68411

Internal Audit Vice Presidency (IADVP)
FY12 Third Quarter Activity Report
April 25, 2012

Table of Contents

1. Summary of Key Engagement Outcomes
2. Update on IAD’s Quality Assurance and Improvement Program
3. Budget Status
Annex 1: List of Engagements in the FY12 Q3 Activity Report

The Internal Audit Vice Presidency (IAD) is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of the WBG organizations. It assists WBG in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control and governance processes.

The purpose of this report is to provide a high level overview of IAD activities in the quarter to Senior Management and the Audit Committee. This Quarterly Activity Report is also publicly disclosed, under the Bank’s Access to Information Policy.

IADVP FY12 Third Quarter Activity Report / 2

1. Summary of Key Engagement Outcomes

Seven engagements relating to the FY12 Work Program were finalized during FY12 Q3. These included: two World Bank Group (WBG) audits, two International Bank for Reconstruction and Development/International Development Association (IBRD/IDA) projects, and three International Finance Corporation (IFC) audits.

1. IAD’s audit of the Bank’s Reserves Advisory and Management Program (RAMP) covered the institutional governance structure, program-level key performance indicators to track developmental impact, reporting to the Board, and the process for managing risks associated with development of proprietary software packages, for use by RAMP clients. Management implemented several changes, based on IAD’s audit recommendations which included organizational changes to better manage the RAMP business; establishment of a committee for a stronger quality assurance process; and an independent external review of RAMP’s proprietary Portfolio Analytics Tool (PAT). In addition, IAD recommended creating an oversight body to strengthen fiduciary oversight of third-party client engagements; developing key performance indicators to measure the development impact of RAMP; and submitting a comprehensive Program-level review of RAMP.

   [Margin note] IAD recommended creating an oversight body to strengthen fiduciary oversight of the RAMP program.

2. IAD’s advisory review of the Bank’s Portfolio Analytics Tool: Version 2 (PAT II) covered the robustness of the control environment and overall implementation approach for the new version of the Portfolio Analytics Tool (PAT II), one of the tools provided by Treasury to several of its clients to support reserve management activities. IAD recommended that Treasury undertake several actions prior to releasing PAT II including improvements in peer review, documentation, data integrity and automation of controls.

   [Margin note] The review of the Portfolio Analytics Tool (PAT II) covered the robustness of the control environment and overall implementation approach for the new version of the tool.

3. IAD’s audit of IFC's Investments in Private Equity Funds was designed to verify whether IFC had adequate governance, risk management, and controls in place to manage its investments in private equity funds. Although the majority of individual investments in private equity funds were well managed, IAD recommended that IFC develop a corporate strategy for investing in private equity funds that encompassed all investment units, develop a system solution for the retrieval of information on private equity fund investments, and further define the content and extent of the Integrity Due Diligence.

   [Margin note] IFC management will develop a corporate strategy for private equity investments and develop system solutions for portfolio monitoring.

4. IAD’s audit of IFC’s Process for Credit Risk Management noted that IFC conducted due diligence to identify and address potential credit risks, and also performed detailed ongoing operational portfolio reviews. However, monitoring of credit risk for IFC's portfolio was fragmented across the individual regions, and it lacked a comprehensive credit risk directive that defined practices and procedures related to portfolio management of credit risks. IAD recommended that IFC leverage existing policies and procedures to create and implement a comprehensive credit risk management directive, and define roles and responsibilities for comprehensive credit risk monitoring, oversight and reporting at the portfolio level.

   [Margin note] IFC conducted due diligence to identify and address potential credit risks, and also performed detailed ongoing operational portfolio reviews of country offices.

5. IAD’s audit of IFC's Structured Finance Operation noted that although individual projects were well managed, the operational framework for initiating, appraising, and supervising structured products was not well defined, largely due to the organic growth of the structured finance portfolio. IAD recommended that IFC develop specific procedures which covered all standard structured finance products, and disseminate knowledge of these procedures through appropriate training courses/materials.

6. IAD’s audit of WBG Network Perimeter Security covered the configuration and management of network security devices. Management has implemented network perimeter security controls, such as network traffic filtering and network security monitoring, to prevent and detect threats and attacks from external parties. The audit results indicated the need for comprehensive security standards and enforcement of those standards for network devices. Management took corrective actions to address the majority of the identified issues, while the audit was still underway, and presented a plan for addressing the remaining issues.

   [Margin note] Comprehensive security standards should be developed for WBG network devices to strengthen security monitoring.

7. IAD’s audit of the WBG Pension Plan Investments indicated that the design and implementation of controls over the management of the WBG Pension Plan investments are effective. Well designed processes are in place covering key areas of portfolio management, performance measurement and benchmarking, cash management, risk management, and reporting.

   [Margin note] Design and implementation of controls over the management of the WBG Pension Plan investments are effective.

2. Update on IAD’s Quality Assurance and Improvement Program

The Professional Practices (PP) group within IAD completed a number of action steps to address issues raised in prior Quality Assurance and Improvement Program (QAIP) reviews. The action steps completed in the last six months, at the activity level (VPU-wide quality initiatives) included: (i) issuance of guidance on systematic distribution of IAD reports to stakeholders; (ii) completion of training for all audit staff, on the application of risk-based audit report writing; and (iii) modification of the “Issues and Action Plan” template for consistent and risk-focused capturing of engagement issues.

During Q4, IAD will undertake specific actions at the engagement level, which include: (i) designing an “engagement checklist” spanning the audit life cycle, covering key engagement milestones; and (ii) simplifying the Risk Control Matrix (RCM) template to improve consistency in work paper documentation of risks and controls.

   [Margin note] IAD will review and incorporate relevant aspects of guidance issued by the IIA in its recently released “Practice Guide on Quality Assurance and Improvement Program” into its QAIP program.

Activity Level
- Guidance issued to promote systematic dissemination of engagement reports
- VPU-wide training on risk-based audit report writing
- Operationalization of lessons learned from report writing training – new Issues and Action Plan Template

Engagement Level
- Design of engagement checklist which will serve as a monitoring tool for covering key quality checkpoints
- Simplification of the Risk Control Matrix template to improve consistency in documentation of risks and controls.

3. Budget Status

IAD's budget run rate as of FY12 Q3 was at 64%, equivalent to US$7.8 million in expenditures. IAD will stay within its authorized FY12 budget of US$12.2 million.

Annex 1: List of Engagements in the FY12 Q3 Activity Report [1]

WBG Engagements

No.  Entity    Engagement Title                                                   Report No.    Date Issued
1    WBG       Audit of the WBG Network Perimeter Security                        WBG FY12-05   11-Apr-12
2    WBG       Audit of the WBG Pension Plan Investments                          WBG FY12-06   18-Apr-12

IBRD/IDA Engagements

No.  Entity    Engagement Title                                                   Report No.    Date Issued
3    IBRD/IDA  Advisory Review of Portfolio Analytics Tool: Version 2 (PAT II)    IBRD FY12-05  1-Feb-12
4    IBRD/IDA  Audit of the Reserves Advisory and Management Program (RAMP)       IBRD FY12-06  6-Feb-12

IFC Engagements

No.  Entity    Engagement Title                                                   Report No.    Date Issued
5    IFC       Audit of IFC's Investments in Private Equity Funds                 IFC FY12-02   2-Feb-12
6    IFC       Audit of IFC’s Process for Credit Risk Management                  IFC FY12-03   8-Mar-12
7    IFC       Audit of IFC's Structured Finance Operation                        IFC FY12-04   14-Mar-12

[1] As per paragraph 16 (d) of the Bank’s Access to Information Policy, July 1, 2010, audit reports prepared by IAD shall not be publicly disclosed, except its finalized Annual and Quarterly Activity Reports.