IAD FY 2019 Quarter 3 Activity Report

INTERNAL AUDIT VICE PRESIDENCY

As of April 15, 2019

Contents

Completed Engagements in FY19 Q3
FY19 Q3 Engagements Summarized

About IAD

The Internal Audit Vice Presidency (IAD) provides independent and objective assurance to Senior Management and the Board of the World Bank Group (WBG) on the effectiveness and efficiency of governance, risk management and controls of the WBG operations. In addition, IAD monitors the implementation of management’s corrective actions, and also advises management in developing control solutions. IAD’s work is carried out in accordance with the Institute of Internal Auditors (IIA) International Professional Practices Framework. IAD’s Quarterly Activity Report summarizes IAD’s engagement results for the quarter.

www.worldbank.org/internalaudit

Completed Engagements in FY19 Q3

IAD completed seven engagements comprising five assurance engagements and two advisory reviews. Details of each of these engagements are summarized in the following section.

| Item No. | Report | Entity | Engagement Type | Engagement Name |
|---|---|---|---|---|
| 1 | WBG FY19-08 | WBG | Advisory | WBG Institutions’ Framework to Support the Implementation of the Efficiency Agenda |
| 2 | WBG FY19-09 | WBG | Assurance | WBG’s Staff Travel Safety Arrangements |
| 3 | IBRD FY19-03 | Bank | Advisory | Bank’s Management of Corporate Data Used in Operations |
| 4 | IBRD FY19-04 | Bank | Assurance | Implementation of IBRD’s Asset Liability Management Framework |
| 5 | IBRD FY19-05 | Bank | Assurance | Bank’s Grievance Redress Service |
| 6 | IFC FY19-01 | IFC | Assurance | IFC’s Management of Operational Risks |
| 7 | MIGA FY19-01 | MIGA | Assurance | MIGA’s Net Retention and Reinsurance Framework |

FY19 Q3 Engagements Summarized

1. WBG Institutions’ Framework to Support the Implementation of the Efficiency Agenda

The objective was to provide advisory input and recommendations to support management in its efforts to formulate a framework that will support the WBG Institutions’ Framework to Support the Implementation of the Efficiency Agenda. IAD’s review specifically focused on: (i) management’s process to identify, implement, integrate, monitor progress and report on efficiency measures for ongoing business operations; (ii) processes in place to evaluate business performance and the operational impact of efficiency initiatives and institutional measures; and (iii) collaboration and coordination arrangements on WBG-wide efficiency initiatives.

The review highlighted opportunities for management to foster and monitor sustainable efficiencies. Specific recommendations included: (i) developing guiding principles of efficiency across the WBG institutions; (ii) promoting executive sponsorship and consistent senior management communication; (iii) establishing a nimble, agile and efficient approach to governance, leveraging the existing bodies or committees; (iv) increasing the use of incentives at the institutional level; and (v) revisiting metrics used to drive efficiency across the organization to make sure they are actionable and can create the foundation for informed decision making both at the institutional and business unit levels.

2. WBG’s Staff Travel Safety Arrangements

The objective was to assess whether: (i) the overall framework for ensuring the safety of staff on official travel, including policies, procedures, guidance, safety standards, and roles and responsibilities, is defined, understood, coordinated and enforced within the WBG entities; and (ii) institutional controls to manage WBG staff travel safety risks are well designed and operating effectively.
Such controls include training, outreach activities, and health-related planning to ensure staff awareness and preparedness; security risk assessments; country clearance to travel; travel alerts relating to region, health, airlines and hotels; and mechanisms to account for, monitor, track and communicate with staff during emergency situations.

While concluding that the risks to the safety of staff on official travel are largely identified and managed, the audit identified the following issues: (i) travel safety standards to manage the safety and health risks faced by staff are not fully defined, e.g., when they travel by water, rail or in a chartered aircraft, and to health-risk locations; (ii) country office compliance with road safety requirements is not enforced; (iii) staff compliance with the requirements for Security Responsiveness training and obtaining country clearance before travel is not enforced; and (iv) non-critical incidents experienced by staff are not systematically reported and analyzed.

3. Bank’s Management of Corporate Data Used in Operations

The objective was to perform a stocktaking of the state of corporate data in place at the Bank, focusing on data used for managing operations. IAD set out to identify gaps, assess root causes, and provide advice to Bank’s management on data management (DM) practices that can improve the integrity, quality and availability of corporate data, in consideration of ongoing DM initiatives.

The review presented a series of recommendations to address gaps in the Bank’s management of corporate data. These recommendations related to the following four themes: executive sponsorship and governance; data definitions; data integration and data architecture; and quality and reliability of corporate data.

4. Implementation of IBRD’s Asset Liability Management Framework

The objective was to assess the governance, risk management and controls over IBRD’s Asset Liability Management (ALM) processes. Specifically, the audit focused on: (i) risk management strategies, measures and limits; (ii) controls to address risks arising out of activities such as loan modifications, loan prepayments, debt maturities and debt allocation that trigger ALM mismatches; (iii) systems and controls to support the completeness, accuracy and validity of data; and (iv) controls over financial reporting and disclosures related to ALM activities.

The audit concluded that IBRD’s ALM-related risks are adequately managed. WBG Finance and Accounting manages currency alignment between loans and borrowings and the Chief Risk Officer provides oversight to the ALM process by monitoring interest rate and currency risk. The audit also provided two forward-looking recommendations related to the potential impact of the LIBOR transition and the benefit of enhanced risk analytics.

5. Bank’s Grievance Redress Service (GRS)

The objective was to evaluate whether the GRS implementation has been consistent with its initial design objectives, as defined in the GRS Interim Operating Procedure (December 2014) and the Bank Procedure on the Grievance Redress Service (March 2017).
Specifically, the audit focused on whether the GRS has: (i) clearly defined processes to receive, evaluate, and process complaints from project-affected people and communities, and, as relevant, from other Bank units including the Inspection Panel, the Integrity Vice Presidency, and Bank staff; (ii) mechanisms to facilitate responses to grievances by project teams; (iii) defined processes to monitor the implementation of any actions established as part of the resolution of the grievances; (iv) mechanisms to maintain confidentiality and the identity protection of the complainants; (v) effective communication, outreach, and information dissemination arrangements to raise awareness of the GRS among project-affected people and relevant Bank staff; and (vi) criteria and mechanisms to measure its own effectiveness and efficiency.

The audit concluded that (i) implementation of the GRS is not fully aligned with the design objectives, which has resulted in some complaints not being processed in a timely and efficient manner; and (ii) the GRS has not consistently protected the confidentiality of the complainant. Management recognized these implementation issues during the audit and has already initiated actions to strengthen the GRS.

6. IFC’s Management of Operational Risks

The objective was to assess the design adequacy and operating effectiveness of controls over IFC’s Management of Operational Risks.
Specifically, the audit focused on whether: (i) processes to develop and approve operational risk governance mechanisms, including setting the operational risk appetite, policies and procedures, risk taxonomies and appropriate lines of responsibility for managing operational risk, are adequately designed and operating effectively; (ii) operational risk management processes, including the identification, assessment, response and monitoring of operational risks, are effective in ensuring that the business is managed within the defined operational risk appetite; (iii) operational risk management program results are reported to stakeholders in a timely manner to enable informed decision making; (iv) IFC data and IT systems are adequate to support accurate, reliable and timely capturing, monitoring and reporting of operational risk information; and (v) appropriate training on operational risk is provided to relevant staff to contribute to the promotion of a strong risk management culture.

In concluding that IFC’s operational risk is not adequately monitored, analyzed, or reported to the Board and Senior Management, the audit identified four root causes: (i) the current operational risk management (ORM) framework needs to be updated as it lacks several components; (ii) although IFC has a risk event reporting platform, it does not follow a systematic approach to collecting and analyzing operational risk data; (iii) ORM reports lack sufficient analysis of operational risk information and its impact on IFC’s business; and (iv) the resources allocated to the second line ORM function are insufficient. The audit noted that management had already acknowledged the issue and started to implement remedial actions.

7. MIGA’s Net Retention and Reinsurance Framework

The objective was to evaluate the governance, risk management, design and operating effectiveness of controls over MIGA’s management of its net retention and reinsurance framework.
Specifically, the audit assessed whether: (i) portfolio and project level decisions regarding the transfer and retention of risk are made consistently within the approved net retention and reinsurance framework and in line with MIGA's business strategy; (ii) processes are in place to monitor the compliance of the portfolio and individual projects within approved limits; (iii) systems and tools are adequate to manage reinsurance processes and net retention, including contract management; and (iv) senior management and the Board are periodically updated on the status and results of net retention and reinsurance decisions for effective oversight and decision making.

The audit concluded that MIGA’s governance, risk management, design and operating effectiveness of controls over the management of its net retention and reinsurance framework are satisfactory.