementation progress, capture feedback and lessons, and implement course correction. Management has made significant progress with the preparation, launch, and embedding of the ESF. Specifically, management has completed the deliverables established under the Readiness Indicators, including the development and issuance of the ESF Guidance Notes, the Bank ESF Directive, Good Practice Notes, as well as templates for borrowers and Bank staff and the supporting system. As the ESF’s embedding and operationalization are ongoing, sustained change management remains critical 30 Group Internal Audit FY20 Annual Report Bank to promote the cultural and behavioral changes among staff and managers and the shift to the judgement-based treatment of E&S risks. In this regard, GIA identified the need for (i) sustaining change management efforts and (ii) strengthening the training and accreditation of staff assigned to ESF projects. IFC Development Operations 4. Integrity Due Diligence (IDD) Process in IFC Operations Audit The objective of this audit was to assess the design adequacy and operating effectiveness of risk management, controls, and governance over the Integrity Due Diligence (IDD) process in IFC operations, including investment operations and advisory services. 
Specifically, the audit covered (i) governance and oversight arrangements; (ii) the process for identification, assessment, and mitigation of integrity risks; (iii) alignment of IDD Programs with IFC’s Corporate Strategy, including its enablers such as resources, information systems, and underlying data; and (iv) monitoring of risks in the portfolio and reporting to Senior Management and the Board. The audit concluded that IFC’s IDD process is adequately designed as governance and oversight mechanisms are well established; the process for identification and assessment of integrity risks, along with roles and responsibilities, is clearly defined; business units are supported by the Business Risk and Compliance (CBR) unit in the assessment and ongoing screening of integrity risks; and periodic reporting to IFC’s senior management by CBR is in place. However, the operating effectiveness of the IDD process needs to be strengthened through improvements in: (i) the monitoring of integrity risks during project supervision; (ii) the IDD approach for its operations in countries experiencing fragility, conflict, and violence (FCV); and (iii) controls over the IDD screening system. Appendix: FY20 Appendix: Fy20 Engagements 31 CONTACT US +1 (202) 458-7258 www.worldbank.org/internalaudit Group Internal Audit The World Bank Group 1818 H Street NW Room G 4-401 Washington, DC 20433 United States