94158

Internal Audit Vice Presidency (IADVP)
FY15 Second Quarter Activity Report
February 4, 2015

Table of Contents
1 Summary of Key Engagement Outcomes
2 Budget Update
3 Annex 1: List of Engagements in the FY15 Q2 Activity Report

The Internal Audit Vice Presidency (IAD) is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of the WBG organizations. It assists WBG in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control and governance processes.

The purpose of this report is to provide a high-level overview of IAD activities in the quarter to Senior Management and the Audit Committee. This Quarterly Activity Report is also publicly disclosed, under the Bank’s Access to Information Policy.

IADVP FY15 Second Quarter Activity Report

1. Summary of Key Engagement Outcomes

Four engagements were finalized during the quarter. These included: two World Bank Group (WBG) audits, one WBG advisory review, and one International Bank for Reconstruction and Development/International Development Association (IBRD/IDA) advisory review.

1. The objective of the audit of WBG Data Privacy was to assess the adequacy and effectiveness of: (i) the data privacy governance structure including organizational roles, responsibilities, and management oversight of the WBG’s current data privacy practices; and (ii) the policies and procedures for the collection, storage, use, transfer, and destruction of personal information and the existing practices implemented to ensure the privacy of the data. The audit highlighted that governance, risk management and control processes over WBG data privacy practices need improvement. There are existing WBG policies such as Principles of Staff Employment, select Staff Rules and Information Security policies that address staff privacy rights and obligations to some degree. These policies and rules provide guidance on protecting personal data related specifically to WBG staff, which is a significant portion of the personal data that WBG collects. However, these policies and principles do not address privacy rights or personal data handling practices for data collected on other individuals (e.g., vendors, client/country officials, and private individuals included in studies or surveys). The audit also highlighted that while certain business units have implemented some practices to manage and protect staff data, governance over privacy remains fragmented across the institution.

Sidebar: While certain WBG business units have implemented some practices to manage and protect staff data, governance, risk management and control processes over WBG data privacy practices can be improved.

2. The objective of the audit of WBG HR Processes Change Management was to assess the robustness of HR change management processes to enable broader institutional change including: (i) accountability structure and roles and responsibilities for change implementation and oversight; (ii) implementation planning; and (iii) implementation processes, including management of changes related to policies, procedures, IT systems and tools. Roles and responsibilities of the HR Leadership Team, Centers of Expertise (COEs), Business Partners (BPs), and the Shared Services unit in the new operating model have been clearly defined to manage the ongoing HR work program and the change management initiatives. Reporting mechanisms have been established whereby HR leadership, Senior Management, and the Board are periodically updated on the progress of the change management initiatives. However, given the critical role of the HR function as an “enabler” and as a “foundational pillar” of the broader institutional change agenda, the robustness and effectiveness of HR change management processes need improvement in the areas of: (i) the Accountability and Decision-Making Framework (ADM) for Change Management; (ii) Holistic program management of HR change initiatives; and (iii) Communication and stakeholder engagement. While project level oversight exists for individual change initiatives, there is need for a holistic program management capability that explicitly recognizes and manages the interdependencies across multiple HR change work streams and functional areas (both within and outside HR). HRDVP has agreed to establish and implement an HR governance operating model, by June 30, 2016, to improve accountability and decision-making effectiveness.

3. The objectives of the WBG IT Compliance Advisory Review were to: (i) evaluate the current state of the IT Compliance program and strategy; (ii) determine whether IT Compliance program activities are in line with leading practices; and (iii) assist ITSSR in developing a strategic and risk-based approach to continue enhancing the IT Compliance program and its maturity level. The review provided a holistic view of the organization’s risk and compliance activities and showcased the intended responsibilities of the IT Compliance function. Directional feedback and assistance were also provided to the IT Governance Risk Compliance (GRC) teams in documenting Responsibility Assignment Matrix and process flows to support the IT GRC activities going forward. The review documented a complete view of the ‘as-is’ state of the IT Compliance function, assessed it against leading practices and provided recommendations for the intended future state. Key recommendations were categorized as foundational, further enhancements and on-going requirements, and emphasized development of: (i) strong executive sponsorship and governance for the IT GRC functions; (ii) common understanding and clear definition of IT GRC objectives; (iii) clear definition of roles and responsibilities; (iv) prioritization of IT Compliance activities on risk basis; and (v) a framework to monitor and assess the impact of rule changes to the business and the IT risk environment.

4. The advisory review of the Country Management Unit (CMU) Norming was initiated at the request of Management, with the objective of providing an independent “fact-base” of qualitative and quantitative inputs to inform management’s deliberation and decision-making on CMU norming. The scope of the engagement included four key components: (i) the diversity of the CMU landscape; (ii) regional context; (iii) institutional factors and broader qualitative considerations; and (iv) the overlay of relevant operational work program metrics. The review results underscored the importance of: (i) clear communication of the intended objectives of any broader institutional effort to norm the CMU budget; and (ii) the “fit” between the overall objective being pursued and the implementation approach for effective operationalization and for securing the “buy-in” of stakeholders. A key take-away from the review was that moving towards normative staffing approaches through “CMU-based” norms was unlikely to be a viable option given the diversity and heterogeneity of the CMU landscape. IAD recommended that the creativity and insights of Country Directors (CDs) and Country Managers (CMs) be fully leveraged to design and achieve ER cost savings that are “sustainable and durable”. IAD also recommended a greater focus on medium-term budget discipline by providing flexibility in CMU staffing decisions to RVPs and CDs and by fostering selectivity and work program prioritization through informed budget allocation decisions.

Sidebar: Clear communication of the intended objectives and any broader institutional efforts to norm the CMU budget is essential to facilitate common understanding of the intended benefits of such an exercise.

2. Budget Update

Total expenditures for YTD FY15 Q2 were $3.4 million, representing approximately 33.4% of the FY15 budget of $10.1 million.

Annex 1: List of Reports issued in FY15 Q2*

WBG Engagements

No.  Entity    Engagement Title                                Report No.    Date Issued
1    WBG       Audit of WBG Data Privacy                       WBG FY15-01   Dec. 3, 2014
2    WBG       Audit of WBG HR Processes Change Management     WBG FY15-03   Jan 28, 2015
3    WBG       Advisory Review of the Jointness Models         WBG FY14-08   Sep 25, 2014
4    IBRD/IDA  Advisory Review of Country Management Norming   IBRD FY15-01  Nov 25, 2014

*As per paragraph 16 (d) of the Bank’s Access to Information Policy, July 1, 2010, audit reports prepared by IAD shall not be publicly disclosed, except its finalized Annual and Quarterly Activity Reports.