74886
Annual Fiscal Year Report 2012
Internal Audit Vice Presidency
January 16, 2013
PUBLIC

Abbreviations and Acronyms

ADR: Audit Director Roundtable
AMC: Asset Management Company
BCM: Business Continuity Management
CAE: Chief Audit Executive
CAO: Chief Administrative Officer
CEB: Corporate Executive Board
COO: Chief Operating Officer
CRO: Chief Risk Officer
CAS: Country Assistance Strategies
CFP: Concessional Finance and Partnerships
CFR: Corporate Finance and Risk Management
CM: Country Manager
CTR: Controllers' Vice Presidency
GAIN: Global Audit Information Network
HQ: Headquarters
HR: Human Resources
IAD: Internal Audit Vice Presidency
IBRD: International Bank for Reconstruction and Development
ICAS-E: Integrated Corporate Accounting System for Equity
ICFR: Internal Controls Over Financial Reporting
ICSID: International Centre for Settlement of Investment Disputes
IDA: International Development Association
iDesk: IFC's document repository system
IEG: Independent Evaluation Group
IFC: International Finance Corporation
IIA: Institute of Internal Auditors
IMT: Information Management and Technology
INT: Integrity Vice Presidency
IT: Information Technology
IRMR: Integrated Risk Monitoring Report
MGS: MIGA Guarantee System
MIGA: Multilateral Investment Guarantee Agency
MLT: Matrix Leadership Team
OC: Operations Center
OPCS: Operations Policy and Country Services Unit
ORAF: Operational Risk Assessment Framework
PAT II: Portfolio Analytics Tool (version 2)
PRAMS: Procurement Risk Assessment and Management System
RAMP: Reserves Advisory and Management Program
RI: Regional Integration
RM: Resource Management
SAP: Systems, Applications and Products software
TQC: Trust Fund Quality Assurance and Compliance Group
UN RIAS: Representatives of the Internal Audit Services of the United Nations Organizations and Multilateral Financial Institutions
VPU: Vice Presidential Unit
WBG: World Bank Group

Table of Contents

World Bank Group Internal Audit Vice Presidency ..... 4
Foreword from the Vice President and Auditor General ..... 5
Risk and Control Themes ..... 6
Management Response ..... 12
FY12 Work Program Overview ..... 13
Summary of Audit Results ..... 16
Summary of Advisory Work ..... 23
Methodology and Professional Practices ..... 24
Appendix: IAD Reports Issued in FY12 ..... 29

World Bank Group Internal Audit Vice Presidency

Internal Audit Vice Presidency's ("IAD") Mandate

IAD is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of WBG's entities. It assists the Bank Group in accomplishing its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of the organization's governance, risk management, and control processes. IAD also focuses on raising awareness of risks and controls, providing advice to management in developing control solutions, and monitoring the implementation of management's corrective actions to mitigate risks and strengthen controls. IAD's work is carried out in accordance with the Institute of Internal Auditors (IIA)'s International Professional Practices Framework.

Oversight of IAD

IAD reports to the President and is under the oversight of the Audit Committee.
The Audit Committee of the Board of Executive Directors has a mandate to assist the Board in overseeing the WBG's finances, accounting, risk management and internal controls. The Audit Committee oversees the external auditors with respect to the integrity of the financial statements for the entities and financial reporting for trust funds; the Integrity Vice Presidency with respect to anti-fraud and anti-corruption measures; and IAD with respect to governance, risk management, and internal controls. The Audit Committee's responsibilities with respect to IAD include:

• The review of IAD's Terms of Reference and recommendation to the Board for approval.
• The review of IAD's annual Work Program and recommendation to the Board for approval.
• The review of the results of IAD's work covering operations and compliance with key provisions of IBRD/IDA, IFC and MIGA's charters and policies.
• The review of the overall effectiveness of IAD.

On at least a quarterly basis, IAD briefs and updates the President and the Audit Committee on engagement outcomes and the progress of management action plans to improve the Group's controls. IAD also briefs the Audit Committee on any changes to the annual Work Program that may occur as a result of emerging risks, significant changes to the business, or requests from Management for advice on internal control matters.

IADVP FY12 Annual Report I4

Foreword from the Vice President and Auditor General

Against the backdrop of an uncertain global environment, the World Bank Group has sought to be increasingly responsive to the immediate needs of its clients and shareholders by modernizing its products, organization and processes. The ability to identify, measure, and report on results, supported by strong and effective accountability mechanisms, is central to this objective.
The focus on results will also entail effective identification and management of risks, since key to achieving results is taking the right risks and managing these risks effectively.

In FY12, IAD has continued to improve its own processes to support the institutional focus on results. We have continued our shift away from compliance-focused work to providing risk-based assurance on the most significant business processes of the WBG. We have redesigned our risk assessment process to identify and prioritize areas that pose the greatest risk to the institution, taking into account the organization's strategic priorities and the input of senior management and the Board. IAD's FY13 Work Program document provides explicit links to high rated risks identified by management.

In terms of improvements in reporting, we have introduced a summary of high risk-rated issues in our quarterly reports to help management with the prioritization of issues. We have developed a one page reporting tool to highlight key messages and results for the Bank's Senior Management team, and have designed a separate reporting product to provide the basis for IAD's quarterly updates to IFC's Corporate Risk Committee. IAD has also continued to focus on the follow-up of audit issues, with the full support of the Audit Committee, to foster greater management ownership for timely mitigation of identified risks.

During the past year, we have made significant progress in coordinating our activities with the other oversight functions, management's risk and control functions, as well as with the Group Chief Risk Officer, and the external auditors. This coordination is vital since it helps improve the overall effectiveness of the organization's risk management processes. IAD is in a unique position within the World Bank Group organization, able to provide an institutional view on matters of governance, risk management, and control.
We are starting to better leverage this Group-wide remit by comparing and contrasting control practices across business units and entities. During FY13, we will increase our focus on institutional learning by sharing insights on control practices. Such insights will shed light on what has worked and what has not, and thereby help management to replicate good practices and avoid previously identified issues.

I would like to extend my gratitude and appreciation to Senior Management and the Audit Committee for their continued support and guidance. I would also like to thank all IAD staff for their passion and commitment to the World Bank Group's mission and IAD's mandate.

Clare Brady
Vice President and Auditor General

Risk and Control Themes

This qualitative commentary is intended to provide IAD's perspective on broader risk management, governance and control themes. Our comments draw on the body of work undertaken by IAD during the year, through assurance and advisory engagements, observation of control practices, ongoing dialogue with WBG management and the Audit Committee, and knowledge of historical risk and control issues. By its very nature, the control environment is dynamic and evolving, which requires the institution to constantly tailor its risk management, governance and control practices to meet changing business needs. As such, the perspectives provided below reflect ongoing challenges and emerging priorities that require continued attention.

Progress has been made in the integration of the WBG risk management framework but more work is required to develop risk appetites in the Bank and to achieve greater consistency in risk management activities across the Group. The WBG continues to make progress in laying the foundations of an integrated risk management framework. During the past year, a unified Integrated Risk Monitoring Report (IRMR) was produced, focusing on shared risks and common issues across the WBG entities collectively. However, despite noticeable improvements in both harmonizing risk definitions and developing risk thresholds in some areas, there is still weak articulation of institutional risk appetites.

Risk-setting approaches and practices within the Bank remain largely fragmented, inconsistent across operational areas, and are often ad hoc or informal in nature. While financial risks (liquidity, credit, and market) are generally well defined, measured and monitored, the institutional approach remains far less structured with respect to non-financial risks. This inconsistency can potentially undermine the ability of management to make cohesive business decisions. IAD's audits of operational areas in the Bank have pointed to the need for greater clarity in the establishment of risk appetites and tolerances. IAD's review of the Bank's procurement process, for example, indicated that different interpretations and expectations exist within the organization with respect to the Bank's fiduciary role in borrowers' procurement activities, as a result of unclear risk appetite.

Poorly defined risk appetites can potentially lead to significant exposures, at both cultural and practical levels. In terms of organizational culture, in the absence of clearly articulated risk appetites, there is a widespread perception, within the Bank, that risk-taking is not encouraged, thus potentially reinforcing a culture of risk aversion that may be inconsistent with long-term strategic results, goals, and desired developmental impact. At a practical level, the lack of a structured approach to managing risk makes effective aggregation and analysis of risk profiles at the institutional level difficult, if not impossible. Strategy formulation and implementation is also weakened in the absence of clear parameters on the nature or level of risks deemed acceptable to achieve strategic objectives, or how those risks are factored into the assessment of performance and strategy implementation. The risk aversion culture stemming from the lack of clarity in risk appetites contributes to duplication of checks and balances as opposed to streamlining of controls, with resultant inefficiencies and higher transaction costs.

Management has begun the process of developing appetites and tolerances for some of the risk areas in the institutional risk taxonomy. In developing these risk thresholds, we recognize that management needs to build in flexibility to accommodate the diversity of environments in which the Bank operates.

A shortfall in change management capacity and skills could hamper the Bank's ability to implement changes to corporate processes. An "organizational inertia" caused, in part, by the lack of a structured and rigorous approach to change management, sometimes impedes the "operationalization" of key corporate initiatives. While strategic initiatives are conceptually well designed, the institution struggles with successful implementation. Mainstreaming of organizational initiatives is often delayed for unduly long periods of time as a result of weak change management practices:

• The scope and complexity of change is quite often underestimated; implementation can therefore be fragmented or weakened, without the commensurate level of support.
• Detailed plans with time-bound and agreed upon project implementation milestones are not always established, making it difficult to monitor delivery.
• Funding and staffing considerations are not fully considered in the upstream project planning process.
• IT tools and system requirements to ensure successful implementation are also not always thoroughly considered at the outset, leading to downstream project implementation delays.
• Adequate guidance at the operating/business process level in order to successfully transition from design to implementation is often lacking, resulting in inconsistent practices across units.

These weaknesses have been observed consistently in a number of areas. For example:

• IAD's review of the Bank's operational procurement process indicated that the implementation rate of the tools (P-RAMS and Post Procurement Review System) introduced to tighten fiduciary controls in procurement is low across the Bank, even though the underlying control gaps were originally identified in 2008. These new tools, which were designed to facilitate systematic risk assessment and strengthen corporate monitoring of procurement risks, were not embedded into day-to-day operations, although the use of the tools was mandatory.
• Although the Operational Risk Assessment Framework (ORAF) is a significant initiative by management to support systematic risk assessment in the Bank's Investment Lending operations, the lack of a structured implementation approach has resulted in an inconsistent understanding and application of the risk-based approach.
• While management presented its vision of managing knowledge products as a portfolio to prioritize knowledge activities, essential elements of knowledge portfolio management were not in place before roll-out, thereby slowing down the progress of implementation.

Senior management attention to the Bank's institutional change management capacity will help to promote the focus on accountability and results.

Accountability for the Bank's corporate oversight and monitoring requires strengthening. While primary accountability appropriately rests with each business to manage the risks related to their core activities, the roles and responsibilities of corporate functions and management control units, designed to act as a "second line" of defense, are often poorly defined. IAD's reviews have highlighted the lack of clarity in the roles and mandate of management control units (such as CFR, CFP, OPCS, CRO, TQC) as well as the high degree of "optionality" in the recommendations provided by such units due to unclear expectations and accountability processes. This ambiguity in the definition of roles and responsibilities, in turn, weakens accountability.

• IAD's review of the Bank's Quality Assurance Process for Investment Lending operations highlighted the need for greater clarity in the role of OPCS, and the division of responsibility between OPCS and the Regions. Although the new corporate quality assurance model envisioned a lessening of corporate-level oversight in favor of a more significant role for the Regions, the exact role of OPCS with regard to quality monitoring and reporting was not defined.
• Following a reorganization of its structure, one of the key roles of OPCS will be to work with the Regions to strengthen risk management practices in operations; it is however unclear to what extent this mandate involves responsibility for oversight or is limited to an advisory and reporting role.
• While Networks have a mandate to promulgate their technical expertise and knowledge in support of front-line operations, IAD's reviews have indicated that a clear role for Networks has not yet been established in providing systematic support to operational teams.

Consistent with these observations, IEG's report on the Bank's matrix system has also highlighted the challenges associated with the Bank's organizational structure and the weak linkages between Regions and Networks. Management has recognized the importance of clarifying accountability arrangements and certain steps have already been taken. Specifically: (i) the portfolios of the Managing Directors have been realigned to foster greater ownership and accountability; (ii) a new accountability and decision-making framework is being piloted to introduce specific protocols for the assignment of responsibility and authority, and for defining staff roles in decision making; (iii) the Network Anchors have adopted the MLT-endorsed "10 Point Program" towards enhanced Sector Practices; and (iv) the role of OPCS in quality monitoring and reporting is being more clearly defined.

The effective operationalization of accountability measures will continue to require careful sequencing, and clear assignment of responsibilities for implementation and oversight across all reform components. During FY13, IAD will review the operational processes underpinning the compilation of the Bank's Corporate Scorecard.

The transition to new leadership presents an opportunity to further consider the Bank's organizational structure. Over the past two years, important milestones have been reached by the Bank in strengthening its focus on results, openness, and accountability. At the same time, the transition to new leadership provides a valuable opportunity to examine the current organizational structure, in the context of supporting the broad areas of strategic importance identified for the institution: the operational model, the business model and modernization, the knowledge agenda, and the financial model. Specifically, sustained institutional focus will be required to:

• Promote a "One-Bank" and client-centric approach through harmonization across Regions, Networks and Corporate Units, centered around providing a suite of products and services to meet the diverse demands of clients.
• Simplify and streamline internal business processes and reduce operational complexity across functional boundaries to further enable the focus on results.
• Deepen synergies and opportunities for integration to drive cost efficiencies as the Bank seeks to strengthen its financial model.
• Break down institutional silos by sharing lessons learned and fostering the internal dissemination of knowledge.

To this end, the Bank could potentially strengthen its organizational structure with the addition of a Chief Operating Officer (COO) to help create a clear line of sight that: (i) connects Senior Management with the operational teams; (ii) strengthens management's focus and operational discipline on the implementation aspects of corporate strategies and initiatives; and (iii) looks across functional boundaries to maximize synergies.

HR Reforms are critical for modernizing the management of the Group's global workforce. Effective management of the Bank's human capital remains a significant challenge. The recent institutional risk management reports and internal surveys point to the need to have a more strategic approach to all areas of human capital management, including recruitment, compensation and benefits, mobility, career and succession planning, and particularly performance management.

While significant progress has been made over the past year in the improvement of operational processes for benefits, rationalization of the Bank's overall benefits framework is pending completion of ongoing reviews. Similarly, performance management continues to be consistently identified as an important area for improvement in both formal institutional risk surveys as well as in informal management and staff feedback. The Bank's recruitment cycle times still remain long, although Bank Senior Management has established aggressive targets for reducing these cycle times. A significant reorganization of the HR function has recently been undertaken. The new structure will bring greater connectivity between HR units by eliminating the departmental pillars and will create clear accountability for core HR deliverables. Specifically, on performance management, a collective effort with managers, staff, and the Staff Association has been launched to build a stronger culture of performance and accountability.

Although Bank Group entities are in a generally strong balance sheet position, continued management of financial risks remains a priority. As market conditions remain weak, with significant uncertainty on the horizon for key stakeholders (both donors and borrowers), WBG entities continue to face potential market, credit and liquidity risks. These exposures are partially mitigated by generally conservative policies. The Board and Senior Management have a low risk appetite that is embodied in restrictive Board policies that limit the types of investments, loans or guarantee arrangements, particularly in the case of the Bank. These policies are in turn translated into specific exposure limits and management level guidelines, which are monitored by the risk functions and regularly reported to the Board. Consequently, even in the midst of significant uncertainty around global financial markets and conditions, the WBG entities have not faced any significant financial losses. However, while the short-term horizon is stable, medium to longer term prospects could be impacted by several factors including: the impact of crisis conditions on the creditworthiness of both sovereign and commercial counterparties, the adverse effects of persistently low interest rates combined with high market volatility on the income dynamics of WBG institutions, and the uncertainty of future cash flow transfers from donors faced with significant uncertainties. The combination of these risk factors heightens the need for continued management focus on strengthening financial risk management processes, especially in areas such as independent risk measurement, group-wide methodologies for stress testing and scenario analysis, portfolio level monitoring of credit risk, risk-adjusted performance measurement, and assessment of pricing and valuation methodologies.

Implementation of the Federated Model has improved the collaboration and engagement between the business and IMT. The IMT Three-Year Strategy, developed in 2010, was designed to align the IT operating model with the overall WBG Strategy and business drivers. As noted by IAD in its FY11 Annual Report, the success of the model required strong central IT coordination across different lines of business in order to deliver on the shared responsibilities across the WBG. Previously decentralized IT organizations within the Vice Presidential Units have been consolidated into Line of Business Centers of Excellence to better realize opportunities of scale and efficiency. Dedicated IMT units are now partnered with the World Bank Group's primary lines of business (Operations, Finance Complex, Corporate Units and IFC), with the business governing decisions on IT priorities and investments, thus fostering direct line-of-business management accountability for technology investment priorities.

While the maturity level of the governance structure varies for each line of business and turnover has occurred in several key IMT leadership positions, each of the planned committees has been formed and is accountable for the prioritization and monitoring of investments. Continued focus will be required to deliver the other integral elements (sourcing strategy, IT funding model reform, technology roadmap, IT risk assessment framework, and the next generation cyber security strategy) to ensure successful implementation of the IMT Strategy.

Improvements are required in the governance of WBG Systems Renewal projects. The systems within the three institutions have historically not kept pace with the developments in the business (e.g., PeopleSoft system, IFC's ICAS-E and iDesk systems). Significant dependence on manual processes increases the level of operational complexity and the likelihood of errors. In addition, the lack of automated processing often results in significant reliance on a limited number of key staff, with potentially adverse implications for process sustainability. Although a number of systems renewal projects have recently been identified by each of the operating institutions, there is a need for a mechanism by which projects can be prioritized based on risk and business impact. While substantial resources have been allocated to important initiatives, such as the Finance Complex Systems Renewal and the HR System Renewal, needs exceed available resources. It is, therefore, important that: (i) gaps between business requirements and existing IT infrastructure are properly assessed; (ii) the risks associated with those gaps are evaluated to support trade-off decisions and set priorities; and (iii) there is effective oversight and monitoring of implementation to reduce cost and time overruns. Management should also look to align systems renewals with changes in business processes, so that system fixes do not become an after-the-fact, isolated exercise. IMT has now developed an IT portfolio planning and management framework to assess funding prioritization of IT investments. During FY13, IAD will conduct pre-implementation reviews of the Finance Complex Renewal and HR Systems Renewal projects to provide timely input to management on project governance and the alignment of the IT systems with the underlying business needs.

Implementation of the Bank's Trust Fund Management Framework requires continued focus. The Trust Fund Management Framework, introduced in 2007 with the goal of mainstreaming trust funds into the Bank's strategies and business processes, has sought to enhance the strategic relevance, risk management and controls, and efficiency of trust funds. Trust funds are now more explicitly considered by both the Bank and recipients as an integral part of overall country programs. Management's umbrella trust funds initiative will also seek to enhance the results orientation while reducing fragmentation. While some consolidation has been achieved in the past years, significant work remains to be done and will require management's continued focus in several areas:

• Integrating trust funds into the Bank's multi-year budget planning framework, and mainstreaming trust fund processes into IBRD/IDA processes.
• Developing and implementing a framework for "Partnership Programs" (programs that are outside the Bank's existing governance structures and that involve shared decision-making processes) to improve selectivity and oversight over these programs.
• Improving the internal management reporting of trust fund data by standardizing the underlying coding and data architecture of trust funds.

During FY13, IAD will review the integration of external funds into the Bank's corporate budget and planning process.

While IFC's project level risks are generally well managed, further improvements are needed in portfolio level monitoring. Risk management functions within IFC have made significant progress in reassigning and relocating resources from headquarters to the field and have been successful in mitigating significant risks at the project level. Sound risk management practices exist in key areas such as Asset and Liability Management, profitability measurement, and the fund management operations of IFC Asset Management Company. A number of IAD's IFC reviews, both in the operational and financial areas, have found that individual projects are well designed and managed. However, the Corporation can still improve its portfolio level monitoring to achieve greater consistency in monitoring and risk management.

MIGA continues to strengthen its risk management framework consistent with the dynamic nature of its portfolio. IAD's MIGA reviews have highlighted the continued focus by management on strengthening its core processes of portfolio risk monitoring and reinsurance through more effective use of portfolio level analytics and its economic capital framework. In addition, MIGA's Executive Vice President has made changes to the structure of the Management Team, to promote greater accountability.

In FY12, IAD endeavored to promote process improvements by comparing operating practices across Group entities. Specific examples from IAD's reviews include the following:

• IAD's review of the WBG Framework for Policies and Procedures indicated that control practices differed significantly both within and across the WBG institutions in the areas of development, communication, and management of policies and procedures. Unlike IFC, the Bank does not have a common repository to capture and archive all relevant organizational policies and procedures and is now drawing on IFC's model in the design of an institutional policy framework.
• IAD's reviews of the market risk management processes for the Bank and IFC highlighted the need for the market risk function in the Bank to strengthen its ability to independently measure market risk. On the other hand, IFC requires a more comprehensive top-down approach to market risk management via a formal policy framework.
• The review of data management practices of the Bank and IFC indicated that, while the Bank has focused substantial effort on instituting policies and practices to manage documents and records (unstructured data), structured data is not being managed comprehensively. In contrast, IFC has robust controls over structured data, but does not yet have an enterprise-wide program for managing unstructured data.
• The reviews of server virtualization of the Bank and IFC indicated some common areas for improvement. In terms of differences, the Bank had developed a risk and controls catalog to specifically address virtualization risks, which IFC had not. IFC is now leveraging this work in the development of its own virtualization security standards.

There are also opportunities for the Bank and IFC to collaborate more closely in a number of corporate areas to achieve greater synergies (e.g., treasury and model risk management, IT and shared services).

Management Response

The World Bank Group's Management Team welcomes the FY12 Annual Report of the Internal Audit Vice Presidency (IADVP). The main themes presented in this report are a timely and valuable input to the strategic planning and change process that has been launched by new leadership of the World Bank Group. This collaborative reform process, building on the Bank's ongoing modernization program, is developing concrete proposals to achieve our common vision of eliminating poverty and building shared prosperity. To implement the change agenda, a new position of Senior Vice President for Change Management has been established. This will establish a focal point of accountability and ownership for coordinating and pushing forward a complex change agenda which includes initiatives that touch many different parts of the organization. To strengthen our organizational structure and enhance effectiveness, the positions of the Managing Directors have been realigned to increase the accountability, oversight, internal coordination and quality of business processes. The existing matrix of regional and network VPUs is now under a common reporting structure.

The WBG Management Team is committed to creating a more results-focused and agile institution. Successful implementation of the reform agenda will require a shift in culture from risk-avoidance to one of risk management, as well as harmonization across entities to harness synergies and break down institutional silos. IAD's evidence-based assessments and its ability to compare and contrast practices across units to foster institutional learning will be particularly useful in supporting these reform priorities and in providing an independent opinion to management on the extent of progress. We look forward to partnering closely with IAD as we move ahead to becoming a more effective institution.

FY12 Work Program Overview

The FY12 Work Program was designed to focus on the most significant risks for the institution, consistent with the IIA's International Standards for the Professional Practice of Internal Auditing (Performance Standard 2010), which requires the Chief Audit Executive to establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals. The objective was to provide balanced coverage of core operational processes, corporate and finance areas, and information technology.

The development of IAD's FY12 Work Program was undertaken through a comprehensive risk assessment process and extensive consultations with management. IAD's risk assessment was driven by a number of qualitative factors such as: (i) linkage to strategic objectives and internal reforms; (ii) pace of change within the area; (iii) extent of fiduciary responsibilities; (iv) complexity of the process; (v) potential impact of external events; and (vi) results from IAD's prior reviews and known risk mitigation mechanisms. In determining audit priorities, IAD also took into account areas of focus for the President and the Audit Committee.

The FY12 Work Program, in addition to entity-specific reviews, contained Group-wide reviews to enable IAD to draw broader thematic conclusions as well as compare and contrast practices across entities.

Thirty-eight engagements were completed during FY12 comprising reviews of critical end-to-end business processes, operations, corporate and administrative processes, and information technology areas. These included nine Group-wide process reviews, 14 IBRD/IDA engagements, 11 IFC specific reviews, three MIGA engagements and one ICSID review. Appendix A lists all audit reports issued in FY12. Figure 1 and Figure 2 show the Work Program breakdown by World Bank Group entity for FY12 and FY11 respectively.

Figure 1: FY12 Work Program Breakdown by Entity (based on staff days): IBRD/IDA 44%; IFC 27%; WBG 22%; MIGA & ICSID 7%.

Figure 2: FY11 Work Program Breakdown by Entity (based on staff days): IBRD/IDA 49%; IFC 27%; WBG 19%; MIGA & ICSID 5%.

The IBRD/IDA internal reform effort is a core part of the four pillar framework for modernizing the World Bank, endorsed by the Bank Governors in the Spring of 2010. At its core, the modernization agenda is about strengthening the institution's focus on results, openness, and accountability. A number of IAD's reviews in the FY12 Work Program were designed to cover the IBRD/IDA modernization components.

Figure 3: IAD FY12 Work Program Alignment with IBRD/IDA Modernization (table; only its contents are recoverable from the extracted layout)
World Bank Group Strategic Priorities: Target the Poor and Vulnerable; Create Opportunities for Growth; Provide Cooperative Models; Strengthen Governance; Manage Risk and Prepare for Crises.
Four Pillars of IBRD/IDA Modernization: Business (Internal Reform); Post-Crisis Directions; Finances; Governance.
Focus areas of reform, Business Modernization: Products and Services (Financing; Knowledge Services; Global Partnerships & Programs); Processes & Systems (Operational Policies & Procedures; Information Management & Technology; Budget & Disbursement Modernization); Organization (Matrix; Knowledge; Partnerships; Decentralization; Human Resources).
IAD FY12 Reviews mapped to these focus areas: Reserves Advisory and Management Program (RAMP); Management of Procurement Risk for Bank-Funded Projects; Institutional Control Framework for Financial Activities of Country Offices; Knowledge Portfolio Management; Quality Assurance Process for Investment Lending Operations; Offshored Corporate and Back Office Functions; IMT Strategy Implementation; Data Management; Market Risk Management.

The FY12 assurance engagements were rated in accordance with IAD's ratings framework*. During FY12, there was a slight increase in the overall proportion of "Satisfactory" rated audit reports, and a corresponding decrease in the "Needs Improvement" rated audit reports, as compared to FY11. A key contributing factor to this shift has been an improvement in controls in the treasury and information technology areas.

Figure 4: FY12 Engagement Ratings by Entity
WBG: 9
► Satisfactory: 5
► Needs Improvement: 3
► Unsatisfactory: 1
► Unrated (Advisory): 0
► Internal Controls over Financial
Reporting (ICFR) testing on behalf 0 of management The following engagement level ratings were used for IBRD/IDA 14 FY12: Satisfactory ► 4  Satisfactory – Internal Audit identified no ► Needs Improvement 4 significant issues related to the design of controls ► Unsatisfactory 1 or to the proper functioning of controls as ► Unrated (Advisory) 3 designed. If issues were noted, they were considered minor in nature. ► Internal Controls over Financial Reporting (ICFR) testing on behalf 2  Needs improvement – Internal Audit identified of management issues related to the design of the controls and/or IFC 11 In the functioning of the controls. Although none ► Satisfactory 3 of these issues, either individually or in the ► Needs Improvement 6 aggregate, indicate significant weaknesses, management should address these issues in a ► Unsatisfactory 0 timely manner to further strengthen the system ► Unrated (Advisory) 1 of controls. ► Internal Controls over Financial Reporting (ICFR) testing on behalf 1  Unsatisfactory – Internal Audit identified issues of management that indicate significant weaknesses in the design and/or operating effectiveness of controls. MIGA and ICSID 4 Management should take immediate action to ► Satisfactory 1 establish a satisfactory system of controls. ► Needs Improvement 0 Summaries of engagement outcomes were included in ► Unsatisfactory 1 the quarterly reports provided to the President and to ► Unrated (Advisory) 1 the Audit Committee. Full audit reports for assurance ► Internal Controls over Financial engagements rated “Unsatisfactory” were Reporting (ICFR) testing on behalf 1 systematically circulated to the President and to the of management Audit Committee for discussion. 38 The proportion of advisory engagements remained largely unchanged from the previous year, at * During FY11, IAD introduced issue level ratings and approximately fifteen percent. 
modified its engagement level rating descriptions to better reflect IAD’s overall assessment of the internal controls in the areas under review. IADVP FY12 Annual Report I 15 Summary of Audit Results World Bank Group Audits IAD’s audit of WBG Network Perimeter Security IAD recommended a more strategic approach to covered the configuration and management of managing the overall vendor portfolio, to complement network security devices. Management has management’s focus on transactional controls. implemented network perimeter security controls, such as network traffic filtering and network security IAD’s audit of WBG’s Business Continuity monitoring, to prevent and detect threats and attacks Management (BCM) covered business impact analysis, from external parties. The audit identified findings in recovery and resumption planning, testing of the the areas of security standards, configuration of business continuity plans, plan maintenance, and network security devices, and the firewall review management reporting. The audit noted that the process. IAD provided specific recommendations for overall BCM program has been enhanced since IAD’s configuring security settings of network devices in FY08 audit (e.g., expanded scope of Business accordance with the industry best practices. Continuity Plans, enhanced recovery capabilities, increased involvement of the Board and Audit IAD’s audit of WBG Framework for Policies and Committee); however, further improvements in the Procedures focused on the overall policy architecture, areas of governance, risk assessment and testing were including the ownership of policies and procedures, needed to meet the complex demands of the World processes for the development of new and significant Bank Group. lAD recommended that the BCM revisions to existing policies and procedures, Program Office review the overall scope of the implementation processes, policy retirement and business continuity program and identify critical archiving. 
IAD recommended that Senior processes according to the WBG impact grading scale Management sponsor the development of a single and risk tolerance level. WBG Policy and Procedures Framework, taking into account the various initiatives underway. The IAD’s audit of the Management of WBG Offshored framework should establish the requirements and Corporate and Back Office Functions covered controls responsibilities for the development, approval, over administrative management, local disaster communication, implementation and review of all recovery and business continuity, crisis management policies and procedures. planning, safety and security, and local human resource management. IAD recommended that IAD’s audit of WBG Vendor Management covered the management continue to explore further adequacy of risk management, control, and opportunities for synergies and efficiencies, and governance processes of the management of WBG’s regularly perform a quantitative cost benefit vendors to support service excellence, cost control, assessment of the offshoring model. and risk mitigation throughout the contract lifecycle. Following a change in leadership, management had IAD’s audit of the Management of WBG Pension Plan self-identified important areas of enhancement and Investments indicated that controls are in place launched an initiative to strengthen procurement covering the areas of portfolio management, processes. Management had also initiated a “Vendor performance measurement and benchmarking, cash Management Project” to clean up the vendor master management, risk management, operations and file and to develop tools and processes in SAP for reporting. managing vendors through the procurement lifecycle. IADVP FY12 Annual Report I 16 Summary of Audit Results (continued) World Bank Group Audits (contd.) 
IAD’s audit of WBG Pension Plan Administration IAD’s audit of the WBG Management of Two-Factor covered roles and responsibilities, key controls in the Authentication covered systems such as webmail, pension cycle, and support operations. The results remote access, Summit, Client Connection and indicated that controls are in place for all significant administrator access to servers, databases, and pension processes including enrollments, network devices (i.e. firewalls and routers). WBG two- contributions, benefit calculations and payments, factor authentication provides one layer of a defense- terminations, retiree management, and other in-depth approach for a secure environment. The processes relevant to pension payments. audit noted that the management of two-factor authentication includes a number of good practices, IAD’s audit of WBG External Web and Social Media such as token provisioning, monitoring, secure covered key risks and controls across the WBG in the infrastructure, and help desk support. areas of external web governance, content management, and publishing, and the management of public social media channels such as blogs, Facebook, Twitter, Flickr, and YouTube. Staffing, processes, and technologies contributed to the successful implementation of the external web and social media program. 
IBRD/IDA Audits

IAD's audit of the Bank's Reserves Advisory and Management Program (RAMP) covered the institutional governance structure, program-level key performance indicators to track developmental impact, reporting to the Board, and the process for managing risks associated with development of proprietary software packages, for use by RAMP clients. Management implemented several changes, based partly on IAD's audit recommendations and partly on Treasury management's own observations. These included organizational changes to better manage the RAMP business; establishment of a committee for a stronger quality assurance process; and creation of an oversight body to strengthen fiduciary oversight of third-party client engagements.

IAD's audit of the Quality Assurance Process for Investment Lending Operations in IBRD/IDA focused on the effectiveness of the Bank's processes: (i) to provide project task teams timely feedback on quality throughout the project lifecycle; and, (ii) to produce timely and reliable information on operational quality to report to senior management. The Bank has a system to provide project task teams with timely feedback on the quality of Investment Lending projects, especially during the preparation stage. The audit results indicated that there is a need to better differentiate quality assurance from quality controls to clarify accountability for results. IAD also recommended that management develop a corporate methodology for capturing and aggregating information on operational quality.
IAD's audit of the Management of Procurement Risk for Bank-Funded Projects focused on: (i) assessment of procurement risks and the development of related action plans at the project level; and, (ii) reviews of the borrowers' procurement performance through "prior" and "post" procurement reviews and other supervision activities. The audit concluded that prior and post reviews of contracts for individual projects were carried out by properly accredited staff, according to project supervision plans, with close monitoring of delivery by the Regions. Issues identified in post reviews were also promptly followed up by project teams within a reasonable time frame. However, the implementation rate of the new institutional control tools was low. Procurement-related information systems were not integrated to support better risk monitoring and decision making. IAD recommended that management achieve full compliance with the usage of the new Procurement risk assessment tool and develop a common procurement dashboard to harmonize the integration of multiple systems across Regions.

IAD's audit of IBRD's Market Risk Management Process covered: (i) the governance structure; (ii) processes for setting market risk strategy, limits, policies and procedures; (iii) quality of risk measurements, assumptions, data inputs, and outputs; and, (iv) risk monitoring, reporting and compliance with established risk tolerance guidelines. The risk function (CFRMC) within the Corporate Finance and Risk Management (CFR) Vice Presidency had been working towards developing and expanding some of its own risk measurement and analytics capabilities. In order to further enhance CFRMC's ability to act as an independent risk assessment and measurement function, IAD made specific recommendations for more comprehensive and consistent execution of market risk stress testing and scenario analysis practices and for consolidating and updating policies and procedures.
IAD's audit of Bank Data Management noted that the Bank has focused substantial effort on instituting policies and practices to manage documents and records (unstructured data). However, the Bank did not have an enterprise-wide governance program to address the structured data needs across VPUs and relied heavily on manual processes to gather and consolidate data from disparate systems to meet business reporting needs. IAD recommended the development of an enterprise-wide governance program to address structured data needs across VPUs. IAD also recommended the formulation of a robust quality management program to drive data consistency and reliability as well as to monitor data integration and reporting activities.

IAD's audit of the Information Management and Technology Network (IMT) Strategy Implementation concluded that IMT efforts and investments are aligned with the principles and objectives of the IMT Strategy, and recognized the implementation of the Federated Operating Model as one of its most significant accomplishments. Previously decentralized IT organizations within the Vice Presidential Units (VPUs) have been consolidated into Line of Business Centers of Excellence to better realize opportunities of scale and efficiency. A new governance model has also been established to provide direct line-of-business management accountability for IMT investment priorities.

IAD's audit of the Bank's Server Virtualization reviewed the process of managing, securing and configuring virtualized servers. The results showed that the Bank's server virtualization approach is aligned with IMT's strategy of capacity building with a focus on the quality and efficiency of service delivery through institutional standards to improve speed, flexibility, security and cost effectiveness. Weaknesses were noted in the areas of hypervisor security hardening and monitoring, and the server provisioning process. IAD recommended that management align the server hardening procedures with the WBG Virtualization Security Standards, and implement risk based monitoring of the hypervisor layer.

IAD's audit of the Institutional Control Framework for Financial Activities of Country Offices in IBRD/IDA covered key controls in fourteen country offices across six regions and included a review of transaction testing by Controllers' (CTR) Assurance and Country Office Accounting Unit in Chennai, India. It was observed that the oversight by the Regional Chief Administrative Officers (CAOs) and CTR's real time compliance testing through on-site reviews are strengths of the current control framework. To further strengthen the control environment in country offices, IAD recommended better structured training for Country Managers (CM) and country Resource Management (RM) staff on financial activities.

IAD's objective in performing a follow-up review of the Bank's Regional Integration (RI) Projects in the Africa Region was to determine whether management has taken the necessary corrective actions to address control weaknesses identified in management's past reviews. The main areas analyzed included the strategic alignment of RI projects with Country Assistance Strategies (CASs); accountability arrangements, fiduciary and safeguard risk management; and, management information of RI projects. The audit results indicated that management recognized the distinctive operational challenges of RI projects and had developed an operations framework to meet the needs of RI projects.
IFC Audits

IAD's audit of IFC's Investments in Private Equity Funds found that the majority of individual investments in private equity funds were well managed. IAD recommended that IFC develop a corporate strategy for investing in private equity funds that encompasses all investment units, develop a system solution for the retrieval of information on private equity fund investments, and further define the content and extent of Integrity Due Diligence procedures.

IAD's audit of IFC's Process for Credit Risk Management noted that IFC conducted due diligence to identify and address potential credit risks, and also performed detailed ongoing operational portfolio reviews. However, monitoring of credit risk for IFC's portfolio was fragmented across the individual regions, and lacked a comprehensive credit risk directive that defined practices and procedures for portfolio management of credit risks. IAD recommended that IFC leverage existing policies and procedures to create and implement a comprehensive credit risk management directive, and define roles and responsibilities for comprehensive credit risk monitoring, oversight and reporting at the portfolio level.

IAD's audit of IFC's Structured Finance Operation noted that although individual projects were well managed, the operational framework for initiating, appraising, and supervising structured products was not well defined, largely due to the organic growth of the structured finance portfolio. IAD recommended that IFC develop specific procedures which cover all standard structured finance products, and disseminate knowledge of these procedures through appropriate training courses/materials.

IAD's audit of IFC's Asset and Liability Management Framework indicated that IFC follows a conservative risk management approach to protect the Corporation against interest rate and currency risk. The Corporation monitors aggregated risk on a daily basis, has instituted operational triggers for residual risk tolerance, and has defined clear roles and responsibilities for asset and liability management.

IAD's audit of IFC's Server Virtualization reviewed the process of managing, securing and configuring virtualized servers. IFC's server virtualization approach is aligned with management's mission to provide flexible, robust, and secure IT capabilities. The audit identified findings in the areas of: (i) trust zones within the virtual data center environment; (ii) management of the administrative account on the Hardware Management Console; (iii) hypervisor security hardening and monitoring; and, (iv) the server provisioning process. Management has a network segmentation project in progress, and will add specific security hardening procedures to its policies and procedures repository.

IAD's audit of IFC's Data Management noted that though IFC has made a significant effort to institute policies and practices to manage structured data, there is a need for greater coordination between the business and IT on data related initiatives. For unstructured data, IFC follows the policies and procedures defined by the Bank, and has implemented a document management repository to centrally store and manage the data. IAD recommended the development of an enterprise-wide governance and monitoring program to manage unstructured data.

IAD's audit of the Fund Management Operations of IFC Asset Management Company (AMC) reviewed the AMC's key controls related to governance and risk management practices, conflicts of interest management, client relations and fund raising, the investment process and compliance with fund investment criteria, monitoring of outsourced services, and IT services and applications. The audit noted that controls are aligned with leading industry practices. The AMC has a sound governance and oversight structure, experienced staff and managers, and monitors investment criteria in accordance with established legal agreements.

IAD's audit of IFC's Treasury Valuation Process noted that IFC had mature processes for liquid asset pricing and valuation. IAD recommended that important governance elements such as a valuation oversight committee, reporting processes and approved valuation directives be instituted formally.

IAD's audit of IFC's Profitability Measurement assessed the adequacy and effectiveness of the measurement methodology adopted by management, and the process used for calculating and monitoring profitability. The audit found that the successful implementation of the framework was driven by a consistent profitability measurement methodology, reliability of data inputs and central coordination at the corporate level to provide consistent guidance to Industry Departments. The audit also noted that the improvement of profitability measurement is an evolutionary process, and there will be a need for greater accountability and ownership of the profitability measures as the framework is developed.

MIGA Audits

IAD's Post-Implementation Review of the MIGA Guarantee System (MGS) covered important aspects of the implementation and roll-out of MGS including: (i) the alignment of MGS with the business needs; (ii) application level access controls; (iii) application-specific controls over inputs, processing, and outputs; (iv) end-user guidelines and reference materials for roll-out; (v) support and maintenance; and, (vi) system remediation processes. IAD made specific recommendations relating to incorporation of business process changes in system design, project management, data reliability, and resolution of system issues.

IAD's audit of MIGA's Portfolio Risk Monitoring and Reinsurance Processes reviewed the effectiveness and implementation of the controls within MIGA's portfolio risk monitoring and reinsurance process. The audit noted that MIGA continues to enhance its risk management framework consistent with the dynamic nature of its portfolio and evolving market environment. The main elements of the control framework include management oversight, effective risk measurement, regular reporting and monitoring, and adequate segregation of roles and responsibilities.

Controls Testing - ICFR

IAD tested key Internal Controls Over Financial Reporting (ICFR) for the Bank. This testing is to assist management in its assertions as to the reliability of financial reporting. Management determined that none of the issues identified in IAD's review constituted a material weakness. IAD provided several recommendations to management designed to maintain the stability of the IT control environment in the midst of significant operational changes, to enhance the delineation of roles and responsibilities in the execution of controls, and to implement more focused and risk based approaches for key controls.

In FY12, IFC and MIGA management took over testing for ICFR. IBRD/IDA management will take over the ICFR testing in FY13.

Going forward, IAD will incorporate ICFR in its universe of business processes subject to annual risk assessment.

Summary of Advisory Work

Advisory Reviews

In March 2010, the Board approved a new knowledge strategy, articulated in Transforming the Bank's Knowledge Agenda - A Framework for Action. One of the pillars of the new knowledge strategy was to manage IBRD/IDA's knowledge products as a portfolio to ensure greater impact by considering the synergies and trade-offs between different knowledge products. IAD performed an advisory review of the Bank's Knowledge Portfolio Management and recommended that management focus on the areas of clear authoritative leadership, development of detailed implementation plans, and clear definition of roles and responsibilities for the respective parties, which would better enable translation of the strategy into action.

IAD's advisory review of the SAP Upgrade Project found that the extensive SAP and project implementation experience of the system testers from both IMT and the business units, repetition of test scripts during the two user testing cycles, and the daily meetings that were held for defects escalation and resolution, were contributing factors towards the system going live as planned at the end of November 2011.

IAD's advisory review of the Bank's Portfolio Analytics Tool covered the robustness of the control environment and overall implementation approach, including adequacy of testing approach and user training. IAD provided specific recommendations to enhance the robustness of the tool, including developing comprehensive documentation of user requirements and automation of manual controls.

IAD's advisory review of IFC's Risk Management Process for Decentralized Investment Operations was conducted at a time of change when IFC was in the process of operationalizing its client-centric vision in its first Operations Center (OC) in Istanbul. Despite the changing environment, the risk management functions had made significant progress in reassigning and relocating resources from HQ to the field and had been successful in mitigating significant risks at the project level, consistent with the IFC Operational Procedures. As IFC further developed its OC model, IAD recommended the establishment of an integrated approach to risk management which would provide opportunities for better leverage of risk and control activities across functional boundaries (i.e., risk disciplines).

IAD's advisory review of ICSID's Case Management Process covered the design and management of the business process improvement project from a risk perspective, and the design of key controls in the new process of managing cases for arbitration. IAD recommended that management identify specific goals of its business process improvement project, implement measures to improve controls of its case management process, and also recommended closer coordination between the business process improvement project and the implementation of the case management system.

Methodology and Professional Practices

IAD's Risk Assessment Principles

The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing ("the Standards") emphasize top-down, risk-based planning consistent with the organization's goals, taking into consideration the input of Senior Management and the Board. Internal audit planning needs to make use of the organizational risk management process and consider the most significant risks of the organization in determining priorities for allocating internal audit resources (IIA Practice Advisory 2010).

IAD's risk assessment process is consistent with IIA standards. Figure 5 describes the principles on which IAD bases its annual risk assessment.

Figure 5: Principles for IAD's Risk Assessment

In accordance with IIA Standards, IAD establishes risk-based plans taking into account the World Bank Group's risk management framework. IAD's Annual Work Program draws on a top-down approach (Institutional Priorities; Management's view of risks) and a bottom-up approach (Results of IAD's prior audits; IAD's knowledge of risks & controls; Ongoing consultation with management).

Principles of Risk Assessment

1. Risk assessment is aligned to WBG strategy. The objective of the process is to identify and prioritize potential audit areas that pose the greatest risk to the WBG and could prevent it from achieving its goals and objectives.
2. IAD's focus is on high-rated risks. The approach undertaken recognizes that audit resources are limited, which prohibits 100% coverage of all areas each year. The limiting factor is inherent in the concept of utilizing a risk assessment model to help prioritize audits.
3. IAD must evaluate the effectiveness, and contribute to the improvement, of WBG's risk management processes.
4. In addition to engaging with key stakeholders, risk coverage is coordinated with other oversight units. IAD has ongoing collaboration and information sharing with INT and IEG.
5. Risk assessment is a continuous activity. When changes occur and risks shift, IAD adjusts its Work Program to stay aligned.
6. Professional judgment is an important component of the risk assessment process. The quantitative and qualitative factors used to evaluate and prioritize risks are periodically evaluated in order to ensure relevance in the risk assessment process.

Institutional Risk Management Processes

IAD participates in an ongoing dialogue with its stakeholders to understand emerging risk areas and areas of priority. IAD also engages closely with the institutional risk management, oversight units, and the External Auditors (KPMG) throughout the year, both at a strategic level, and during the course of planning and execution of its Work Program. This ongoing collaboration is a significant component of IAD's overall risk assessment approach, and helps IAD contribute to the improvement of WBG's risk management processes.

Control issues identified during IAD's audits are mapped to relevant IRMR risk areas and clusters, to enable aggregation and analysis of control themes at the institutional level. The linkage of the audit results to the underlying risk dimensions is reflected in IAD's Quarterly Results Reports.

Figure 6 provides a snapshot of the distribution of IAD's FY11 and FY12 control observations by the WBG IRMR risk areas and clusters.

Figure 6: Distribution of IAD's FY11 and FY12 Control Observations by WBG Risk Taxonomy [chart; axes: WBG Risk Taxonomies; Percentage of IAD's FY11 and FY12 Audit Observations]

IAD's Follow-Up Process

During FY12, IAD has continued to strengthen its follow-up process, with the support of the Audit Committee and Senior Management. Specifically, IAD has helped contribute to a culture of accountability, by:

- independently validating the robustness of the action plans formulated by management to address the issues identified in IAD's reviews;
- vetting the reasonableness of the implementation timeline established by management for resolution of audit issues;
- providing more granular information to Management and the Audit Committee on overdue issues, for example, presenting information on overdue issues, broken out by WBG entity, to better reflect the responsiveness of individual WBG entities in addressing outstanding issues; and
- flagging specific issues for Senior Management and Audit Committee attention, where enough progress has not been made with respect to implementation of agreed actions.

IAD's follow-up process is described in Figure 7 below.
Figure 7: IAD’s Follow-Up Process 1 Develop action plans 2 Implement action plan 3 Follow-up on action plans 4 Validate action plan completion Report 5 5 overdue actions  Management is  Management  IAD engages  IAD validates the  IAD regularly reports responsible for the implements the closely with completed actions by the status of all development of agreed actions with a management to reviewing the overdue actions, by specific and time- view to achieving follow-up on all evidence provided by WBG entity, to bound action plans timely closure of the the issues as management and by Management and the to address the issues. and when the undertaking Audit Committee. issues identified by implementation additional testing, IAD. of the agreed where necessary, to actions, falls form an independent  IAD works closely due. view on the with management effectiveness of the to validate the completed actions. robustness of the action plans, and the reasonableness of the timeline for implementation. IADVP FY12 Annual Report I 26 Methodology and Professional Practices (continued) Coordination with WBG Oversight Units Throughout the year, IAD participates in a dialogue IIA Standard 2050– with the other oversight units to understand areas of Coordination concern as well as to discuss results of work performed; and uses this information as an input to its The Chief Audit Executive should share information risk assessment. and coordinate activities with other internal and external providers of assurance and consulting During FY12, a Working Group comprising senior staff services to ensure proper coverage and minimize of IAD, INT, and IEG, was established with the duplication of efforts.​ objective of increasing collaboration and coordination. 
The principals of IAD, INT and IEG signed the ‘Terms of  IAD considered IEG’s work during the planning Reference’ for the Working Group, which is and scoping of the Follow-up Review of the responsible for jointly: (i) identifying scoping/Work Regional Integration Projects in the Africa Program enhancements; (ii) sharing insights gained on Region. emerging institutional risks; (iii) enhancing breadth and depth of collective oversight coverage; and, (iv)  IAD referenced IEG’s report on the “Matrix discussing lessons learned and leading practices. System at Work”, in which IEG evaluated the linkage between the Bank's matrix structure and IAD engages with IEG to identify key risk themes its operational quality, and exchanged emanating from ongoing IEG reviews as well as preliminary findings, in the audit of the Quality opportunities for scoping/Work Program Assurance Process for Investment Lending improvements. IAD also systematically engages with Operations in IBRD/IDA. INT to exchange information on operational and fiduciary processes. Examples of such coordination  IAD engaged with INT during the planning and during the execution of the FY12 Work Program execution of its audit of the Institutional Control include: Framework for Financial Activities of Country Offices, taking into consideration the internal  IAD engaged with both INT and IEG during all control weaknesses identified. stages of the audit of the Management of Procurement Risk for Bank-funded Projects. Benchmarking and Sharing Best Practices IAD routinely benchmarks its processes and methodologies with leading practices, and shares best practices with other MDBs and peer groups. IAD participates in a number of global internal audit best practice studies, including those conducted by the Institute of Internal Auditors (IIA) - the Chief Audit Executive (CAE) Roundtable Survey and the Global Audit Information Network (GAIN) benchmarking study. 
IAD also participates in peer group discussions with the Audit Director Roundtable (ADR) of the Corporate Executive Board (CEB) and the Representatives of the Internal Audit Services of the United Nations Organizations and Multilateral Financial Institutions (UN RIAS). IADVP FY12 Annual Report I 27 Methodology and Professional Practices (continued) Organizational Independence IIA Standards on Organizational Independence (Standard IIA Standard 1110 – 1110) requires that the Chief Audit Executive must Organizational confirm to the Board, at least annually, the Independence organizational independence of the internal audit The Chief Audit Executive must report to a level activity. within the organization that allows the internal audit activity to fulfill its responsibilities. The Chief Audit IAD reports to the President and is under the oversight Executive must confirm to the Board, at least of the Audit Committee, acting on behalf of the Board. annually, the organizational independence of the The Audit Committee is responsible for the review of internal audit activity. IAD’s Terms of Reference, Annual Work Program and the results of IAD’s work. In addition, the Vice President and Auditor General has free and unrestricted access to the This reporting relationship has permitted appropriate Board through the Audit Committee. organizational independence for IAD to fulfill its professional responsibilities. Staffing and Budget IAD’s total (full time equivalent) staffing remains relatively unchanged from prior years. In FY12, IAD had a budget of $12.2 million, and total expenditures of $11.7 million, representing 96% of the budget. IADVP FY12 Annual Report I 28 Appendix A: IAD Reports issued in FY12 FY12 WBG Engagements (covering processes across IBRD/IDA, IFC & MIGA) No. Entity Engagement Title Report No. 
Date Issued Audit of World Bank Group (WBG) Business Continuity 1-Sep-11 1 WBG WBG FY12-01 Management Audit of the Management of World Bank Group (WBG) 2 WBG WBG FY12-02 20-Dec-11 Offshored Corporate and Back Office Functions Audit of World Bank Group (WBG) Management of Two-Factor 3 WBG WBG FY12-03 21-Dec-11 Authentication Audit of World Bank Group (WBG) Framework for Policies and 4 WBG WBG FY12-04 20-Jan-12 Procedures 5 WBG Audit of World Bank Group (WBG) Network Perimeter Security WBG FY12-05 18-Apr-12 Audit of the World Bank Group (WBG) Pension Plan 6 WBG WBG FY12-06 11-Apr-12 Investments Audit of the Management of World Bank Group (WBG) 7 WBG WBG-FY12-07 11-Jul-12 Vendors Audit of the World Bank Group (WBG) Pension Plan 8 WBG WBG FY12-08 26-Jun-12 Administration Audit of World Bank Group (WBG) External Web and Social 9 WBG WBG FY12-09 13-Jul-12 Media IADVP FY12 Annual Report I 29 Appendix A: IAD Reports issued in FY12 (continued) FY12 IBRD/IDA Engagements No. Entity Engagement Title Report No. 
Date Issued FY11 Testing of Bank's Disclosure Controls and Procedures over 1 IBRD/IDA Controls Testing 1-Aug-11 External Financial Reporting FY11 Testing of Bank's Internal Controls over External Financial 2 IBRD/IDA Controls Testing 1-Aug-11 Reporting 3 IBRD/IDA Advisory Review of Bank Knowledge Portfolio Management IBRD FY12-01 24-Oct-11 Audit of the Institutional Control Framework for Financial 4 IBRD/IDA IBRD FY12-02 22-Dec-11 Activities of Country Offices 5 IBRD/IDA Advisory Review of the SAP Upgrade Project IBRD FY12-03 4-Jan-12 6 IBRD/IDA Audit of IBRD’s Market Risk Management Process IBRD FY12-04 23-Jan-12 7 IBRD/IDA Advisory Review of Portfolio Analytics Tool: Version 2 (PAT II) IBRD FY12-05 1-Feb-12 Audit of the Reserves Advisory and Management Program 8 IBRD/IDA IBRD FY12-06 6-Feb-12 (RAMP) 9 IBRD/IDA Audit of the Bank's Server Virtualization IBRD FY12-08 08-Jun-12 Audit of the Quality Assurance Process for Investment Lending 10 IBRD/IDA IBRD FY12-09 02-Jul-12 Operations in IBRD/IDA Follow-up Review of the Regional Integration Projects in the 11 IBRD/IDA IBRD FY12-10 12-Jul-12 Africa Region Audit of the Management of Procurement Risk for Bank- 12 IBRD/IDA IBRD FY12-11 16-Jul-12 Funded Projects 13 IBRD/IDA Audit of World Bank Data Management IBRD FY12-12 13-Jul-12 Audit of Information Management and Technology (IMT) 14 IBRD/IDA IBRD-FY12-13 13-Jul-12 Strategy Implementation FY12 ICSID Engagements No. Entity Engagement Title Report No. Date Issued 1 IBRD/IDA Advisory Review of ICSID's Case Management Process IBRD FY12-07 19-Apr-12 IADVP FY12 Annual Report I 30 Appendix A: IAD Reports issued in FY12 (continued) FY12 IFC Engagements No. Entity Engagement Title Report No. 
Date Issued FY11 Testing of IFC's Internal Controls over External Financial 1 IFC Controls Testing 9-Aug-11 Reporting Advisory Review of IFC’s Risk Management Process for 2 IFC IFC FY12-01 12-Dec-11 Decentralized Investment Operations 3 IFC Audit of IFC's Investments in Private Equity Funds IFC FY12-02 2-Feb-12 4 IFC Audit of IFC’s Process for Credit Risk Management IFC FY12-03 8-Mar-12 5 IFC Audit of IFC's Structured Finance Operation IFC FY12-04 14-Mar-12 6 IFC Audit of IFC’s Asset and Liability Management Framework IFC FY12-05 23-Apr-12 7 IFC Audit of IFC’s Treasury Valuation Process IFC FY12-06 30-Apr-12 Audit of the Fund Management Operations of IFC Asset 8 IFC IFC FY12-07 11-Jun-12 Management Company (AMC), LLC 9 IFC Audit of IFC's Server Virtualization IFC FY12-08 25-Jun-12 10 IFC Audit of IFC's Profitability Measurement IFC FY12-09 11-Jul-12 11 IFC Audit of IFC Data Management IFC FY12-10 13-Jul-12 FY12 MIGA Engagements No. Entity Engagement Title Report No. Date Issued FY11 Testing of MIGA's Internal Controls over External Financial 1 MIGA Controls Testing 12-Aug-11 Reporting 2 MIGA Post-Implementation Review of the MIGA Guarantee System MIGA FY12-01 19-Jan-12 Audit of MIGA’s Portfolio Risk Monitoring and Reinsurance 3 MIGA MIGA FY12-02 11-Jul-12 Processes IADVP FY12 Annual Report I 31