Foreword
IAD at a Glance
Work Program Overview
Executive Commentary
Issue Follow-up
How We Deliver
Annex 1: Fiscal Year 2018 Engagement Summaries
Annex 2: IAD’s Coverage in Fiscal Years 2016-2018

Cover photo © World Bank / Sarah Farhat

About

Terminology

The World Bank Group (WBG) comprises five institutions: the International Bank for Reconstruction and Development (IBRD), the International Development Association (IDA), the International Finance Corporation (IFC), the Multilateral Investment Guarantee Agency (MIGA), and the International Centre for Settlement of Investment Disputes (ICSID). In the context of this report, WBG institutions refers to IBRD, IDA, IFC, and MIGA. The Bank refers to IBRD and IDA.

For More Information

worldbank.org/internalaudit

Fiscal Year 2018 (FY18) saw continued focus by the World Bank Group (WBG) institutions on the implementation of the strategy articulated in the “Forward Look,” which stands on four pillars: serving all clients, creating markets, leading on global issues, and improving the business model. In an increasingly complex global environment, with dynamically changing risks and the evolution of new models for development, the WBG institutions continue to push to become more nimble, innovative, and financially sustainable.

In this context, the relevance and need for the independent and objective assurance and advisory services of the Internal Audit Vice Presidency (IAD) continues to grow. In FY18, positioning itself as a trusted advisor to the Board and management, IAD sought to cover the key priorities and challenges faced by the WBG through a range of engagements in areas of strategic importance and risk, with a focus on providing forward-looking insights.

This annual report presents the perspectives and insights gained by IAD during the delivery of its work program covering WBG’s governance, risk management, and controls. It also summarizes the work carried out in FY18, and provides updates on the key features of IAD’s internal audit practices.

In FY18, IAD completed 25 assurance and advisory engagements that covered the status of risks and controls in the WBG institutions’ implementation of corporate strategies, developmental operations, corporate and administrative activities, and information technology and data management.

The key themes emerging from IAD’s work were efficiency, value for money, collaboration among the WBG institutions, and addressing emerging risks. IAD noted the need to continue building and strengthening a culture of continuous improvement in WBG institutions to strengthen their ability to quickly respond to changing market and stakeholder needs. IAD also brought emerging risks, including legal and regulatory risks and data management risks, to management’s attention, while encouraging management to continue to build on the progress made in managing environmental and social risks.

On stakeholder engagement, IAD continued to enhance its communication with the Audit Committee and management at various levels to enable us to anticipate and focus on emerging organizational and Board priorities. IAD also augmented its coordination with other oversight functions to build complementarity and avoid overlaps, and continued its outreach and partnerships with business units. IAD also engaged with other development partner organizations and the Institute of Internal Auditors, with a view to sharing knowledge and contributing to the growth of the internal audit profession.

In seeking to continually improve operations within IAD, we further strengthened our structured learning program to sharpen business acumen and data analytics skills of staff, and introduced process improvements to both shorten our engagement review and decision cycle and increase our delivery capacity.

Overall, I believe that IAD made strong contributions to strengthen the governance and risk management of the WBG in FY18, and is well positioned to support the WBG’s efforts to operationalize the “Forward look” over the coming years. I would like to express our sincere appreciation to Hiroshi Naka, who left the position of Vice President and Auditor General at the beginning of FY19. The vision and direction of IAD over the last few years, as well as the entire FY18 work program, was delivered under Hiroshi’s leadership, and we truly appreciate his efforts in guiding IAD to attain new heights of professionalism and quality in our work, and instilling in IAD a commitment to continuous improvement.

Yuko Keicho
Acting Vice President and Auditor General

Overview

The Internal Audit Vice Presidency (IAD) is an independent and objective assurance function that aims to add value to the World Bank Group (WBG). The engagements undertaken by IAD assess whether there is reasonable assurance that:
• Risks are appropriately identified and managed;
• Governance issues impacting the WBG entities are recognized and addressed appropriately;
• Significant financial, managerial, and operating information is accurate, reliable, and timely;
• Institutional policies and procedures are complied with;
• Resources are acquired economically and used efficiently;
• Quality and continuous improvement are fostered; and
• Institutional assets (physical and intellectual), records and data are safeguarded.

IAD’s mandate includes raising awareness of risks and controls, providing advice to management and the Board in the development of control solutions, and monitoring the implementation of management’s actions to mitigate risks. IAD also plays a key role in fostering conversations with the Board and Senior Management on risk management, institutional risk appetite and controls.

To articulate IAD’s value proposition, IAD developed its Vision and Strategy in FY15 (see graphic below).
In FY18, IAD continued with its implementation of the five Strategic Pillars, which enable IAD to achieve its vision of providing risk-based assurance and insightful, proactive, and future-focused advice.

• Align internal audit activity with institutional strategic priorities to address most significant risks
• Provide upstream input and advice on emerging risks and new initiatives
• Provide timely post-implementation feedback
• Encourage management to take effective and timely action through IAD’s follow-up process
• Strengthen management’s ability to manage and monitor risks and learn from experience

Reporting and Oversight

IAD reports to the President and is under the oversight of the Audit Committee. The Audit Committee reviews:
• The selection and removal of the Auditor General
• IAD’s Terms of Reference (TOR), recommending it to the Board for approval
• IAD’s Annual Risk Assessment and Work Program, recommending it to the Board for approval
• The results of IAD’s work covering operations and compliance with key provisions of IBRD/IDA, IFC and MIGA’s charters and policies
• The overall effectiveness of IAD

On an ongoing basis, but at least quarterly, IAD briefs and updates the President and the Audit Committee on engagement outcomes and the progress of management action plans to improve the operations of the WBG institutions. IAD also briefs the Audit Committee on any changes to the work program that may occur as a result of emerging risks, significant changes to the business, or requests from management for IAD advice.

© World Bank / Sarah Farhat

Types of Engagements

IAD performs two types of engagements in carrying out its work: assurance and advisory. The selection of the engagement type is based on the maturity of the process to be reviewed and on stakeholder needs.
• Assurance: provide management and the Audit Committee with an independent assessment of existing risk management, control, and governance processes. IAD usually requires action plans for issues identified and monitors the implementation of those plans by management through to closure. In addition, verification of management actions that were committed to stakeholders is also classified as an assurance engagement.
• Advisory: offer advice to management without IAD assuming management responsibility. This is performed before or at the beginning of the roll-out of new initiatives to provide input on the design of controls to management. As advisory engagements are similar to consulting, IAD does not require action plans for such reviews.

IAD’s FY18 work program was designed to focus on the most significant risks for the WBG institutions, consistent with the industry professional practice standards. It sought to provide coverage of core operational processes, corporate and administrative areas, and information technology.

During FY18, IAD completed 25 assurance and advisory engagements, covering WBG, IBRD/IDA, IFC, and MIGA processes and activities. Details of each of IAD’s FY18 engagements are provided in Annex 1. A breakdown of these engagements by entity and type is presented below.

By type: Assurance, 76%; Advisory, 24%
By entity: IBRD/IDA, 44%; WBG, 36%; IFC, 16%; MIGA, 4%

Alignment with Risk Domains

IAD’s work program is aligned with the strategic priorities of the WBG institutions, with particular attention on the most significant risks. The work program is based on IAD’s risk assessment, which is based on discussions with the Audit Committee members, management and operational staff, consultation with other oversight units, and IAD’s independent and professional judgement derived from IAD’s past engagements. Details of IAD’s coverage in FY16–18 are provided in Annex 2.

To enable a clear view of the risk coverage of IAD’s work, IAD utilizes 14 risk domains to conduct its risk assessment. The table below presents the 14 risk domains and the number of engagements for each in FY16, FY17 and FY18.
Number of Engagements (World Bank Group Institutions)

Coverage Area | Risk Domain | FY18 | FY17 | FY16
Strategic Planning, Management and Change | Strategy Implementation and Change Management | 2 | 3 | 1
Strategic Planning, Management and Change | Business Planning and Budgeting | - | 1 | 2
Development Operations | Delivery of Operational Products and Services | 4 | 4 | 2
Development Operations | Environmental and Social Risk | 1 | 1 | -
Development Operations | Fiduciary Risk | - | 1 | 1
Development Operations | Integrity Risk | 2 | 1 | 1
Development Operations | Management of External Funds | - | 1 | 1
Corporate and Administrative Management | Stakeholder Engagement and Financial Reporting | - | 1 | 4
Corporate and Administrative Management | Financial Risk | 3 | 1 | 1
Corporate and Administrative Management | Human Resource Management | 1 | 1 | 3
Corporate and Administrative Management | Corporate and Administrative Areas | 7 | 1 | -
Corporate and Administrative Management | Physical Disruptions and Business Disruptions | - | 1 | 3
IT and Data | Information Technology and Information Security | 4 | 7 | 4
IT and Data | Knowledge and Data Management | 1 | - | 4

Alignment with WBG Priorities

In September 2016, WBG introduced its vision 2030 called the Forward Look. The objective of the Forward Look is to shape a common view among shareholders on how the WBG can best support the development agenda for 2030, while staying focused on its own corporate goals of eradicating extreme poverty and ensuring shared prosperity in a sustainable manner (Twin Goals). The Forward Look describes how the WBG will deliver on the Twin Goals and its three priorities of sustainable and inclusive growth, investment in human capital, and strengthening resilience to global shocks and threats, while supporting the 2030 development agenda and the Sustainable Development Goals (SDGs).

The Forward Look rests on four pillars (presented below): serving all clients; creating markets, maximizing finance for development, and expanding the use of private sector solutions; leading on global issues; and improving the business model.
A better and stronger WBG
One WBG… with
Two goals: Eradicate extreme poverty and build shared prosperity
Three priorities: Sustainable and inclusive growth, human capital, resilience
Four ways to get there: Serve all clients, maximize finance for development, lead on global issues, and improve the business model

Four Forward Look Pillars
• Serving all clients
• Creating markets
• Leading on global issues
• Improving the business model

IAD’s work program is developed to align with the WBG’s strategic priorities and this is elaborated in the following pages.

IAD aligns its engagements with the WBG’s strategic priorities as well as the WBG’s efficiency and financial sustainability imperatives, and this is illustrated below for the FY18 work program.

IAD FY18 engagements classified by priorities

Serving all clients/Creating markets
• IFC’s Use of Blended Finance in Operations
• Bank’s Process for Managing Advisory Services and Analytics (ASA) Activities
• Bank’s Implementation of the Uganda Transport Sector Development Project (Additional Financing): Lessons Learned and Agenda for Action

Leading on global issues
• IAD covered climate in FY17 and will be covering gender and FCV in the coming years. The FY18 work program did not have any coverage under this theme.

Improving the business model
• Bank’s Implementation of the Agile Approach
• Implementation of SORT in Supporting Operational Decision-Making
• WBG's Approach to Managing the Contingent Workforce
• Bank's Management of Legal Risks Related to Country Office Administration
• WBG’s Corporate Procurement Processes
• IFC's Management of Data Access and Protection
• Bank’s Anti-Money Laundering and Countering the Financing of Terrorism Program
• Use of Offshore Financial Centers in WBG Private Sector Operations

Improving WBG efficiency/Ensuring adequate financial capacity
• WBG’s Completion of the Expenditure Review Initiative
• IBRD and IFC’s Management of the Liquid Asset Portfolio
• IFC's Use of Derivatives in Managing Market Risks in the Debt Portfolio
• Creation of Fund Centers and Impact on Business Performance Reporting
• Oversight of Administrative Expenses Managed by Bank’s Country Offices
• MIGA’s Management of Reinsurance Counterparty Risk
• Management of Shared Service Agreements (SSAs) among WBG Institutions

Relevance of IAD’s work on selected engagements
• IAD covered IFC’s framework for managing Blended Finance that has been in place since 2011. This has relevance to the new innovative products such as the IDA-PSW that are being rolled out to help create markets
• IAD reviewed the status of the recently implemented reforms that sought to enhance selectivity in ASA activities. ASA serves to strengthen client and market capacity
• With the imperative for the WBG to become nimbler in responding to changing market needs, IAD provided forward looking advice to management to help accelerate the adoption of the Agile approach
• As WBG’s need for operational flexibility drives the increased use of a contingent workforce, IAD’s engagement covered the recent reforms in this area
• IAD has covered the completion of the expenditure review to provide timely assurance to address the increasing expectations of efficiency from shareholders
• IAD provided advice based on industry practices to the WBG institutions to help foster a shared understanding of expectations and obligations when operating shared services

The Executive Commentary provides IAD’s reflections on governance, risk management and internal controls of the World Bank Group (WBG) institutions with a focus on their progress in implementing the key priorities.
The commentary is not exhaustive in content but rather selective, and draws on the results of IAD’s audits and advisory engagements, observations of corporate events, and continuous dialogue with Senior Management and the Audit Committee. The commentary is designed to be forward-looking and constructive with the intention of helping to accelerate the achievement of the WBG goals.

© World Bank / Visitor Center

Key Messages

In FY18, the WBG institutions consolidated their collective public and private sector capabilities to address development challenges under the Maximizing Finance for Development (MFD) agenda. Recognizing the need to build synergies among WBG institutions for creating markets, management accelerated the application of new financing approaches such as Blended Finance (BF) and the IDA-Private Sector Window (PSW). The delivery of the Bank’s Advisory Services and Analytics (ASA) was strengthened, and processes for the collection and dissemination of development data were established. Looking forward, management needs to:
• Deepen inter-institutional collaboration and continue to strengthen its product innovation to promote private sector participation in development financing and market creation;
• Invest in development data collection and management, and share knowledge with clients to support the achievement of the Sustainable Development Goals; and
• Apply lessons from experience in project implementation to improve the management of environmental and social (E&S) risk, particularly in environments with Fragility, Conflict and Violence (FCV).

The push for innovation in development, combined with rapid changes in the business environment, has necessitated the drive towards a more informed and holistic approach to risk management. The WBG institutions have progressively strengthened risk management oversight through active risk discussions at Senior Management fora, increased attention to establishing a risk appetite as a basis to inform risk management practices, and improved reporting to the Board, with a view to creating a shared understanding of risks both between the institutions, and across all levels of management. Looking forward, management needs to:
• Embed risk conversations in the organizational culture: Defining a risk appetite, which entails both development and financial considerations, to promote informed decision making;
• Understand the ‘big picture’ through aggregate risk monitoring and reporting: Sharing risk information between business units, across WBG institutions, and with the Board to build alignment of expectations on new approaches of doing business; and
• Understand emerging risks to better prepare for the future: Anticipating and responding quickly to emerging risks such as legal and regulatory risks, cyber security risks and data management risks.

Recognizing that the ability of the WBG institutions to effectively address development challenges hinges on the strength of its financial sustainability, the WBG institutions successfully completed the Expenditure Review, significantly reducing the cost base of the organization and freeing up resources to be channeled to areas of strategic priority. Reforms in corporate procurement have advanced “value for money” as a key principle; and a deep-dive analysis of shared service agreements among WBG institutions was undertaken to improve both the quality and efficiency of such services. Capital investment governance processes have also been enhanced to ensure resource alignment with corporate priorities. Looking forward, management needs to prioritize the following:
• Embed efficiency into all business processes;
• Improve Value for Money / Strategic approach to capital investments; and
• Use technology to maximize efficiency.

For successful implementation of these actions, a strong organizational culture of continuous improvement is imperative. Management’s strong push for the “Agile” initiative is laying the foundation for creating such a culture. Going forward, building strong institution-wide feedback loops, measuring progress with indicators, and benchmarking with leading practices will support this effort. Empowering staff to push for improvements will help make continuous improvement a part of the organizational culture.

Development Agenda

WBG has increased its commitment to Maximizing Finance for Development (MFD), which seeks to prioritize leveraging the private sector and optimizing the use of scarce public resources. This will require concerted action on a number of fronts including integrated product offerings, innovative financial and technical solutions, effective stakeholder management, and improved data management and dissemination. At the same time, WBG institutions need to continue learning from project experience to inform the safeguarding of environmental and social values in high-risk environments.
Addressing client needs with integrated solutions

To address the development challenges facing our client countries, the WBG strategy focuses on providing comprehensive integrated solutions, encompassing both public and private sector participation. As a key component of this strategy, management of the Bank and IFC created two “Joint Global Practices” in July 2014, with a goal to integrate advisory services from both institutions. In FY17, IAD reviewed the implementation of this joint operating model in its Audit of Management’s Processes for Integrating Select IFC/Bank Advisory Services, and highlighted both progress and obstacles.

In FY18, through our continued follow-up on implementation, we observed a management evolution from an organizational jointness model to a strategic collaboration model with sharper accountability for funding and results. The collaboration is built around the WBG Country Partnership Framework and the recently introduced Country Private Sector Diagnostics.

Management has taken these steps based on the learning from the implementation of the original plan. Even as course correction is essential, the effectiveness of the new model will need to be closely monitored and adjusted to enable the desired collaboration. The experience of the Joint Global Practices can also serve as a valuable lesson to inform the ongoing efforts of collaboration across the WBG institutions. IAD will continue to review management efforts to foster collaboration in its FY19 review on the Cascade Approach.

Supporting the creation of markets

One of the new financing approaches being deployed to support the creation of markets is IFC’s Blended Finance (BF). BF combines concessional funding provided by development partners with commercial funding provided by IFC and other investors. BF solutions seek to provide financial support to high-impact projects that would not attract funding on strictly commercial terms because the risks are considered too high and the returns are either unproven or not commensurate with the level of risk.

In its FY18 Audit of IFC’s Use of Blended Finance, IAD confirmed that IFC has a robust framework to manage investments using BF. To further improve stakeholders’ comfort on this new approach, management should strengthen the periodic reports to stakeholders on the financial performance and development impact of the projects funded with BF.

IAD will continue to review the WBG’s operations for creating markets through its audit of the IDA-Private Sector Window (PSW) in FY19.

Strengthening development data and knowledge

The Addis Ababa Agenda for Financing for Development has emphasized the need for reliable data, as an essential input for smart and transparent decision making by countries and development partners. In FY18, management set a financing framework for the ongoing funding of development data activities and formalized the operational policy framework for data collection and production. This is a significant step in strengthening WBG’s capacity for the collection of development data and the production of indices to report on the WBG’s development goals. This area should continue to receive management attention as an essential element towards the achievement of the Sustainable Development Goals (SDGs).

On the Bank’s knowledge offerings to clients, IAD, in the Audit of the Bank’s Process for Managing Advisory Services and Analytics (ASA) Activities, observed significant improvements in selectivity, planning and supervision of ASA projects following the previous audit in FY15. At the same time, continued efforts are needed for early resolution of problems in the delivery lifecycle and better programming of ASA activities through the Institutional Work Program Agreement Process.

Augmenting practices to protect environmental and social values

Recent experiences from project implementation have highlighted the significant vulnerability of local communities to infrastructure projects, including the increased risk of gender-based violence. In response to these events, management identified the key factors in the WBG project cycle that have contributed to project failures in the past. Based on this analysis, management developed a detailed set of actions to strengthen oversight of environmental and social (E&S) risk management of projects in high-risk environments. These actions were in response to IAD’s audit on this topic in FY16.

To provide independent assessment of this effort, IAD reviewed the Bank’s Implementation of the Uganda Transport Sector Development Project (Additional Financing): Lessons Learned and Agenda for Action in FY18. The engagement confirmed that management has substantially implemented the corporate-level actions. As a reminder to management, the engagement also emphasized the importance of maintaining up-to-date relevant guidance and providing timely training, to ensure that staff and clients have adequate capability to identify, assess, and respond to E&S risks in projects.

As the Bank moves forward with the implementation of the new Environmental and Social Framework (ESF), it will be important to continue to strengthen the feedback and learning from the ESF implementation across all projects, beyond just problem projects. This is particularly needed for operations in FCV environments that face more unknown factors than other environments. IAD views E&S risk as a vital area for its ongoing coverage and will review the Bank’s Grievance Redress Service in FY19.

© World Bank / Heather Elliot

Risk Management

The changing business landscape and the current WBG business model place greater emphasis on a more informed approach to risk management.
It will therefore be important that risk management at the WBG is grounded on a framework that includes an intentional assumption of risk based on an institutional risk appetite, an aggregated view of enterprise risks, and anticipation of and preparation for emerging risks.

Embedding risk conversations in the organizational culture

A noteworthy trend within the WBG in FY18 was the increased attention to risk in conversations at both Board and Senior Management levels. The Board actively discussed the arrangements for its risk oversight. Senior Management considered overall enterprise risk management as well as the approaches to specific types of risks through discussions at multiple Senior Management fora. This dialogue is helping to build a shared understanding of significant risks across the WBG institutions.

In order for the WBG institutions to take decisive, concerted actions in a complex and evolving business environment, it is important to be clear about risk appetite and acceptance, and the governance mechanisms to communicate such decisions across the institutions. This is particularly important as the WBG institutions need to work together to implement key strategic initiatives such as IDA-PSW and MFD.

IAD has been playing a key role in promoting risk appetite conversations within the WBG institutions through its ongoing dialogue with management and the Board, and through specific engagements. In the Audit of IFC’s Management of the Liquid Asset Portfolio, IAD urged management to conclude the ongoing discussion and adopt a risk appetite statement to guide effective decision making on liquid asset management.

While defining risk appetite is relatively easy for financial activities, it is not straightforward for non-financial activities such as development operations, especially given an evolving strategic context. Reviewing and reflecting on risk decisions made in the past, and the lessons learned, can provide valuable insights to help inform the organization’s risk-taking preferences going forward.

Understanding the ‘big picture’ through aggregate risk monitoring and reporting

Complete, accurate, and timely recording and aggregating of risks, and their reporting, is a foundation for effective risk management. A challenge in risk reporting arises when risks are managed in silos. This was highlighted in the Advisory Review of IFC's Use of Derivatives in Managing Market Risks in the Debt Portfolio, where IAD noted opportunities for IFC management to strengthen operational coordination, information sharing, and integrated reporting, as well as establish periodic reviews of the framework and practices for using derivatives for portfolio risk management.

In IAD’s Audit of the Implementation of the Systematic Operational Risk-rating Tool (SORT) in Supporting Operational Decision-Making, IAD noted that SORT has become a useful tool in the Bank to capture risks, inform decisions on projects, and present an aggregated view of risks across the portfolio. Enhanced utilization of the tool at the project implementation stage as well as in management reporting to the Board will further strengthen the oversight of risks in operations. At the corporate level, the Board and management have worked together to strengthen and synthesize management’s risk reporting to the Board, which is a positive development in strengthening the overall risk management of the WBG institutions.

Understanding emerging risks to better prepare for the future

The changing business dynamics surrounding multilateral organizations, coupled with the rapid technological advancement, will present new and emerging risks that will require management anticipation and response.

Legal and regulatory risks: Even as the WBG institutions are protected by privileges and immunities, new regulations may indirectly affect WBG operations by imposing restrictions on key third party partners. While this is a long-standing issue, such legal and regulatory risks may be increasing in this inter-connected world. The WBG institutions are implementing a comprehensive framework for protecting personal data used in every aspect of their activities. This effort is partly in response to the growing regulatory requirements on data privacy including the European Union’s General Data Protection Regulations (GDPR). It is vital for the WBG to support its business partners in their efforts to comply with these emerging regulations, which many of them are subject to.

Global standards on tax evasion are also evolving as seen with the OECD's Base Erosion and Profit Shifting (BEPS) action plan and the Addis Tax Initiative. IAD’s Audit of the Use of Offshore Financial Centers (OFC) in WBG Private Sector Operations in FY18 confirmed the satisfactory implementation of the WBG’s existing OFC policy by IFC and MIGA while suggesting the need for the Bank to assess the relevance of the policy to its operations, given the growing involvement with private sector entities.

IAD noted the initial steps being taken by management to track emerging international developments on preventing tax evasion. It will be important for management to continue to upgrade institutional approaches to align with evolving global standards.

IAD also pointed out, in the Audit of the Bank’s Management of Legal Risks related to Country Office Administration, the need for formalizing the institutional legal risk management process to identify, analyze, respond to and monitor legal risks at country offices.

Cyber security risks: With substantial reliance on Information Technology (IT) in the WBG, continual management attention and action is needed to address the evolving cyber threats targeting key IT infrastructure and critical organizational data.

The WBG has been implementing a leading practice approach of multiple, overlapping, and mutually supportive defensive systems, commonly referred to as the WBG’s Defense-in-Depth Approach to Information Security. This is assessed by IAD through a multi-year engagement schedule.

In FY18, IAD reviewed several areas critical to the cyber defenses of the WBG including the primary access point to WBG IT systems and data, Enterprise Desktop, Wireless Security, Cloud Infrastructure as a Service, and the Information Security Strategy.

As management is currently refreshing its Cybersecurity Strategy, IAD highlighted the importance of developing a comprehensive information security strategy in its Advisory Review of the Development of the WBG Information Security Strategy.

Data management risks: With the emergence of disruptive technologies such as the Internet of Things, advanced robotics, Big Data, and Artificial Intelligence, data management within organizations has become increasingly important as the foundation for the successful adoption of advanced technologies.

IAD has been increasing its focus on data management risk. Following the advisory review of IFC’s Management of Data Access and Protection in FY18, where IAD recommended measures for better protection of sensitive data and more efficient sharing of data across business units, IAD plans to review the management of Bank’s Corporate Data in FY19.

Promoting Efficiency

In addition to the focus on development and risk management to meet growing stakeholder expectations and demand from clients, the WBG institutions have adopted, since 2013, measures aimed at increasing revenues and shifting to a leaner cost base. The WBG institutions have also launched various initiatives to enhance operational flexibility and agility, with the aim of becoming “Better” while continuing to build support for a “Stronger” institution with adequate financial capacity.
Embedding efficiency into business processes

In FY15, management set out to reduce the annual cost base of the WBG institutions by $400 million by FY18, through various measures implemented across all the business units of the WBG institutions.

In FY18, IAD, through the Audit of the WBG’s Completion of the Expenditure Review Initiative, confirmed that management has successfully implemented the measures to which it had committed, cutting the cost base by over $400 million, and has deployed part of the savings achieved to strategic priority areas. This has laid the foundation for financial sustainability going forward. While cost reduction is important to the achievement of sustainable growth, a careful balance is required to ensure that efforts towards cost efficiencies do not compromise the effectiveness of business processes that support client service delivery. Going forward, it is important for management to institute mechanisms to identify opportunities to optimize costs, measure business performance, and report to stakeholders on the balance between efficiency initiatives and the effectiveness of business processes.

IAD will continue to focus on efficiency in business processes and will be conducting an Advisory Review of WBG Institutions’ Framework to Support the Implementation of the Efficiency Agenda as part of its FY19 work program.

Improving Value for Money

The concept of Value for Money (VfM) has become a central theme in the development community, as illustrated by the ongoing VfM discussion among Multilateral Development Banks. In operations, the new Bank Procurement Framework launched in 2016 lists VfM as a central guiding principle. The drive for VfM is also observed in the corporate activities of WBG institutions. IAD, in its Audit of WBG’s Corporate Procurement Processes, noted that management has embarked on the implementation of a corporate procurement reform to rationalize the way it purchases goods and services, with a focus on achieving VfM. IAD recommended that management should continue its reform efforts to strengthen the alignment of corporate procurement practices with business needs and thus increase efficiency.

In addition, IAD, in the Advisory Review of the Management of Shared Service Agreements (SSAs) among WBG Institutions, analyzed how various services are shared among the WBG institutions, and advised on measures to enhance the quality and efficiency of such arrangements. IAD highlighted the importance of using performance measurement to assess the effectiveness of shared services and ensure that resources deployed to such services derive the greatest benefit for the WBG institutions. Further, IAD pointed out, in its Advisory Review for the Creation of Fund Centers and Impact on Business Performance Reporting, that frequent changes to the organization’s “Fund Center” hierarchy, which broadly mirrors the organizational hierarchy, can result in unplanned administrative costs and pose challenges in producing accurate and timely business performance reports.

Strategic approach to capital investments

In FY18, the WBG institutions made improvements in the governance of capital investments by strengthening the alignment of such investments to corporate priorities. Following IAD’s FY17 Audit of the Bank’s Capital Budget Process, which highlighted the need for clear prioritization criteria and a robust framework for measuring the value of capital investments, management made significant strides by elevating discussions on the annual investment plan to the Board, and establishing a council to steer the WBG’s real estate investment strategy. These measures will ensure that capital investments support the institutions’ long-term strategic goals. Continuing its coverage of this key area, IAD plans to review IFC’s Capital Budget Process in FY19.

Using technology to maximize efficiency

Technology is advancing at a staggering pace and is disrupting almost every business and industry. Smart use of new technology can help maximize efficiency and transform how WBG does its business.

A number of innovations using new technologies are being introduced through the Administrative Process Simplification initiative. For example, the WBG has started developing Robotics Process Automation (RPA) cases to automate routine tasks and unlock business efficiencies, contributing to meaningful improvements in the speed of support services delivery.

Going forward, it is important that such initiatives are scaled up in a sustainable manner to ensure rapid transformation of business processes. IAD’s future engagements that will help provide assurance on the impact of such initiatives include the Integration of Disruptive Technologies in WBG Operations (FY20) and WBG’s Implementation of Robotic Process Automation (RPA) (FY21).

[Photo © World Bank / Tom Perry]

Continuous Improvement

In an age where constant change is the norm, an organization’s success depends on its ability to continually find better ways of doing business; a culture of continuous improvement is therefore of paramount importance. IAD has incorporated considerations of continuous improvement into its various audits and advisory reviews, and identified the following key continuous improvement enablers.
Embedding strong feedback loops into business processes

For the WBG to beneficially extract learning from actual experience to improve the overall system, it must consciously embed feedback loops and information sharing practices into business arrangements.

In the Audit of Oversight of Administrative Expenses Managed by Bank’s Country Offices, IAD observed that the lessons learned by various Bank units through their oversight of country offices were not actively shared amongst each other. This could lead to lost opportunities to improve business practices, as well as inefficiency due to fragmentation of oversight activities.

In the Advisory Review of the Management of Shared Service Agreements (SSAs) among WBG Institutions, IAD also drew management attention to the absence of a robust dialogue mechanism about the quality and costs of services, between the parties involved. This resulted in concerns not being systematically addressed to enable improvements in the shared service arrangements.

Measuring performance with relevant metrics

Through the establishment of key performance indicators, measurable goals can be set and used to assess actual performance.

In the review of SSAs, IAD advised that performance metrics be adopted to enable a shared understanding between the service providing partner and the service receiving partner about the expected quality of the service being provided.

Benchmarking against standards and best practice

Assessing the WBG’s own activities against global standards and industry leading practices is useful to identify gaps in existing practices and set the organization’s own standards. The Audit of the Bank’s Anti-Money Laundering and Countering the Financing of Terrorism Program observed that management closely monitors changes to global standards, specifically the Financial Action Task Force Recommendations of the Organization for Economic Co-operation and Development (OECD), and suitably updates the Bank’s own policy and procedures.

Benchmarking is particularly valuable in IT. In the Audit of WBG’s Wireless Network Management and Security, IAD concluded that WBG’s own standards are not only satisfactorily implemented but are also current and consistent with industry leading practices.

Empowering staff for increased ownership

Continuous improvement becomes part of the organizational culture when individual staff feel empowered to suggest improvements, and when this is matched with an organizational capacity to implement these improvements, and manage the change.

In the Advisory Review of the Implementation of the Agile Approach, IAD recommended that management continue to empower staff to proactively propose improvements in existing policies, processes, procedures and practices, and give recognition and rewards when such efforts result in improvements.

At a time when the WBG is expected to continually adapt, respond and reinvent itself, the continuous improvement culture will be even more important. IAD will continue to identify good practices aimed at fostering continuous improvement and advocate the spread of a continuous improvement culture across the organization.

Monitoring Outstanding Actions

In response to IAD’s assurance role, management develops specific and time-bound action plans to address any issues identified in our audits. IAD accepts the action plans after reviewing their suitability to address identified issues and the reasonableness of the timeline for implementation. IAD’s continuous dialogue with management during the implementation of actions encourages timely completion of the plans. Once management indicates that an action is implemented, IAD validates the same by reviewing evidence provided by management.
In cases where the implementation of the plan is delayed, IAD flags the overdue action plans for Senior Management and Audit Committee attention, and continues to monitor the revised implementation timelines. Besides flagging specific issues, IAD periodically performs a root cause analysis of overdue actions. IAD’s follow-up process is depicted below.

[Figure: IAD’s follow-up process. Boxes: Management develops action plans; Management implements action plans; IAD validates action plan completion; IAD reports overdue actions (if any); IAD follows up on action plans]

In FY18, IAD raised 53 new issues requiring management attention. At the end of FY18, there were 74 open issues including those from previous years, of which 11 had overdue actions. The quarterly breakdown of open and overdue issues for the past two years is shown below.

[Chart: quarterly open and overdue issues, FY17-Q1 to FY18-Q4. Series: Open but not Overdue Issues; Overdue Issues]

Open issues have outstanding actions by management that are not yet due, while overdue issues have outstanding actions that management did not complete before the agreed due date.

Realizing Improvements

Examples of Issues Resolved in FY18

IAD closes issues after validating that management has satisfactorily implemented the actions, and has effected improvements in the operational controls with positive impact. In FY18, IAD closed 43 issues raised in completed audits and some of the areas that were positively impacted from IAD’s work and the resultant changes made by management, are highlighted below.

Enhancing Operational Results

• IAD’s FY17 special review on Management’s Processes for Integrating Select IFC/Bank Advisory Services, helped management recognize gaps in the integration efforts. Management has since made changes to the operating model that IAD reviewed for these joint practices, and this area will need continued monitoring and adjustments to support the “One World Bank Group approach”.
• Steps taken by management following IAD’s FY16 Audit on the Process for the Collection of Data and Production of Indices to Report on the Twin Goals address key aspects of establishing a financing model and the operational policy framework for the collection of Poverty data. This area will continue to be vital for WBG’s work going forward.

Fostering Risk Management

• IAD’s FY17 special review of the Formulation of the New WBG Global Security Management Strategy has led to management establishing a consolidated decision-making model, as part of the new Security Risk Management Framework, which will be important as the WBG scales up FCV operations.
• The FY15 audit of WBG Mobile Application Development and Security has led to management strengthening the formal governance structure and supporting processes to manage external mobile applications. This area is important given the rapid increase in the use of mobile devices and platforms to enhance operational efficiency and access.

Promoting Efficiency

• The FY16 audit of IBRD’s Capital Budget Process highlighted the need for systems and platforms supporting Capital Budget activities and Board reporting. Management has taken steps to improve updates to the Board, has automated previously-manual processes and is in the process of upgrading the capital budget management system.

Strengthening organizational resilience

• The FY16 audit of IBRD Business Continuity highlighted issues that impeded the effective implementation of the Bank’s Business Continuity Management (BCM) Program. Management has since updated and implemented its Crisis Management and Business Continuity Strategy and associated directive to strengthen the institution’s ability to deal with operational disruptions.
IAD has implemented various measures to consolidate and upgrade its internal audit practices. It has achieved this through the following key steps:

1. Risk Assessment and Work Program Development
2. Stakeholder Engagement
3. Collaboration with Oversight Units
4. Continuous Improvement of Internal Audit Practices
5. Data Analytics
6. Staff Learning, and
7. Partnerships and Knowledge Sharing

These are detailed further in the following pages.

Work Program Development

The objective of IAD’s risk assessment and work program is to identify and prioritize audit areas that pose the most significant risks to the WBG institutions and could prevent them from achieving their goals.

IAD’s Work Program is developed based on IAD’s regular assessment of risks in the operations of the WBG institutions. IAD forms its view on the institutions’ risks using both top-down and bottom-up approaches. The top-down approach includes participation in Senior Management meetings and key Board meetings to understand institutional priorities and their views on risk. The bottom-up approach includes IAD’s regular structured discussions with the Chief Risk Officer, Controller, External Auditors, and key business units, as well as the results of IAD’s prior engagements. IAD also collaborates with other oversight units to exchange views on institutional opportunities and risks. Combining such information with its own knowledge of risks and controls, IAD identifies high-risk processes. They are prioritized and sequenced for review in consideration of urgency and resource availability.

Stakeholder Engagement

IAD places a high priority on ensuring that its stakeholders across the WBG institutions are familiar with IAD’s mandate and have confidence in IAD's value proposition.
Robust relations with the Audit Committee and management are essential for IAD’s effectiveness as they help IAD deepen its business knowledge, and enable IAD to promptly identify and respond to stakeholder concerns and emerging risks.

The Audit Committee

IAD has a structured formal schedule of communication with the Audit Committee that entails four formal meetings per year. The meetings cover discussions and decisions on IAD’s three-year rolling work program, quarterly activities, and the results for each completed year. The quarterly activities discussion includes the results of individual assurance engagements, delivery status of the work program, and status of management actions in response to IAD identified issues. IAD’s terms of reference, IAD’s independence, IAD’s conformance to IIA’s codes and standards and the resource adequacy are reviewed and confirmed with the Audit Committee annually.

In between the formal meetings, IAD has established informal communication with the Audit Committee, to enable IAD to receive ongoing input on the work program and share IAD’s perspectives on various strategic matters on a timely basis.

Management

IAD has continued dialogue with management members in key business units to update IAD’s knowledge of business and confirm the continued alignment of IAD’s work with the institutions’ strategy and risks. These interactions happen across different levels: The Vice President and Auditor General periodically meets with the President, and also attends Senior Management fora covering institutional strategy and budget discussions. IAD management members regularly observe or attend key corporate meetings and committees. At the operational level, IAD has focal points for key functional areas, who periodically meet with their counterparts to stay abreast of developments and discuss emerging risks.

Considering that WBG institutions interface with clients mostly in the field through country offices, it is important for IAD to engage with country offices. With this view, in FY17, IAD started visiting country offices outside of specific engagements for knowledge sharing and information collection. In FY18, the second year of this initiative, IAD visited offices in Brussels and Cairo.

Collaboration

IAD collaborates with other institutional oversight and accountability functions to deliver timely and value-added services to the organization and avoid gaps in coverage. While complementary in some areas, the work of IAD and other oversight and accountability units is distinct in focus, objectives and approach. IAD assesses internal processes and controls that are key to the achievement of the WBG’s objectives and believes this collaboration, accompanied with clear communication with stakeholders on the roles of each of oversight and accountability functions, is critical.

The World Bank Chief Risk Officer’s (CRO) Risk Forum in May 2018, gathered together a diverse range of professionals across the WBG for a full day of presentations, panel discussions, and a networking lunch sponsored by IAD. As a panelist during the "What Keeps You Awake at Night?" discussion IAD's Vice President and Auditor General, Mr. Hiroshi Naka, stressed the importance of risk appetite as a basis for fostering risk conversations between management and the Board, while acknowledging the challenges related to its articulation. IAD's Director of Strategy and Operations, Ms. Yuko Keicho, hosted a lively discussion where Directors from different parts of the organization shared their experiences on change management.

[Photo: “What Keeps You Awake at Night” panel discussion at the CRO Risk Forum © IAD Photo Archive]

The highlights of collaboration with the other oversight functions in FY18 are as follows:

Independent Evaluation Group (IEG): IEG evaluates development effectiveness of the WBG. IAD’s reviews of business processes of the WBG institutions provides useful input to IEG’s evaluation of results of WBG activities, and IAD provided inputs to IEG’s evaluations of the Bank operational model leveraging knowledge from recent engagements. IAD and IEG also collaborate closely in developing our respective work programs to ensure that IAD engagements and IEG evaluations are logically sequenced and complementary, and this collaboration process was formalized in FY18.

Inspection Panel (IPN)/ Office of the Compliance Advisor/Ombudsman (CAO): IPN is an independent mechanism to receive complaints, pertaining to environmental and social issues, from individuals and communities who have concerns about their being adversely affected by World Bank-funded projects. The CAO is the independent recourse mechanism for IFC and MIGA, addressing complaints from people affected by IFC/MIGA projects and enhancing the social and environmental accountability of both institutions. As environment and social risk is a key risk area for the WBG, IAD has ongoing discussions with both IPN and the CAO. These discussions cover potential contributing factors to the problem projects and emerging trends to inform IAD’s understanding of this key area and IAD’s work program.

Integrity Vice Presidency (INT): INT investigates and pursues sanctions related to allegations of fraud and corruption in World Bank Group-financed projects. IAD receives all of INT’s investigation reports and analyzes the information to identify systemic control issues. The analysis provides insights into the control weaknesses that fail in preventing fraud and corruption in projects. The information also provides valuable input to IAD’s ongoing risk assessment of the WBG institutions. IAD, along with Bank management, presented on operational risk management at the International Audit and Integrity Group meeting organized together with INT.
The presentation helped the participants, who represented audit and integrity functions of various bilateral and multi-lateral development organizations, understand the oversight roles IAD and INT play to support the WBG.

Continuous Improvement

IAD self-assesses the efficiency and effectiveness of the internal audit activities and identifies opportunities for improvement on an ongoing basis. In FY18, IAD made major improvements in the following areas:

Expanding stakeholder consultation for work program development: IAD started work program development for FY19-FY21 early in the year to have sufficient time to discuss the program with business units, Senior Management, and the Audit Committee. Following informal consultation at the various levels of the organization, IAD formally engaged Senior Management committees to discuss the work program’s alignment with the strategic priorities of the institutions and focus on areas of high risk before presenting it to the Audit Committee and the Board for discussion and approval.

Introducing Assurance Engagements without an Overall Rating: Based on the feedback from clients, IAD has moved away from the ad-hoc use of “Special Review” as a product type. IAD’s retrospective analysis of its Special Reviews indicated that most Special Reviews provided assurance without an overall rating, as processes being audited were typically in the early stages of implementation. To gain flexibility in providing assurance to stakeholders under various business situations, IAD introduced Assurance Engagements without an Overall Rating.

Strengthening the strategic focus of individual engagements: To sharpen the focus of individual engagements on areas that matter the most to stakeholders, IAD strengthened internal discussions of strategic implications of the topic at the beginning of the engagement lifecycle. Further, more time was spent in FY18 to find the most effective way of framing issues for the understanding by the Audit Committee and Senior Management members once control discrepancies were identified. In this way, IAD increased the relevance of individual engagements and delivered results more effectively for increased impact.

Shortening the cycle time: In order to deliver results in time for meeting stakeholders’ needs, IAD enhanced the monitoring of the delivery by introducing a new dashboard and taking actions quickly to address bottlenecks. New performance indicators to capture the speed of delivery were also set with performance targets.

Increasing the application of data analytics (DA): IAD increased the application of DA to distill further insights from business data. Refer to the Data Analytics section (Page 28) for more information.

Quality Assurance and Improvement Program

IAD’s Quality Assurance and Improvement Program (QAIP) ensures sustainable conformance with the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors, the global standard setter of internal audit and continuous improvement of IAD’s activities. It consists of i) routine quality control within the engagement lifecycle, ii) internal monitoring and assessment, and iii) external assessment of IAD’s internal audit activities. Following the last external assessment in FY16 and the internal stakeholder survey in FY17, IAD reached out to key clients to discuss IAD’s performance improvement and received further feedback on areas such as communication, product offering, and use of external firms.

Data Analytics

IAD is increasingly integrating data analytics and technology in its activities, enabling engagement teams to develop stronger evidence in support of engagements, and supporting the monitoring of delivery of IAD’s work program.

Application of Data Analytics in Engagements. In FY18, data analytics (DA) techniques were utilized in more than half of all IAD engagements. This included data profiling to help IAD teams better understand the scope and coverage of business processes being reviewed and testing the effectiveness of key controls. These activities generated increased assurance in some audit areas, supported audit findings and yielded business insights for consideration by management.

Data Analytics Methodology. Also during FY18, IAD finalized its DA methodology, taking into consideration lessons learned and challenges encountered since the inception of IAD’s DA Strategy two years ago. The methodology outlines the key activities for integrating DA into IAD’s assurance and advisory engagements, from the planning phase through reporting, centered around an agreed set of DA principles.

Strengthening In-House Data Analytics Capabilities. Aligned with a key objective of IAD’s DA strategy, IAD continued to roll-out various training programs to enhance IAD’s in-house DA capabilities. This included customized targeted training to IAD staff who executed DA activities to build proficiency in the use of DA. In addition, an internally developed DA training program was conducted for all IAD staff to strengthen their ability to incorporate and perform DA in engagements. Staff identified as core DA specialists in IAD, also attended DA summits to keep abreast with leading innovation techniques such as artificial intelligence, machine learning, etc.

Engagement with Business Unit DA functions and IT departments in the WBG. IAD continued to engage key WBG internal stakeholders in data analytics; the collaboration yielded access to more institutional systems and data, and a better understanding of recent and upcoming changes, tools and technologies for managing WBG data.
[Chart: Percentage of all IAD Engagements in which Data Analytics was used to support results, FY16 to FY18; plotted values 20%, 40%, 55%]

In FY18, IAD increased its commitment to using Data Analytics and ensured that all its engagements actively considered the use of DA while planning the engagement. IAD also used DA for its internal portfolio monitoring and dashboards to better monitor its overall delivery.

Staff Learning

Over the years, IAD has refined its approach to staff learning and sought to integrate learning as part of its daily business activities.

IAD has adopted a ‘T-model’ for learning that requires staff to develop broad competencies in business acumen, while developing one or two areas of deeper expertise. The broad competencies enable staff to "connect the dots" and see the "big picture" as they go through multiple layers of information and data, while the deep expertise fosters staff development and reduced reliance on external expertise. This model is incorporated into a core curriculum that is the foundation for the staff learning program.

[Figure caption: IAD's learning program promotes the combination of broad knowledge of WBG business and subject matter expertise.]

In FY18 IAD introduced many enhancements to its program for staff learning. IAD’s Core Curriculum was enhanced and aligned to WBG’s strategic focus. IAD instituted workshops to provide small group interactive platforms for the sharing of insights to refine staff core audit skills.

In line with IAD’s commitment to staff learning, IAD has established the role of Learning Lead to coordinate and innovate on staff learning.

Beyond the enhancements, IAD continued to drive staff learning through mandatory quarterly learning days to expose staff to developments in the industry and within the WBG. Recent topics included coverage of blockchain, robotics and artificial intelligence in the auditing profession.
Staff continue to be encouraged to keep a close watch on global developments and trends in areas of relevance, to enable IAD to stay informed on leading practices.

[Figure: Enhanced Core Curriculum; Workshops to refine audit skills; Monthly Brown Bag Lunches; Quarterly Learning Days]

Partnerships/Knowledge Sharing

IAD participates in internal and external partnerships for collaboration and knowledge sharing.

Internal Collaboration

IAD contributed to two knowledge sharing events with clients, organized by WBG institutions’ business units.

Internal Audit Workshop for Bank Treasury Clients: In December 2017, two IAD staff were invited to present on internal audit practices to financial institutions in a workshop in Costa Rica organized by the Bank Treasury as part of its Reserves Advisory and Management Program (RAMP).

[Photo: IAD presentation to the Internal Audit representatives from South American central banks for TRE RAMP program in Costa Rica © IAD Photo Archive]

Internal Audit Workshop for IFC Clients: In November 2017, an IAD Manager was invited to present leading internal audit practices at an internal audit workshop delivered for the Postal Savings Bank of China (PSBC) by the Corporate Governance team under IFC’s Environment, Social and Governance (ESG) practice. This was a key part of their advisory service for PSBC, aimed at improving its corporate governance structure and procedures, and adding value to its stewardship, risk governance and control practices.

IAD at the CRO Risk Forum: The World Bank Chief Risk Officer’s (CRO) Risk Forum in May 2018, gathered a diverse range of professionals across the WBG for a full day of presentations, panel discussions, and a networking lunch sponsored by IAD.

As a panelist during the "What Keeps You Awake at Night?" discussion IAD's Vice President and Auditor General stressed the importance of risk appetite as a basis for fostering risk conversations between management and the Board, while acknowledging the challenges related to its articulation. IAD's Director of Strategy and Operations hosted a lively discussion where Directors from different parts of the organization shared their experiences on Change Management.

[Photo: “What Keeps You Awake at Night” panel discussion at the CRO Risk Forum © IAD Photo Archive]

External Collaboration

IAD collaborates with internal auditors of other multilateral organizations and development institutions to absorb new ideas, share knowledge, and network with fellow practitioners. In FY18, IAD continued its active sharing of internal audit knowledge gained from our unique experience with the WBG institutions. A wide range of organizations including United Nations agencies, multilateral and bilateral development agencies, donors, and client government audit functions, interacted with IAD and discussed new trends and common challenges.

UN-Representatives of Internal Audit Services (RIAS): IAD’s VP and Auditor General attended the 2017 UN-RIAS and plenary RIAS, hosted by the Organization for the Prohibition of Chemical Weapons in The Hague, Netherlands. He was joined by the Manager for Information Technology and Data Analytics, and an Audit Supervisor as presenters on data analytics strategy and enterprise architecture, respectively.

The European Court of Auditors (ECA) and the Internal Audit Service (IAS) Conference: In October 2017, Manager for Development Operations and an Audit Supervisor visited Brussels to continue on-going dialogue with the ECA. The IAD team also participated in the IAS Conference. The theme of this year’s conference was “Innovation and Creativity in Internal Audit: Myth or Reality?”

Multilateral Development Banks: In March, WBG Vice President and Auditor General attended the Multilateral Financial Institutions—Chief Audit Executive Group 2018 Meeting in Abidjan, Côte d'Ivoire. The meeting provided a platform to openly share and discuss ideas, challenges, achievements, and lessons learned in the field of internal auditing. In addition, IAD is an active member of the Multilateral Financial Institutions–Chief Audit Executive (CAE) Group. IT Experts’ meetings are traditionally organized during the CAE meetings, and IAD staff have played a significant role in driving the IT agenda.

Contributing to the Profession

As a leading internal audit function of multilateral and development agencies, IAD provides The Institute of Internal Auditors (IIA), an international professional body of internal auditors, with ongoing feedback on standard setting and global advocacy of the profession.

IAD staff serve at the IIA in multiple volunteer capacities at global and local levels. IAD staff are represented in Global Advocacy, Standards Board, Global guidance development, Learning solutions and Public sector guidance.

IAD staff have been contributing to the IIA’s research on the state of the internal audit profession in African countries in coordination with the Bank’s operational staff. The research is being done in two phases. The first phase report, which covered the state of the Internal Audit profession in Africa covering English speaking countries, was authored by IAD’s Audit Supervisor; this has been completed and published by the IIA. The second phase research covering French speaking countries in Africa, is underway.
IAD Staff

IAD staff are a diverse team of 34 professionals from more than 21 countries and 5 continents. IAD staff have diverse professional qualifications to enable IAD to fulfill its role, including Certified Internal Auditor (56% of staff), Certified Public Accountant, Chartered Accountant or similar (44%), Certified Information Systems Auditor (29%), and Certified Fraud Examiner (18%).

IAD staff with the Former Vice President and Auditor General, Mr. Hiroshi Naka (third from left in the front row.)

WBG’s Completion of the Expenditure Review (ER) Initiative [Assurance]

The objective was to provide independent validation of the status of management’s implementation of the ER initiative. IAD validated the following key aspects of the ER program:
• Management has embedded $415M of savings (inclusive of reinvestments) in the budget, exceeding the $400M savings target. Management has completed implementation of the ER Program and the institutional cost base (i.e. budget) has been altered as intended.
• Savings targeted for reinvestment have been redeployed by the WBG institutions to strategic priority areas.
• Management has implemented almost all of the measures committed to in the savings packages (representing 98% of the total estimated savings).

While the targeted savings have been embedded in the institutional budget trajectories, sustaining efficiency in business processes will require ongoing efforts to identify and implement improvements based on measurement of efficiency indicators.

Bank’s Implementation of the Agile Approach [Advisory]

The objective was to assess the adequacy of management’s plan to implement the Bank’s Agile approach. IAD noted that the Bank has taken key steps to establish the foundations of an agile Bank through a pilot phase. These steps include creating an authorizing environment, training an initial cohort of Agile fellows and champions, and encouraging select staff to experiment on the Agile pilots.
However, the Bank needs to move beyond the limited pilot phase and consider a Bank-wide Agile approach, to realize the full transformative potential of the Agile approach. IAD’s key recommendations include:
• Clear communication by Senior Management of the importance of staff involvement at all levels to establish Bank-wide ownership and accountability.
• Empowering of staff to proactively propose improvements, and development of a training plan to increase staff’s understanding of Agile.
• Formalization of a program management unit and clear articulation of the benefits.

Implementation of SORT in Supporting Operational Decision-Making [Assurance]

The objective was to assess whether the Systematic Operations Risk-rating Tool (SORT) has been implemented as planned and is being used according to the objectives envisioned in the Bank’s Framework for Management of Risk in Operations. IAD concluded that SORT is well established as a risk recording tool within the broader framework for management of risks in Bank operations. SORT risk ratings are embedded in all mandatory project documents and the recording of risk is fully implemented for all active operations. It is used as an input for framing the risk conversation among stakeholders during project preparation, and the risk ratings help determine the project approval track. There are opportunities for improvement in the use of risk information in SORT during project supervision, portfolio monitoring and management, for strengthening the reporting to the Board and to strengthen the strategic positioning of SORT within the context of managing risk in operations.

Bank’s Process for Managing Advisory Services and Analytics Activities [Assurance]

The objective was to assess the effectiveness of controls introduced by recent reforms to address the earlier identified weaknesses over the delivery of Advisory Services and Analytics (ASA) activities. IAD noted several significant improvements including the embedding of the ASA Accountability and Decision-Making (ADM) framework into the ASA workflow in the Operations Portal; the development of ASA portfolio indicators; and the periodic reporting to the Board and Senior Management on the delivery of ASA activities and ASA expenditures. Areas for improvement included: (i) timely resolution of issues in some ASA projects; (ii) strengthening the analysis to explain dropped activities; (iii) more complete inclusion of trust funded ASA activities in the Institutional Work Program Agreement Process; and (iv) strengthening the ASA peer reviews.

IFC’s Use of Blended Finance in Operations [Assurance]

The objective was to assess whether IFC has adopted and implemented appropriate processes for the use of Blended Finance in its operations. IAD concluded that IFC has well established processes and a robust framework for Blended Finance. IFC has also established a management committee that reviews and deliberates on proposals for the use of Blended Finance against Board-endorsed criteria. However, some gaps were noted in the areas of periodic review and reporting of Blended Finance operations to stakeholders, information sharing protocols during supervision of Blended Finance projects, and a mechanism for the allocation of deals to different facilities.

Bank’s Implementation of the Uganda Transport Sector Development Project (Additional Financing): Lessons Learned and Agenda for Action [Assurance]

The objective was to provide independent validation of the implementation of management’s action plans committed to in the November 2016 report on the Uganda Transport Sector Development Project (Additional Financing): Lessons Learned and Agenda for Action. IAD validated that management has completed the implementation of 30 of 39 actions; 2 are on-going as they relate to the implementation of the Environmental and Social Framework (ESF) that is being rolled out; 5 were deemed partially completed; and 2 were out of the scope of the engagement. Key accomplishments included (i) improved processes for oversight and monitoring of high-risk projects; (ii) development of relevant guidance notes, and extensive communication with staff; and (iii) staff training on risk assessment and other key areas. IAD drew management attention to focus on key cross-cutting themes going forward, including: (i) monitoring the staff guidance and instruction developed; (ii) ensuring that training has fully reached the intended audience; and (iii) improving staff access to the relevant procedures, policies, and guidance.

Bank’s Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Program [Assurance]

The objective was to evaluate the controls for managing the risks in meeting the objectives of the AML/CFT Program pertaining to money laundering and financing of terrorism. IAD concluded that the governance, risk management and control activities over the establishment, operationalization, and monitoring of the Bank’s new AML/CFT Program are satisfactory. The Bank has assessed the applicability of the Financial Action Task Force recommendations, and identified and adopted the relevant recommendations to ensure continued compatibility of the Program with international standards. Improvements from the previous program include the Bank’s enhanced screening process; enhanced due diligence process workflows; implementation of a quality assurance program; monitoring of the Program by the AML/CFT team through weekly and monthly reports; provision of semi-annual reports to Senior Management; and establishment of an escalation mechanism.
Use of Offshore Financial Centers in WBG Private Sector Operations [Assurance]

The objective was to provide assurance on the implementation of the Offshore Financial Center (OFC) Policy to manage tax evasion and related reputational risks. The audit concluded that IFC and MIGA, which are most exposed to reputational risk due to their private sector-oriented operations, have implemented the provisions of the current OFC Policy, and project teams conduct transactional due diligence to identify beneficial owners and understand the rationale for a transaction’s ownership structure. IAD noted an area for improvement, which is that the Bank has not yet reviewed the applicability and consequent adoption of the OFC Policy for its Private Sector Operations, including its guarantee operations. Although the Bank’s exposure to the risk may have been small due to its public-sector orientation, this could pose a reputational risk going forward, given the expected increase in future exposure to intermediate jurisdictions in its Private Sector Operations.

IFC’s Use of Derivatives in Managing Market Risks in the Debt Portfolio [Advisory]

The objective was to review and advise IFC management on the use of derivatives to manage market risk in the debt portfolio. IAD recommended that IFC management consider various steps to strengthen current practices, including: improving operational coordination between derivative management and portfolio management; developing mechanisms to strengthen information sharing necessary for integrated management reporting among the units concerned; reviewing the current formulas to calculate profitability measures; and establishing periodic reviews of the framework and practices for using derivatives for portfolio risk management.

IBRD’s Management of Liquid Asset Portfolio [Assurance]

The objective was to assess the adequacy and effectiveness of the management of IBRD’s liquid asset portfolio.
In concluding that the risks related to management of IBRD’s liquid asset portfolio are adequately managed, IAD noted strong governance over the portfolio management process, including: (i) clear authorization for investments; (ii) existence of appropriate policies and guidelines; (iii) execution of trading activities within explicit risk limits that are regularly monitored; and (iv) periodic reporting of investment performance to Senior Management and the Board. No significant gaps were noted in the effectiveness of controls.

IFC’s Management of the Liquid Asset Portfolio [Assurance]

The objective was to assess the adequacy and effectiveness of the management of IFC’s liquid asset portfolio. IAD identified several good practices, including: (i) compliance with established risk limits is monitored and managed by teams in both the Treasury and Risk management functions; (ii) key information on the liquid asset portfolio is provided to the Board through quarterly and annual reports; and (iii) as of March 2018, the overall liquidity ratio remained significantly above the policy floor of 45% set by the Board. IAD also identified gaps for management attention, including: (i) the absence of an approved risk appetite statement; (ii) ambiguity in certain requirements stated in the Liquid Asset Investment Directive (LAM Directive); (iii) inadequate monitoring of portfolio risks; and (iv) inadequate controls governing changes to certain data in the trade capture system.

MIGA’s Management of Reinsurance Counterparty Risk [Assurance]

The objective was to evaluate the effectiveness of controls over MIGA’s reinsurance counterparty risk management process. IAD concluded that the current system of internal controls within MIGA provides reasonable assurance that reinsurance counterparty risks are adequately managed.
Fundamental controls are in place to ensure that new and existing reinsurers are within minimum credit rating requirements and MIGA’s reinsurance exposures follow Board-approved limits. Moreover, reinsurance counterparty risks are periodically reported to Senior Management and the Board.

WBG’s Approach to Managing the Contingent Workforce [Assurance]

The objective was to evaluate the measures taken to manage the contingent workforce. IAD noted the following improvements made since its last review of this area: (i) enhanced hiring and fee setting practices; (ii) development of training programs for managers, task team leaders and short-term consultants/temporaries (STs); (iii) establishment of clear guidelines for the use of the contingent workforce and provision of relevant reports to guide decision making by business units; and (iv) more streamlined reporting to management and the Board. Further enhancement opportunities include: (i) capturing and analyzing the purposes for which STs are hired; (ii) explicitly documenting the approach for using the contingent workforce (areas, seasons etc.); and (iii) developing measures to ensure that STs clearly understand their employment conditions and rights before starting assignments. These measures will be effective when accompanied by clear communication by senior management of the importance of proper management of the contingent workforce.

Bank's Management of Legal Risks Related to Country Office (CO) Administration [Assurance]

The objective was to evaluate the adequacy and effectiveness of the Bank’s processes to identify, monitor, and mitigate legal risks arising from Country Office (CO) administration. The audit noted that (i) the Legal Institutional Administration unit (LEGIA) responds to all legal needs in CO administration and ensures that the Bank’s immunities and privileges are preserved; and (ii) the Bank’s interests in CO administration are safeguarded through contractual terms and conditions.
However, existing processes need to be further strengthened to enable the Bank to effectively and proactively identify top and emerging legal risks. Improvements include: (i) the establishment of a well-defined institutional legal risk management process to identify, analyze, respond to, and monitor legal risks; (ii) the involvement of the Legal department in CO corporate procurement transactions; and (iii) a consistent process to seek legal input early in the decision-making phase of executing real estate transactions.

WBG’s Corporate Procurement Processes [Assurance]

The objective was to assess the governance, risk management, and control framework in place to ensure that WBG procurement activities achieve value-for-money. The audit concluded that the foundation has been successfully laid for a sound governance, risk management and control framework to ensure that WBG procurement activities achieve value-for-money. However, opportunities for further improvement exist in several areas to ensure that these measures are embedded into existing business processes and implemented in a sustainable manner. These areas include (i) category management and demand aggregation; (ii) vendor performance management; and (iii) post-award contract reviews.

Oversight of Administrative Expenses Managed by Bank’s Country Offices [Assurance]

The objective of the audit was to review the oversight frameworks in place for managing administrative expenses related to Country Offices (COs). The audit concluded that there are functioning frameworks that cover monitoring and reporting on compliance with policies, whistleblowing channels, and mechanisms to investigate and take corrective action. IAD noted areas for further strengthening of the oversight processes including conducting reviews to identify and address root causes of issues to prevent recurrence, establishing a comprehensive, integrated institutional risk assessment and having a clearer mapping of roles and responsibilities.
Administrative Expense Transactions Managed by Executives' Front Offices in the WBG Institutions [Assurance]

The objective was to assess the adequacy of existing controls and institutional oversight arrangements for the use of administrative expenses by World Bank Group (WBG) Executives. IAD concluded that the control framework provides reasonable assurance that expenses are incurred for business reasons. No instances of misuse of funds or non-compliance with institutional policies were found. Key factors contributing to this assurance were (i) clearly defined policies and guidelines on what constitute valid business expenses; (ii) an expense approval and review process that enhances the likelihood that travel expenses are incurred for valid business reasons; and (iii) quality assurance reviews involving sample testing of expense transactions.

WBG Administrative Expense Transactions of Executive Directors’ Offices [Assurance]

The objective was to assess the adequacy of existing controls and institutional oversight arrangements related to the utilization of administrative expense transactions incurred by Executive Directors. IAD concluded that the control framework provides reasonable assurance that expenses are incurred for business reasons. No instances of misuse of funds or non-compliance with institutional policies were found. Key factors contributing to this conclusion were: (i) the expense policies and guidelines provide clarity on what expenses are appropriate; (ii) the expense review and approval processes ensure compliance with applicable policies and guidelines; and (iii) monitoring and reporting practices enable EDs’ offices to review and monitor their expenses.
Creation of Fund Centers and Impact on Business Performance Reporting [Advisory]

The objectives were to review the existing decision-making process for creating fund centers (FCs), analyze the impact on business performance reporting, and suggest appropriate measures aimed at improving the governance over the creation of FCs. IAD made the following recommendations to strengthen the governance over the FC creation process and report production:
• Promote consistency in the FC creation process by introducing relevant guidelines, clear criteria, and standards in a mandatory Policy and Procedures document;
• Define the accountability and decision-making framework for FC creation and reorganization requests, and introduce an upstream due diligence review function; and
• Implement system enhancements to enable the historical data associated with FC structures to be captured, stored, and automatically applied to historical period reporting each time an FC is changed.

Management of Shared Service Agreements (SSAs) among WBG Institutions [Advisory]

The objective was to identify opportunities for improvement in the management of SSAs among WBG institutions. The key recommendations included: (i) development of a typological approach to classify services; (ii) formulation of a directive to harmonize the essential elements for establishing and monitoring SSAs; (iii) alignment of SSA processes with the budget process to make business planning more effective; (iv) introduction of the structured management of SSAs by outlining the mechanisms that will be followed for each SSA; (v) provision of guidance on how service recipients or providers can withdraw from services; (vi) development of a better costing approach based on service type; and (vii) improvement of performance monitoring through the development of mutually agreed performance management practices.
WBG’s Wireless Network Management and Security [Assurance]

The objective was to evaluate the adequacy and effectiveness of the WBG’s wireless network security. The audit concluded that the system of internal controls over the WBG wireless network, which encompasses governance processes, architectural design, technical configuration, and security management and monitoring capabilities, provides reasonable assurance that the WBG wireless network is appropriately managed and secured. Effective practices were also noted around the support, maintenance, and management of the wireless network environment, based on established standards and procedures. Opportunities for further strengthening by management were identified in the areas of intrusion detection and prevention, vulnerability management, and policy and guidance, in order to maintain a satisfactory control environment for the wireless network.

WBG’s Implementation of Cloud Infrastructure as a Service (IaaS) [Assurance]

The objective was to evaluate the WBG’s implementation of IaaS in the cloud to determine whether the confidentiality, integrity, and availability of systems and data maintained off-premise (in the cloud) are safeguarded. The audit noted several good practices, including clearly defined roles and responsibilities, well-established cloud risk assessment and intake processes, and consistent monitoring and evaluation of cloud service providers (vendors). However, (i) the Cloud Strategy Roadmap lacked key elements, such as quantifiable objective-oriented goals and criteria to measure the success of the cloud strategy; and (ii) deviations from accredited or approved IaaS implementation plans were not consistently reviewed.

WBG’s Enterprise Desktop Management and Security [Assurance]

The objective was to assess the governance, risk management, and control activities over the design and deployment of WBG’s Enterprise Desktop (ED).
The audit noted that the ED security posture has been augmented by more advanced controls in Windows 10 compared to Windows 7. Moreover, ED end-user support, training, and awareness activities were effective. In addition, measures were in place to ensure the availability of the ED environment. However, IAD identified: (i) a lack of adherence to established ITS risk management processes during ED10 security implementation resulting in some configuration settings not being aligned with WBG or industry standards; and (ii) the need for data protection technical controls within the ED environment to prevent and detect the transmission of sensitive information outside the ED environment.

Development of the WBG Information Security Strategy [Advisory]

The objective was to review the approach adopted by the WBG in developing an updated version of the WBG Information Security Strategy. Recommendations to management included: (i) conducting a comprehensive assessment of the existing WBG Information Security Program using an industry-recognized information security framework to identify major weaknesses; and (ii) defining a clear and measurable target state and developing a risk-based roadmap that defines a specific path for achieving the Program’s vision and objectives.

IFC’s Management of Data Access and Protection [Advisory]

The objective was to take stock of the current approach to data access and protection within IFC, and to provide management with advice on the current state of governance, process, and technology practices.
IAD’s review identified opportunities to strengthen IFC’s design and implementation of data access and protection controls, and developed recommendations to improve the current state of governance, process, and technology practices, grouped under three main thematic areas: establish a holistic data access and protection approach to better address the needs of IFC which would enable consistent access management and protection across projects and IT systems; improve the governance over access management to facilitate the effective operationalization of the Data Access and Protection Framework; and evaluate the adequacy of existing technology solutions to support the framework and improve control over sensitive data.

Strategy Setting, Implementation, and Change Management
• The World Bank Group’s Expenditure Review (ER) Initiative
• Management’s Processes for Integrating Select IFC/Bank Advisory Services
• Bank’s Management of Climate Change Operations – Key Business Enablers
• IFC’s and MIGA’s Management of Climate Business Operations – Key Business Enablers
• WBG’s Completion of the Expenditure Review initiative
• Bank’s Implementation of the Agile Approach

Business Planning and Budgeting
• IBRD's Capital Budget Process
• Financial Aspects of IDA17 Concessional Loans
• Bank’s Country Engagement Budget Allocation under the New Operating Model

Delivery of Operational Products and Services
• IFC’s Managed Co-Lending Portfolio Program
• MIGA's Administrative Cost Allocation Process for Pricing
• IFC’s Project Risk Management Using Conditions of Disbursement
• IFC’s Oversight and Working Arrangements with the IFC Asset Management Company (AMC)
• IFC Equity Investments
• MIGA’s Management of Credit Enhancement Products
• Implementation of SORT in Supporting Operational Decision-Making
• Bank’s Process for Managing Advisory Services and Analytics Activities
• IFC’s Use of Blended Finance in Operations
• IFC's Use of Derivatives in Managing Market Risks in the Debt Portfolio

Environmental and Social Risk
• Bank’s Action Plan to Improve the Management of Safeguard and Resettlement Practices
• Bank’s Implementation of the Uganda Transport Sector Development Project (Additional Financing): Lessons Learned and Agenda for Action

Fiduciary Risk
• Risk-Based Procurement Post Reviews (PPRs)
• Bank’s Fiduciary Risk Management Framework in Investment Project Financing Projects

Integrity Risk
• Management of Actual and Perceived Conflict of Interest in WBG’s Operating Model
• WBG’s Sanctions Process
• Bank’s Anti-Money Laundering and Countering the Financing of Terrorism Program
• Use of Offshore Financial Centers in WBG Private Sector Operations

Management of External Funds
• Bank’s Trust Fund Change Management Considerations
• Bank’s Risk Management in Recipient Executed Trust Funds

Stakeholder Engagement and Financial Reporting
• Donor Reporting on Trust Fund Operations of the WBG
• Implementation of the Bank’s Access to Information Policy
• Implementation of IFC’s Access to Information Policy
• Implementation of MIGA’s Access to Information Policy
• WBG's Strategic Management of Civil Society Organizations Relationships

Financial Risk
• IBRD’s Equity Management Framework
• World Bank Group’s Pension Plan Investments
• IBRD’s Management of Liquid Asset Portfolio
• IFC’s Management of the Liquid Asset Portfolio
• MIGA’s Management of Reinsurance Counterparty Risk

Human Resource Management
• WBG’s Medical Insurance Plan
• WBG Human Resource Shared Services
• Use of Data Analytics in HR
• Bank’s Workforce Planning
• WBG's Approach to Managing the Contingent Workforce

Corporate and Administrative Areas
• World Bank Group’s Pension Plan Administration
• Bank's Management of Legal Risks Related to Country Office (CO) Administration
• WBG’s Corporate Procurement Processes
• Management of Shared Service Agreements (SSAs) among WBG Institutions
• Creation of Fund Centers and Impact on Business Performance Reporting
• Oversight of Administrative Expenses Managed by Bank’s Country Offices
• Special Review of the Administrative Expense Transactions Managed by Executives’ Front Offices in the WBG Institutions
• Special Review of the Administrative Expense Transactions of Executive Directors’ Offices

Physical Disruptions and Business Disruptions
• WBG IT Service Continuity Management
• Bank’s Business Continuity Management
• IFC’s Business Continuity Management
• Formulation of the New WBG Global Security Management Strategy

Information Technology and Information Security
• WBG Integrated Communications Platform (ICP)
• Box Post-Implementation
• Office 365 Post-Implementation
• Security Architecture, Certification and Accreditation Process
• WBG IT Hardware Asset Management
• WBG’s Business Solutions Delivery & Project Governance (Operations & Corporate Lines of Business)
• WBG’s Software Asset Management
• World Bank’s Enterprise Architecture
• WBG Network Security (Internal & External)
• WBG’s Remote Access Services
• Post-Implementation Review of IFC’s Advanced Commercial Banking System (ACBS)
• WBG’s Wireless Network Management and Security
• WBG’s Implementation of Cloud Infrastructure as a Service (IaaS)
• WBG’s Enterprise Desktop Management and Security
• Development of the WBG Information Security Strategy

Knowledge and Data Management
• Process for the Collection of Data and Production of Indices to Report on the Twin Goals
• IFC’s Processes for Generating Information Supporting Portfolio Oversight
• IFC Staff Learning
• IFC’s Management of Client and Partner Hierarchies
• IFC's Management of Data Access and Protection