72511

Internal Audit Vice Presidency (IADVP)
FY12 Fourth Quarter Activity Report
August 27, 2012

Table of Contents

1 Summary of Key Engagement Outcomes
2 Budget Update
3 Annex 1: List of Engagements in the FY12 Q4 Activity Report

The Internal Audit Vice Presidency (IAD) is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of the WBG organizations. It assists WBG in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control and governance processes.

The purpose of this report is to provide a high level overview of IAD activities in the quarter to Senior Management and the Audit Committee. This Quarterly Activity Report is also publicly disclosed, under the Bank’s Access to Information Policy.

1. Summary of Key Engagement Outcomes

Fifteen engagements relating to the FY12 Work Program were finalized during FY12 Q4. In addition, two reports which were issued as draft in the previous quarter were also finalized. These included: three World Bank Group (WBG) audits, six International Bank for Reconstruction and Development/International Development Association (IBRD/IDA) audits, six International Finance Corporation (IFC) audits, one Multilateral Investment Guarantee Agency (MIGA) audit, and one review pertaining to the International Centre for Settlement of Investment Disputes (ICSID).

1. IAD’s audit of WBG Vendor Management covered the adequacy of risk management, control, and governance processes of the management of WBG’s vendors to support service excellence, control costs, and mitigate risks throughout the contract lifecycle. Following a recent change in leadership, management has self-identified key areas of enhancement and launched an initiative to strengthen procurement processes. Efforts underway include a “Vendor Management Project” to clean up the vendor master file and to develop tools and processes in SAP for managing vendors through the procurement lifecycle. IAD recommended a more strategic approach to managing the overall vendor portfolio, to complement management’s focus on transactional controls.

   Sidebar: Management has self-identified key areas of improvement, and launched an initiative to strengthen procurement processes.

2. The audit of WBG Pension Plan Administration covered the adequacy and effectiveness of the current governance structure for pension plan administration, related roles and responsibilities, controls of key transactional processes in the pension cycle, and support operations. The results indicated that controls are in place for all key pension processes including enrollments, contributions, benefit calculations and payments, terminations, retiree management, and support operations.

3. IAD’s audit of WBG External Web and Social Media covered key risks and controls across the WBG in the areas of external web governance, content management, and publishing, and the management of public social media channels such as blogs, Facebook, Twitter, Flickr, and YouTube. The audit results indicated that effective governance, staffing, processes, and technologies are contributing factors to the successful implementation of the external web and social media program.

   Sidebar: Effective governance, staffing, processes, and technologies contributed to successful implementation of the external web and social media program.

4. IAD’s audit of Bank's Server Virtualization reviewed the process of managing, securing and configuring virtualized servers. The audit noted that the Bank’s server virtualization approach is aligned with IMT’s strategy of capacity building with a focus on the quality and efficiency of service delivery through institutional standards to improve speed, flexibility, security and cost effectiveness. However, weaknesses exist in the areas of hypervisor security hardening and monitoring, and the server provisioning process. Management will develop the server hardening procedure in line with the WBG Virtualization Security Standards, implement risk-based monitoring of the hypervisor layer, and has taken steps to rectify the server provisioning process.

   Sidebar: The Bank’s server virtualization approach is aligned with IMT’s strategy of capacity building.

5. IAD’s audit of the Quality Assurance Process for Investment Lending Operations in IBRD/IDA focused on the effectiveness of the Bank’s processes (i) to provide project task teams timely feedback on quality throughout the project lifecycle, and (ii) to produce timely and reliable information on operational quality to report to senior management. The audit results indicated that the Bank has a system to provide project task teams with timely feedback on the quality of Investment Lending projects, especially during the preparation stage. However, it lacks (i) a clear definition of quality assurance, (ii) a clear process for involving the Networks in the management of quality, (iii) robust institutional guidelines for selecting peer reviewers for technical reviews, and (iv) consistent arrangements for checking the candor and realism of the task teams’ assessment of project implementation by clients. IAD recommended that management clearly define quality assurance, as distinct from quality controls, and develop a corporate methodology for capturing and aggregating information on operational quality.

   Sidebar: IAD recommended that management clearly define quality assurance, as distinct from quality controls, for Bank Investment Lending operations.

6. IAD's objective in performing a follow-up review of the Bank's Regional Integration (RI) Projects in the Africa Region was to determine whether management has taken the necessary corrective actions to address control weaknesses identified in management's past reviews. The main areas analyzed included the strategic alignment of RI projects with Country Assistance Strategies (CASs); accountability arrangements, fiduciary and safeguard risk management; and management information of RI projects. The audit results indicated that management recognized the distinctive operational challenges of RI projects and had developed an operations framework to meet the needs of RI projects. The control improvements instituted included (i) better integration of RI projects into the CASs, (ii) definition of an accountability framework for managing these projects, (iii) better fiduciary arrangements, and (iv) closer monitoring of disbursements.

   Sidebar: Management has recognized the distinctive operational challenges of RI projects and has developed an operations framework to meet the needs of RI projects.

7. The audit of the Management of Procurement Risk for Bank-Funded Projects focused on (i) assessment of procurement risks and the development of related action plans at the project level, and (ii) reviews of the borrowers’ procurement performance through “prior” and “post” procurement reviews and other supervision activities. The audit concluded that prior and post reviews of contracts for individual projects were carried out by properly accredited staff, according to project supervision plans, with close monitoring of delivery by the Regions. Issues identified in post reviews were also promptly followed up by project teams within a reasonable time frame. However, the implementation rate of the new institutional control tools, Procurement Risk Assessment and Management System (P-RAMS) and the Post Procurement Review System, has been low. Procurement-related information systems remained fragmented despite management’s plans to integrate them for better risk monitoring and decision making. Management has agreed to achieve full compliance with P-RAMS and deploy an integrated procurement dashboard as a pilot to provide project task teams with full procurement information.

   Sidebar: More consistent and complete usage of institutional control tools is needed in the management of procurement risk for Bank-Funded projects.

8. IAD’s audit of World Bank Data Management covered key data management risks and controls of structured and unstructured data across the Bank. The audit noted that the Bank has focused substantial effort on instituting policies and practices to manage documents and records (unstructured data). In contrast, the Bank does not have an enterprise-wide governance program to address the structured data needs across VPUs. The Bank currently relies heavily on manual processes to gather and consolidate data from disparate systems to meet business reporting needs. IAD recommended the development of an enterprise-wide governance program to address structured data needs across VPUs. IAD also recommended the formulation of a robust quality management program to drive data consistency and reliability as well as to monitor data integration and reporting activities. Management has initiated a Business Intelligence initiative to facilitate the integration of commonly used data elements that are required across all VPUs.

   Sidebar: There is a need for an enterprise-wide governance program to address the structured data needs across Bank VPUs.

9. IAD’s audit of the Information Management and Technology Network (IMT) Strategy Implementation concluded that IMT efforts and investments are aligned with the principles and objectives of the IMT Strategy, and recognized the implementation of the Federated Operating Model as one of its most significant accomplishments. Previously decentralized IT organizations within the Vice Presidential Units (VPUs) have been consolidated into Line of Business Centers of Excellence to better realize opportunities of scale and efficiency. A new governance model has also been established to provide direct line-of-business management accountability for IMT investment priorities. However, overarching milestones have not been developed to objectively measure progress and achievement of benefits of operationalizing the Strategy.

   Sidebar: The implementation of the Federated Operating Model is a significant achievement of the IMT Strategy.

10. IAD’s audit of the IFC’s Asset and Liability Management Framework covered the effectiveness, design and implementation of controls for asset and liability management in IFC. The audit results indicated that IFC follows a conservative risk management approach protecting the Corporation against interest rate and currency risk. In addition, the Corporation monitored aggregated risk on a daily basis, instituted operational triggers for residual risk tolerance, and defined clear roles and responsibilities for asset and liability management.

    Sidebar: IFC follows a conservative risk management approach in its asset and liability management.

11. IAD’s audit of IFC’s Treasury Valuation Process covered the design and implementation of controls within IFC’s treasury valuation process. While the audit noted no control gaps in the liquid assets portfolio, it recommended that key governance elements such as a valuation oversight committee, reporting processes and approved valuation directives be instituted in a formal manner.

12. IAD’s audit of the Fund Management Operations of IFC Asset Management Company (AMC) reviewed the AMC's key controls related to governance and risk management practices, conflicts of interest management, client relations and fund raising, the investment process and compliance with fund investment criteria, monitoring of outsourced services, and IT services and applications. The audit noted that controls are aligned with leading industry practices. The AMC has a sound governance and oversight structure, experienced staff and managers, and monitored investment criteria in accordance with established legal agreements.

    Sidebar: The IFC AMC’s fund management operations are aligned with leading industry practices.

13. IAD’s audit of IFC’s Server Virtualization reviewed the process of managing, securing and configuring virtualized servers. IFC’s server virtualization approach is aligned with management’s mission to provide flexible, robust, and secure IT capabilities. The audit identified findings in the areas of (i) trust zones within the virtual data center environment, (ii) sharing of the administrative account on the Hardware Management Console, (iii) hypervisor security hardening and monitoring, and (iv) the server provisioning process. Management has a network segmentation project in progress, and will add specific security hardening procedures to its policies and procedures repository, to address the issues identified.

    Sidebar: IFC’s server virtualization approach is aligned with management’s mission to provide flexible, robust, and secure IT capabilities.

14. IAD’s audit of IFC’s Profitability Measurement evaluated IFC’s profitability measurement framework and assessed the adequacy and effectiveness of the measurement methodology adopted by management, and the process used for calculating and monitoring profitability. The audit concluded that the successful implementation of the measurement framework was driven by (i) a consistent measurement methodology, (ii) reliability of data feeds, (iii) monitoring of data inputs, and (iv) central coordination at the corporate level to provide consistent guidance and resources to Industry Departments. The audit also noted that the improvement of profitability measurement is an evolutionary process, and there will be a need for greater accountability and ownership of the profitability measures as the framework is developed.

    Sidebar: IFC’s profitability measurement framework is driven by a consistent profitability methodology.

15. IAD’s audit of IFC’s Data Management covered key data management risks and controls of structured and unstructured data across IFC. The audit noted that though IFC has made a significant effort to institute policies and practices to manage structured data, there is a need for greater coordination between the business and IT on data-related initiatives. Management has agreed to create a Memorandum of Understanding (MoU) to document governance and data management coordination activities. For unstructured data, IFC follows the policies and procedures defined by the Bank, and has implemented a document management repository to centrally store and manage the data. IAD recommended the development of an enterprise-wide governance and monitoring program to manage unstructured data.

    Sidebar: There is a need for greater coordination between business and IT in IFC’s governance of structured data.

16. IAD’s audit of MIGA’s Portfolio Risk Monitoring and Reinsurance Processes reviewed the effectiveness and implementation of the controls within MIGA’s portfolio risk monitoring and reinsurance process. The audit noted that MIGA continues to enhance its risk management framework consistent with the dynamic nature of its portfolio and evolving market environment. The key elements of the control framework include management oversight, effective risk measurement, regular reporting and monitoring, and adequate segregation of roles and responsibilities.

    Sidebar: MIGA has continued to enhance its risk management framework consistent with the dynamic nature of its portfolio.

17. IAD’s advisory review of ICSID's Case Management Process covered the design and management of the business process improvement project from a risk perspective, and the design of key controls in the new process of managing cases for arbitration. IAD recommended that management identify specific goals of its business process improvement project, implement measures to improve controls of its case management process, and also recommended closer coordination between the business process improvement project and the implementation of the case management system.

    Sidebar: IAD’s advisory review of ICSID's case management process focused on the design of controls in managing cases for arbitration.

2. Budget Update

Total expenditures during FY12 Q4 were $3.8 million for a twelve month total of $11.7 million representing approximately 96% of the FY12 budget of $12.2 million.

Annex 1: List of Engagements in the FY12 Q4* Activity Report

WBG Engagements

| No. | Entity | Engagement Title | Report No. | Date Issued |
|-----|--------|------------------|------------|-------------|
| 1 | WBG | Audit of the Management of WBG Vendors | WBG-FY12-07 | 11-Jul-12 |
| 2 | WBG | Audit of the WBG Pension Plan Administration | WBG FY12-08 | 26-Jun-12 |
| 3 | WBG | Audit of WBG External Web and Social Media | WBG FY12-09 | 13-Jul-12 |

IBRD/IDA Engagements

| No. | Entity | Engagement Title | Report No. | Date Issued |
|-----|--------|------------------|------------|-------------|
| 1 | IBRD/IDA | Audit of the Bank's Server Virtualization | IBRD FY12-08 | 08-Jun-12 |
| 2 | IBRD/IDA | Audit of the Quality Assurance Process for Investment Lending Operations in IBRD/IDA | IBRD FY12-09 | 02-Jul-12 |
| 3 | IBRD/IDA | Follow-up Review of the Bank's Regional Integration Projects in the Africa Region | IBRD FY12-10 | 12-Jul-12 |
| 4 | IBRD/IDA | Audit of the Management of Procurement Risks for Bank-Funded Projects | IBRD FY12-11 | 16-Jul-12 |
| 5 | IBRD/IDA | Audit of World Bank Data Management | IBRD FY12-12 | 13-Jul-12 |
| 6 | IBRD/IDA | Audit of Information Management and Technology (IMT) Strategy Implementation | IBRD FY12-13 | 13-Jul-12 |

IFC Engagements

| No. | Entity | Engagement Title | Report No. | Date Issued |
|-----|--------|------------------|------------|-------------|
| 1 | IFC | Audit of IFC’s Asset and Liability Management Framework | IFC FY12-05 | 23-Apr-12 |
| 2 | IFC | Audit of IFC’s Treasury Valuation Process | IFC FY12-06 | 30-Apr-12 |
| 3 | IFC | Audit of the Fund Management Operations of IFC Asset Management Company, LLC | IFC FY12-07 | 11-Jun-12 |
| 4 | IFC | Audit of IFC's Server Virtualization | IFC FY12-08 | 25-Jun-12 |
| 5 | IFC | Audit of IFC's Profitability Measurement | IFC FY12-09 | 11-Jul-12 |
| 6 | IFC | Audit of IFC Data Management | IFC FY12-10 | 13-Jul-12 |

MIGA Engagements

| No. | Entity | Engagement Title | Report No. | Date Issued |
|-----|--------|------------------|------------|-------------|
| 1 | MIGA | Audit of MIGA’s Portfolio Risk Monitoring and Reinsurance Processes | MIGA FY12-02 | 11-Jul-12 |

ICSID Engagements

| No. | Entity | Engagement Title | Report No. | Date Issued |
|-----|--------|------------------|------------|-------------|
| 1 | IBRD/IDA | Advisory Review of ICSID's Case Management Process | IBRD FY12-07 | 19-Apr-12 |

*As per paragraph 16 (d) of the Bank’s Access to Information Policy, July 1, 2010, audit reports prepared by IAD shall not be publicly disclosed, except its finalized Annual and Quarterly Activity Reports.