Internal Audit Vice Presidency (IADVP)
FY13 Second Quarter Activity Report
January 25, 2013

Table of Contents

1. Summary of Key Engagement Outcomes
2. Budget Update
3. Annex 1: List of Engagements in the FY13 Q2 Activity Report

The Internal Audit Vice Presidency (IAD) is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of the WBG organizations. It assists the WBG in accomplishing its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of the organization's risk management, control and governance processes.

The purpose of this report is to provide a high-level overview of IAD activities in the quarter to Senior Management and the Audit Committee. This Quarterly Activity Report is also publicly disclosed under the Bank's Access to Information Policy.

1. Summary of Key Engagement Outcomes

Eight audits and two advisory reviews were finalized during the quarter. These included two World Bank Group (WBG) advisory reviews, four International Bank for Reconstruction and Development/International Development Association (IBRD/IDA) audits, and four International Finance Corporation (IFC) audits.

    IAD conducted audits of the Windows server platform and mobile computing in parallel, for both the Bank and IFC.

1. IAD's audit of the Bank Windows Server Platform covered Windows servers at the Bank, focusing on the processes to manage, secure, and monitor these servers. Although management has implemented a number of robust controls to secure the Windows server environment, weaknesses exist in the understanding of roles and responsibilities, security configurations, change management, and oversight and monitoring. Unclear roles and responsibilities for managing a specific domain have led to inconsistencies in adherence to security policies and standards, as well as additional overhead. To mitigate the risks identified by IAD during the audit, Information Management and Technology (IMT) (i) is transitioning all responsibilities for managing the domain to IMT; (ii) is conducting a forensic analysis of the affected servers to ensure that they were not compromised; and (iii) has published a new configuration standard for Windows servers.

    Differences exist between the Bank and IFC in the understanding of roles and responsibilities, security configurations, change management, and the oversight and monitoring of the processes to manage, secure, and monitor the Windows server platforms.

2. IAD's audit of the IFC Windows Server Platform evaluated IFC Windows servers, focusing on the processes to manage, secure, and monitor these servers. Controls over Windows servers are designed and operating effectively. In particular, policies and standards have been implemented to manage and secure Windows servers in accordance with leading security practices. Although no major issues were identified, IAD noted that IFC currently does not have an automated process to report server inventory changes. In response to the audit, Corporate Business Technologies (CBT) will implement a process to reconcile the list of servers.

3. IAD's audit of IFC's Mobile Computing evaluated processes for managing, securing and controlling the mobile devices connecting to the IFC network or containing IFC data. While IFC rules for Personal Productivity Devices (PPDs) provide sufficient guidance for the Apple iOS platform, they do not provide similar policy guidance for BlackBerry devices. The lack of WBG Information Security Standards (ISS) for Mobile Devices has resulted in inconsistent security configurations for IFC BlackBerry and Apple iOS devices. In addition, while a process to manage mobile communication costs is in place, inconsistent compliance with the monitoring process, and the absence of a mobile usage pattern analysis to guide users towards more cost-effective alternatives, have resulted in high charges being billed for extended periods of time across several IFC units. To mitigate the risks identified by IAD, IMT together with IFC's Corporate Business Technology (CBT) has finalized the WBG ISS and communicated them to all stakeholders. CBT has also agreed to update the existing PPD rules to include guidance for BlackBerry devices, and the interim mobile guidelines will be revised to emphasize cost reduction and monitoring approaches.

    Currently the Bank and IFC have distinct mobile computing policies and rules, different Mobile Device Management (MDM) solutions, and separate provisioning and help desk functions.

4. IAD's audit of the Bank's Mobile Computing evaluated processes for managing, securing and controlling the mobile devices connecting to the Bank network or containing Bank data. Mobile computing policies and relevant procedures are defined and implemented to assure protection of the Bank's assets and to provide sufficient guidance to users. Processes exist to evaluate and appropriately manage risks associated with mobile computing, and mobile device provisioning and tracking processes are also operating effectively.

5. IAD's audit of the Bank's Management of Rapid Response Operations evaluated the application of relevant Bank policies to individual projects, project preparation and supervision, and management's oversight of rapid response operations at corporate and regional levels. The Regions review the streamlined preparation process for Rapid Response projects, OPCS confirms the review, and management actively monitors the implementation of the projects. In response to the audit, management is working with INT to improve documentation for tracking risks by incorporating risk assessments into Implementation Status and Results Reports (ISRs), and by making it mandatory to update the Operational Risk Assessment Framework (ORAF) in ISRs.

    Opportunities exist for more effective monitoring of risks in the Bank's rapid response operations.

6. The audit of Financial Intermediary Funds (FIFs) Disbursements reviewed the adequacy and effectiveness of the governance structure, risk management, and controls over data quality and accuracy of FIFs. Current automated and manual controls are effective in ensuring data quality and accuracy; disbursements authorized by the FIFs' governing bodies are processed accurately; cash transfer limits are enforced; and IT general and application controls are in place.

    There is an effective governance structure and risk management framework over the FIF commitment and disbursement processes.

7. The audit of IFC's Liquid Asset and Cash Management reviewed the design and implementation of controls within IFC's liquid asset and cash management. Strong governance exists over the process, and there are clearly defined roles and responsibilities, effective policies and procedures, and sufficient management oversight of portfolio performance, asset allocations, and exposures. IFC has a clearly defined strategy which guides trading activities, sufficient segregation of duties, and strong controls over trading activities.

    Strong governance exists over the process of IFC's liquid asset and cash management.

8. IAD's review of IFC's Institutional Framework for Managing Financial Activities in Country Offices highlighted that controls over the management of IFC country office financial activities exist at the institutional, regional and country office levels. The institutional control activities are provided to IFC by the Bank Controller's (CTR) and were reviewed in a previous Bank audit. IAD identified the following opportunities for improvement in its review of the design of the regional and country-level controls over the management of IFC country office financial activities: (i) develop a methodology for on-site country office reviews and a monitoring program for the implementation of corrective actions on issues identified by the reviews; (ii) review and monitor training needs for country office based accounting and finance staff, and country heads; and (iii) identify and disseminate institution-wide best practices in management and oversight of country offices.

    Opportunities exist to improve the design of the regional and country-level controls over the management of IFC's country office financial activities.

9. The objective of the Advisory Review of Emergency Relocation/Evacuation Processes in WBG Country Offices was to examine the governance, risk management and control processes over the emergency relocation and/or evacuation of staff and their eligible dependents during security emergencies in Country Offices. Although the WBG is effectively meeting its primary objective of protecting the safety and security of its staff, IAD provided recommendations to management for strengthening the overall framework and policy.

    The WBG is effectively meeting its primary objective of protecting the safety and security of its staff.

10. The objective of the advisory review of the WBG Staff Financial Assistance Programs (SFAP) was to assist HR management in its evaluation of the Programs. SFAP administration is hampered by fragmentation across Bank units and field offices, and policies and procedures governing the SFAP have not been updated. IAD recommended that the operations and administration of the SFAP be streamlined with increased oversight. Management should determine whether the evolution of the SFAP is consistent with its expectations for the Programs and its broader benefits framework. IAD also provided management with comparative financial assistance benchmarking practices from peer organizations offering similar programs.

    The review noted that SFAP administration is hampered by fragmentation across Bank units and field offices, and that policies and procedures governing the SFAP have not been updated.

2. Budget Update

Total expenditures during FY13 Q2 were $4.48 million, representing approximately 40% of the FY13 budget of $11.2 million.

Annex 1: List of Reports issued in the FY13 Q2*

WBG Engagements

No. | Entity | Engagement Title | Report No. | Date Issued
1 | WBG | Advisory Review of Emergency Relocation/Evacuation Processes in WBG Country Offices | WBG-FY13-01 | 10-Jan-13
2 | WBG | Advisory Review of the WBG Staff Financial Assistance Programs | WBG-FY13-02 | 10-Jan-13

IBRD/IDA Engagements

No. | Entity | Engagement Title | Report No. | Date Issued
3 | IBRD/IDA | Audit of Bank's Mobile Computing | IBRD FY13-04 | 30-Nov-12
4 | IBRD/IDA | Audit of the Bank's Management of Rapid Response Operations | IBRD FY12-14 | 3-Dec-12
5 | IBRD/IDA | Audit of Bank Windows Server Platform | IBRD FY13-05 | 15-Jan-13
6 | IBRD/IDA | Audit of Financial Intermediary Funds (FIFs) Disbursements | IBRD FY13-06 | 17-Jan-13

IFC Engagements

No. | Entity | Engagement Title | Report No. | Date Issued
7 | IFC | Audit of IFC's Mobile Computing | IFC FY13-02 | 29-Nov-12
8 | IFC | Audit of IFC's Windows Server Platform | IFC FY13-03 | 20-Dec-12
9 | IFC | Audit of IFC's Liquid Asset and Cash Management | IFC FY13-04 | 16-Jan-13
10 | IFC | Limited Review of IFC's Institutional Framework for Managing Financial Activities in Country Offices | Internal Audit Memo | 20-Dec-12

FY12 carry-overs: One audit has been carried over from FY12.

-------------------------------------
* As per paragraph 16 (d) of the Bank's Access to Information Policy, July 1, 2010, audit reports prepared by IAD shall not be publicly disclosed, except its finalized Annual and Quarterly Activity Reports.