IADVP FY17 FOURTH QUARTER ACTIVITY REPORT

The Internal Audit Vice Presidency (IAD) is an independent, objective assurance and consulting activity that helps to improve WBG operations. It assists the institution in accomplishing its objectives by evaluating the effectiveness of WBG governance, risk management, and control processes. Furthermore, IAD advises management in developing control solutions, and monitors the implementation of management’s corrective actions. IAD’s work is carried out in accordance with the Institute of Internal Auditors (IIA) International Professional Practices Framework. IAD’s Quarterly Activity Report summarizes IAD’s engagement results for the quarter.

1. Special Review of the Formulation of the New WBG Global Security Management Strategy

The objective of this special review was to review the new WBG Global Security Management Strategy, and assess it for adequacy of identified risks and controls.

The special review noted that the General Services Department’s Corporate Security function (GSDCS) has developed a roadmap for implementation of WBG’s new Global Security Management Strategy and of the specific initiatives to address strategic and operational gaps. Moreover, despite the uncertainty and evolving security needs across the globe, GSDCS has made tangible progress towards accomplishing the tasks outlined in this roadmap. Specifically, GSDCS is:

• Finalizing the new Framework of Accountability for the Bank Group Security Management System;
• Updating the Security Risk Management (SRM) Framework to expand on management roles and responsibilities in GSDCS’ security risk assessment and management processes;
• Drafting or updating specific policies and procedures related to ‘Country Evacuation and Relocation’, ‘Travel/Road Safety’, ‘Operating Status’ and ‘Non-Family Duty Station Designations’; and
• Implementing a newly developed Critical Incident Review Process in the event of death or serious injury of a Bank Group employee.

The steps taken by GSDCS have created a sound framework for improved coordination among various WBG stakeholders. However, the WBG’s ability to effectively implement the Global Security Management Strategy can be enhanced by (i) strengthening the current security oversight structure, (ii) providing a clearer definition of the operational decision-making authority and associated thresholds for security-related decisions, (iii) clarifying institutional roles and responsibilities for requisitioning and securing contingency funding, and (iv) engaging country offices in the security risk assessment.

2. Audit of WBG's Network Security (Internal and External)

The objective of this audit was to assess WBG’s internal and external network security to determine whether the existing policies, procedures, processes, and controls are adequately designed and implemented to safeguard WBG assets and provide protection against current and emerging threats.

The audit concluded that the WBG’s internal and external network design, architecture, governance processes, and risk management controls provide reasonable assurance that the confidentiality, integrity, and availability of the WBG’s network operating environment are adequately safeguarded. Critical improvements in recent years include:

• Centralized governance and management of network devices through consistently implemented security baselines and supporting policies across the managed devices.
• Implementation of a bi-annual review of all critical firewall rulesets to identify insecure or un-optimized rules that could introduce unexpected security risks to the WBG.
• Improved segmentation and reduced complexity to prevent unauthorized or malicious users from accessing critical systems in the event that certain areas of the WBG network are compromised.
• Deployment of security detection, prevention and forensic capabilities at all critical entry and exit points of the WBG’s network, providing the consistent ability to alert on and identify threats that could impact the WBG’s network and/or data centers.
• Conservative expansion into the cloud as part of the cloud-first initiative, allowing network security controls to be implemented so that critical data and sensitive systems are protected in the same manner as in on-premises datacenters.

While no significant control gaps were noted, IAD identified opportunities to further strengthen the network vulnerability and change management processes as well as the implementation of Network Access Control.

3. Audit of WBG’s Remote Access Services

The objective of the audit was to assess the governance, risk management and control processes for WBG’s Remote Access Services.

The audit concluded that the design and implementation of the WBG’s Remote Access Services architecture, management processes, and security controls provide reasonable assurance that remote access services are readily available to staff, appropriately hardened (secured), and accessible only by authorized individuals. ITS has implemented controls in a manner that prioritizes security requirements while promoting an end-user experience that is seamless and attempts to replicate in-office connectivity.

4. Audit of WBG’s Software Asset Management

The objective of the audit was to assess the governance, risk management, and controls over the management of WBG software assets maintained at HQ and Country Offices.

The audit concluded that the current system of internal controls over the software asset management process provides reasonable assurance that the WBG’s software assets are being managed effectively. While no significant gaps were noted in the audit, the current control environment could be further strengthened with regard to the installation and monitoring of non-standard or unapproved software applications in the WBG environment.

5. Audit of WBG’s Sanctions Process

The objective of the audit was to evaluate the design adequacy and operating effectiveness of controls for managing risks in the WBG’s sanctions process.

The WBG has a well-defined framework that operates as designed. There are adequate internal checks and balances, along with mechanisms for the screening of firms and individuals against the suspended and debarred lists. This framework is effective in preventing firms and individuals engaged in sanctionable practices from obtaining new WBG-financed contracts. Confidentiality is maintained by limited sharing of information until firms and individuals are formally sanctioned, after which all sanctions decisions are made public. A respondent’s compliance with conditions for release from sanctions is monitored and reviewed by an independent unit within INT. However, improvements are needed in the areas of (i) strategic oversight by a Senior Management forum, and (ii) use of sanctions-related information in the Bank’s operations.

6. Advisory Review of the World Bank’s Enterprise Architecture

The objective of the advisory review was to help the Bank’s senior management understand the current approach being taken on enterprise architecture (EA) and to provide information that would be useful for deciding how to improve the implementation of EA in support of strategic initiatives and high-level end-to-end process re-engineering.

Recognizing that EA is a powerful tool that business leaders use to support design and implementation of strategic initiatives and significant process (re)design, the review concluded that the Bank’s unit with a mandate to enact EA (ITSEA) has the tools, capabilities, and processes to perform EA for the institution. However, this unit is under-leveraged as a result of the unit’s limited mandate and a lack of accountability of business units to contribute to and use EA as part of strategic initiatives or process re-engineering. IAD recommended that (i) the mandate of ITSEA be strengthened; (ii) ITSEA be invited to contribute to and collaborate with key ongoing (and future) business process re-engineering initiatives; and (iii) the awareness and exposure of ITSEA’s information repository be promoted across the Bank.

7. Special Follow-up Review of Bank’s Action Plan to Improve Management of Safeguard and Resettlement Practices

The objective of the engagement was to provide independent validation of management’s implementation of the action plan to which it committed in a March 2015 press release. The report was intended to help management understand the areas that are not yet sufficiently actioned and require additional attention during the implementation of the Environmental and Social Framework (ESF).

Management has made progress on the implementation of the action plan since its original commitment. As of June 16, 2017, IAD had validated the design of 15 (of 23) action items and was able to partially validate the 8 other items. In the case of partially validated action items, the design of management’s solutions or actions is pending the implementation of the ESF. However, a number of areas will need concerted attention from management as the Bank embarks on the implementation of the ESF in the context of an evolving operating model. The ESF represents a significant broadening of scope for environmental and social risk management, and plans are in place to strengthen capacity in several areas, namely risk management and oversight systems and procedures, staffing according to project risk profiles, training and capacity development, recruitment of additional specialists, and strengthening incentives for managing environmental and social risk.

8. Advisory Review of the Bank’s Workforce Planning

The objective of this advisory review was to assess the completed workforce planning exercises and provide fact-based analyses and insights to inform the design of future strategic workforce planning. Specifically, the review focused on the overall maturity of the Bank’s workforce planning capability.

The review found that the workforce planning capability has improved significantly since its inception in 2014. It has enhanced business conversations about the future talent and skills required at the Bank, based on strategic priorities. The workforce planning capability has been set up with strong governance in place and a consistent corporate process defined. However, there is room for improvement across many of the capability dimensions, particularly data, technology, and integration with other talent processes.

9. Advisory Review of Bank’s Management of Climate Change Operations – Key Business Enablers

The objective of the advisory review was to review the institutional arrangements that are in place in the climate change business, and to provide forward-looking recommendations to management on areas that would be essential to deliver on the Bank’s (IBRD and IDA) climate change objectives.

IAD’s review indicated that the Bank has taken important steps to support the scaling up of climate in its operations. Key progress includes:

• The Bank’s 28% climate target for 2020 has been cascaded to Sectors, and Regional Vice Presidents have recently committed to climate targets for 2020.
• A process to harmonize the Bank’s climate change definitions and methodology with other multilateral development banks is in place.
• A defined process to identify, track and report on climate finance is in place.
• The climate change group (CCG) has established a Climate Focal Point Network, designed to be a formal link between CCG and Sector/Regional teams to further embed climate in the Bank’s operations.
• CCG has developed tools to support the mandate that all projects be screened for climate change risk, effective FY18.

However, management needs to: (i) strengthen Regional and Sector management buy-in on climate change priorities; (ii) increase sector-specific climate guidance to enable Sectors and Regions to better identify projects with climate co-benefits; (iii) enhance information flow and collaboration between and amongst various internal climate stakeholders; (iv) undertake a coordinated approach across the institution to engage donors on climate finance, given that concessional financial resources are dwindling; and (v) conduct portfolio-level monitoring of climate-related trust funds to support effective decision-making in prioritizing and optimizing the use of scarce climate resources.

10. Advisory Review of Bank’s Risk Management in Recipient Executed Trust Funds (RETFs)

The objective of the advisory review was to assess, at the trustee level, the institutional risk management processes and practices over Recipient Executed Trust Funds (RETFs), and provide insights and recommendations that would help management gain further efficiencies in the execution of its fiduciary responsibilities to development partners.

IAD noted that risks in RETFs fall into two categories: (i) risks inherent at the trustee level, and (ii) risks at the level of the projects financed by the RETFs. Trustee-level trust fund risks are assessed at the inception of all new trust funds using the Trust Fund Risk Assessment Form (TRAF). At the project level, risks are assessed in line with the specific risk management framework of the applicable financing instruments, and these risks are captured across instruments using an overarching risk assessment framework for Bank operations, known as the Systematic Operational Risk-rating Tool (SORT).

Under the current institutional risk management framework and practices, opportunities for management to leverage risk information at the trustee and project level in the management of risks in RETFs include: (i) the further expansion of trustee-level risk management practices to encompass the entire trust fund lifecycle from establishment to closing, and help strengthen the monitoring of the overall RETF portfolio; (ii) the systematic aggregation and analysis of project-level risk information at the trustee level, to help management better identify high-risk RETFs, appropriately calibrate their actions for managing these risks, and improve reporting of critical risks to donors; and (iii) the provision of RETF-related risk information – both at the trustee level and at the project level – to Senior Management and the Board, to facilitate their strategic consideration of the use of RETFs in operations.

11. Advisory Review of IFC’s and MIGA’s Management of Climate Change Operations – Key Business Enablers

The objective of the engagement was to review the institutional arrangements that are in place in the climate business, and to provide forward-looking recommendations to management on areas that would be essential to deliver on the IFC’s and MIGA’s climate change objectives.

Recognizing the challenge of meeting the target of 28% as the climate-related share of their portfolios by 2020, IFC and MIGA have taken concrete steps to support the scaling-up of climate in their operations. Both institutions have made considerable progress. For example, IFC has made progress with regard to (i) climate definitions, methodologies and tools to track and report climate finance; (ii) awareness and understanding across the Industries and Regions of the IFC’s role in climate business; (iii) the various roles taken on by the Climate Business Department (CBD) to scale up climate business; and (iv) the establishment of a climate anchor as a formal link between CBD and industry/regions. MIGA now has a climate team in place and has recently developed a Guidance Note that refines its previous approach to calculating climate co-benefits.

Despite the progress, a substantial increase in climate work is needed over the next three years to achieve the 28% target by 2020. The review recommended that IFC (i) strengthen Industry and Regional management buy-in on climate change priorities; (ii) cascade the climate targets down to Industries and Regions, with mechanisms to enforce accountability; (iii) increase sector-specific climate guidance supporting private-sector-friendly policies; and (iv) increase the availability and use of blended finance and processes to define, track and monitor private sector mobilization targets.

12. Audit of IFC’s Oversight and Working Arrangements with the IFC Asset Management Company (AMC)

The objective of the audit was to assess whether IFC’s arrangements for overseeing AMC’s activities in its various roles with AMC are adequately designed and are operating effectively. The audit also examined how IFC manages conflicts of interest arising in those roles, and reviewed IFC’s IT systems in place supporting IFC’s business arrangements with the AMC.

The audit noted that IFC has well-established processes for investing in AMC’s funds, sharing equity investment opportunities with AMC, and supporting AMC with investment-related services such as project appraisal and supervision. However, IFC needs to improve its oversight and working arrangements with AMC in the areas covering: (i) IFC’s oversight of the AMC business relationship; (ii) operational arrangements with AMC; (iii) IFC-AMC information sharing and access management; and (iv) IFC’s conflicts of interest.

13. Audit of IFC’s Equity Investments

The objective of the audit was to evaluate the design and operating effectiveness of IFC’s equity investment process.

IFC has instituted a comprehensive set of procedures to govern various aspects of the equity investment lifecycle, and the audit found that investment staff follow these procedures. IFC has a well-defined due diligence process for the approval of new equity investments and an established decision-making framework and governance mechanism for such investments. After subscription, equity investments’ financial performance and development impact are continuously monitored.

The audit identified opportunities for improvement relating to: (i) the need for consistent development and monitoring of strategies and action plans that outline investment-specific value creation milestones; (ii) the absence of a process to identify and prioritize critical directorship positions that need to be filled; (iii) the need for Corporate Governance specialists to be more involved in the post-appraisal stages of equity investment projects; (iv) the lack of clear guidelines on the selection of investments among alternative pipeline opportunities; (v) the absence of a platform to effectively govern valuation models; and (vi) the need to enhance the reporting and analytical capabilities of existing information systems that support the equity investment process.

Annex: List of Engagements in the FY17 Q4 Activity Report

No.  Engagement                                                                                          Report No.

WBG
1    Special Review of the Formulation of the New WBG Global Security Management Strategy                WBG FY17-07
2    Audit of WBG's Network Security (Internal and External)                                             WBG FY17-08
3    Audit of WBG's Remote Access Services                                                               WBG FY17-09
4    Audit of WBG's Software Asset Management                                                            WBG FY17-10
5    Audit of WBG's Sanctions Process                                                                    WBG FY17-11

IBRD/IDA
6    Advisory Review of the World Bank's Enterprise Architecture                                         IBRD FY17-03
7    Special Follow-up Review of Bank's Action Plan to Improve Management of Safeguard and Resettlement Practices   IBRD FY17-04
8    Advisory Review of the Bank's Workforce Planning                                                    IBRD FY17-05
9    Advisory Review of Bank's Management of Climate Change Operations – Key Business Enablers           IBRD FY17-06
10   Advisory Review of Bank's Risk Management in Recipient Executed Trust Funds (RETFs)                 IBRD FY17-07

IFC/MIGA
11   Advisory Review of IFC's and MIGA's Management of Climate Change Operations – Key Business Enablers IFC-MIGA FY17-01
12   Audit of IFC’s Oversight and Working Arrangements with the IFC Asset Management Company (AMC)      IFC FY17-03
13   Audit of IFC Equity Investments                                                                     IFC FY17-04