Group Internal Audit FY19 Annual Report

The World Bank Group comprises five institutions: the International Bank for Reconstruction and Development (IBRD), the International Development Association (IDA), the International Finance Corporation (IFC), the Multilateral Investment Guarantee Agency (MIGA), and the International Centre for Settlement of Investment Disputes (ICSID). In the context of this report, “World Bank Group institutions” refers to IBRD, IDA, IFC, MIGA, and ICSID. “The Bank” refers to IBRD and IDA.

The World Bank Group has two goals: To end extreme poverty and promote shared prosperity in a sustainable way.

Cover Photo © World Bank / Stephan Gladieu

CONTENTS

FOREWORD BY THE AUDITOR GENERAL
WORK PROGRAM OVERVIEW
OUR PRODUCTS
OUR WORK PROGRAM
EXECUTIVE COMMENTARY
WHO WE ARE
OUR MANDATE
OUR REPORTING LINES
OUR VISION, MISSION, AND STRATEGIC PRIORITIES
OUR TEAM
HOW WE DELIVER
STAKEHOLDER ENGAGEMENT
DYNAMIC RISK ASSESSMENT AND WORK PROGRAM DEVELOPMENT
COORDINATION AND COLLABORATION WITH OTHER WORLD BANK GROUP OVERSIGHT FUNCTIONS
LEARNING, INNOVATION, AND KNOWLEDGE SHARING
DELIVERING RESULTS TO INFLUENCE POSITIVE CHANGE
APPENDIX: GIA’S COVERAGE IN FY19

FOREWORD BY THE AUDITOR GENERAL

FY19 marked an exciting and significant transition period for Group Internal Audit (GIA), formerly known as the Internal Audit Vice Presidency (IAD). Within a rapidly changing external and internal environment, as the Bank Group implements commitments made in 2016 in the ‘Forward Look’[1], GIA plays a key role in helping the institution be as effective as possible at reducing poverty and promoting shared prosperity across the world. In this dynamic environment, October 2019 marked the completion of my first year as GIA’s Vice President and Auditor General at the World Bank Group, as well as the publication of this GIA Annual Report.

GIA provides an independent view on whether the risk management, control, and governance processes of Bank Group entities are adequately designed by management and functioning effectively.

To ensure GIA is best positioned to fulfill our mandate and protect and enhance the value of the Bank Group we have reviewed our strategy and how we operate. While GIA’s core mandate has not changed, there is a need to enhance GIA’s impact, performance, and flexibility to support the Bank Group in achieving its strategic objectives.
As part of our review we refreshed our vision and mission to fully align GIA’s activities with the Bank Group’s goals and priorities. In addition, we launched a number of internal initiatives to take GIA to the next level, by

• Further developing our relationship with management and the Board of the Bank Group by being more proactive;
• Strengthening our risk assessment process and dialogue, in particular with other risk functions and colleagues across the Bank Group;
• Increasing efficiencies in our engagement planning and monitoring process; and
• Revising our audit methodology and communications material, and rebranding the Internal Audit function to clarify our role and value to the Bank Group.

[1] “Forward Look – A Vision for the World Bank Group in 2030 – Progress and Challenges” – Development Committee (Joint Ministerial Committee of the Boards of Governors of the Bank and the International Monetary Fund on the Transfer of Real Resources to Developing Countries).

These initiatives will help position GIA to effectively meet the heightened assurance and flexibility expectations from Senior Management and the Board.

Internal and external demands on the Bank Group are increasing regarding efficiency, transparency, and alignment with regulations. In addition, the Bank Group is scaling up investment, knowledge, and advisory services for fragile and conflict-affected countries. Hence, a clear, accurate, and comprehensive picture of the most significant risks to the organization is critically important.

Various functions within the Bank Group perform different risk management, compliance, and assurance activities independently of one another. Efforts are under way to develop more effective and systematic coordination and reporting between these groups so that risk management and assurance work is not duplicated, or key risks missed or misjudged, which could lead to unnecessary costs and exposure.
GIA is in a privileged position as one of the few functions with a mandate that spans across the World Bank Group, giving us the ability to compare and contrast practices among the Bank Group institutions. We can therefore offer a holistic view of its risk management, controls, and governance, and are able to promote good control practices. Hence one of my ongoing focus areas will be on closer collaboration with the risk management functions, to improve real-time risk visibility, develop an assurance map across the entire organization, and provide strategic insights that deliver high value.

In addition to sharpening the risk focus, I am putting emphasis on the following:

• Developing talent. Continually developing skills within GIA to meet the needs of the future.
• Building and sustaining partnerships across the Bank Group. Strengthening GIA’s role in providing advice and anticipating issues, by working together.
• Embracing new technologies and ways of working. Leveraging new tools to perform better analysis, update processes, improve communications, and provide insights.
• Viewing reporting through a new lens. Shifting reporting from a retrospective focus to a forward-looking view.
• Communicating about GIA. Raising awareness of the value of GIA’s role and mandate, to increase effectiveness of its services and work.

This Annual Report describes GIA’s activities, engagement outcomes, and thematic observations for FY19. It highlights areas where we have made the most impact in terms of our activities and engagement with our stakeholders.

I would like to extend my sincere appreciation to the World Bank Group’s President and the Audit Committee for their continued guidance and support of GIA. I also thank management and staff for collaborating closely with our team during engagements, and GIA staff for their efforts in and commitment to delivering our mandate and serving our stakeholders.
Anke D’Angelo

WORK PROGRAM OVERVIEW

OUR PRODUCTS

GIA provides two services (assurance and advisory) and delivers three engagement products (audits, assurance reviews, and advisory reviews). The selection of product for each engagement is primarily determined by the maturity of the process to be reviewed and the needs of the client.

Assurance

These provide the Audit Committee and management with independent assurance on the risk management, control, and governance processes of the organization:

• Audit: Provides an overall report rating and individual ratings on all issues, and are for mature processes. Issues identified require management action plans that are monitored by GIA through to implementation, and their progress reported to the Audit Committee.
• Assurance Review: Provides assurance on early implementation of new processes, and input for course corrections before processes are fully established. While no overall report rating is provided, identified issues are rated and require management action plans that are monitored by GIA and reported to the Audit Committee.

Advisory

Typically for processes in design or early implementation, GIA provides management non-binding advice relating to risk management, control, and governance processes. Advisory reviews provide management with recommendations (rather than issues), and only a summary is reported to the Audit Committee.

[Chart: Engagement Products: Audit 60%, Assurance Review 20%, Advisory 20%]

OUR WORK PROGRAM

GIA’s FY19 work program delivered 25 assurance and advisory engagements, which focused on the most significant risks for the Bank Group institutions. The work program covered core development operations, corporate and administrative areas, and information technology. The list of engagements is provided in the appendix “GIA’s Coverage in FY19”.

Given the maturity of business processes across the institution, the GIA FY19 work program provided an adequate mix of audits (60%), assurance reviews (20%), and advisory reviews (20%) that balance GIA’s primary role as a provider of assurance with the delivery of additional consulting services. A breakdown of these engagements by entity and risk category is presented below.

[Chart: Entity Breakdown (MIGA, IFC, IBRD/IDA, WBG)]

[Chart: Risk Categories (Operational Risk, Strategic Risk, Financial Risk, Development Outcome Risk/Business Risk)]

EXECUTIVE COMMENTARY

This section provides key observations and trends in the Bank Group’s overall risk management, control, and governance environment. These are based on GIA’s work in FY19 through assurance and advisory engagements of business processes and initiatives, monitoring of risks to the Bank Group, and ongoing dialogue with management and the Board.

1. Effective risk management is critical to the Bank Group’s ability to achieve its strategic objectives

The global risk landscape is continuously changing due to rapid technological innovation, geopolitical tensions, natural disasters, and evolving global standards and norms. In this environment, exposure to cyber security risk, business disruption, and regulatory and legal risks, among others, are becoming more difficult to identify and manage. Additionally, growth in the Bank Group’s operations in low-income and fragile states that have difficult operating environments has increased operational risks, such as threats to staff safety in the field as well as risks to achieving intended development outcomes. Managing these risks requires the Bank Group to be well prepared with the right frameworks and procedures in place, and able to adapt rapidly to changes.

Central to effective risk management is the establishment of a systematic risk information framework that facilitates reporting on established risk appetites and tolerances, and better flow and sharing of risk information.

Risk Management Frameworks: Informed risk-taking in an increasingly complex and unpredictable global environment calls for robust frameworks that enable the identification, measurement, prioritization, mitigation, monitoring, and reporting of existing and emerging risks. Having systematic frameworks to identify, assess, monitor, and respond to potential threats to the Bank Group is important to understand their potential impact on the organization. Equally important is to aggregate and analyze risks to identify trends and the cross-cutting impact of these risks to the organization. These approaches will help management make informed decisions by determining the desired level of risk and mitigating identified risks to an acceptable level.

Given the harm that these risks can cause, should they materialize, GIA undertook a number of assurance and advisory engagements across the Bank Group’s risk landscape. While risk frameworks for managing individual risk categories for the various institutions exist, including operational, financial, and development outcome risks, opportunities remain to further align, aggregate, and analyze risk information at the organization level to provide reasonable assurance regarding the achievement of the Bank Group’s objectives within an acceptable risk appetite.

Efforts should continue to further align and improve the management of risk at the organization level, including determining how different risks interact with each other and evaluating their cumulative impact on the Bank Group.

Managing Operational Risks[2]: Through audits of the Bank’s Management of Operational Risks and IFC’s Management of Operational Risks, GIA confirmed that the World Bank[3] has a well-developed framework to effectively manage operational risks. However, the International Finance Corporation (IFC) needs clearer delineation of roles and responsibilities and a systematic approach to capture, analyze, and report on organization-wide operational risk information.

World Bank Group institutions should continue strengthening their operational risk management frameworks by embedding approved risk appetites into business activities and improving the quality of reporting residual risks to Senior Management and the Board.

[2] The World Bank’s Operational Risk Management Directive defines operational risk as risks resulting from inadequate or failed internal processes, as well as risks from people and systems, or from external events that may result in financial loss or damage to the Bank’s reputation.

[3] World Bank refers to the International Bank for Reconstruction and Development (IBRD), and the International Development Association (IDA).

Managing Financial Risks: Effective financial risk management is critical to the ability of the World Bank Group institutions to preserve their credit quality and long-term financial viability. GIA’s audits of the Implementation of IBRD’s Asset Liability Management (ALM) Framework and IFC’s Asset Liability Management Framework confirmed that ALM risks are managed conservatively in line with existing policies of both institutions. However, IFC’s policies should be updated to reflect current industry best practices in currency and interest rate risk management.

Sound management of financial risks is a key element of innovations that have financial implications. The International Development Association (IDA) made a significant change to its financing model by blending its traditional sources of funding with capital market-funded debt. While this transformation significantly expands IDA’s ability to achieve development outcomes in poor countries, it also increases the financial risks that IDA faces in the execution of its operations. In its Audit of IDA’s Financial Risk Management Framework, GIA concluded that management has established an effective governance and operational framework to support the implementation of IDA’s new financing model.

Managing Development Outcome Risk: As a development organization, the Bank Group needs to pay special attention to managing risks that could affect development outcomes in projects implemented by client countries and private sector entities. Establishing a framework for this, referred to as Development Outcome Risk (DOR), is complex as these risks are not easily quantifiable. It requires identifying risk indicators that can be meaningfully aggregated, are suitable for capturing the complex and diverse nature of development operations, and can be embedded in operational processes. The push to scale up the Bank’s operations in countries experiencing fragility, conflict, or violence (FCV countries) has led to a recognition that management should invest more attention and resources to mitigating risks in FCV countries and to differentiate associated risk appetites across the portfolio to meet varying development needs of clients. This has increased institutional efforts to effectively capture and report on DOR to enable the review of risk information not only for each project but also at the portfolio level. The portfolio-level view provides the overall view of the institution’s activities, considering risk, development impact, performance, and other parameters, as distinct from the individual project-level view of the same parameters.
As the World Bank Group institutions continue introducing innovations to strengthen their financial capability and sustainability, new financial risks associated with such innovations should be assessed in advance and continuously monitored.

Following GIA’s FY18 Audit of the Bank’s Implementation of Systematic Operations Risk-Rating Tool (SORT) in Supporting Operational Decision-Making, management has made significant progress in reporting DOR to the Board. Management has also started producing a dedicated chapter in the Quarterly Business and Risk Report (QBRR) on risk, which provides an overview of key risk drivers and various approaches being adopted to address and manage these risks. The analyses in this QBRR chapter provide additional insights to improve the application of risk mitigation tools, quality enhancement, and resource allocation. In addition, responding to the Board’s request, management has been working to define risk appetite and risk tolerance for DOR for Bank operations. GIA supported this initiative by participating in the sponsoring and steering committees of the Development Outcome Risk initiative. Management is expected to start the implementation of the new risk appetite framework in FY20.

Similarly, IFC is enhancing its approach to portfolio decision-making by methodically applying analytics to its portfolio risk data. IFC’s ‘Portfolio Approach’ uses project risk data and development impact indicators to map the performance of projects in IFC’s portfolio, considering both risk-adjusted return and development outcomes. This mapping is intended to facilitate more intentional portfolio decision-making, which differentiates the performance of the portfolio across geographies, sectors, and products. This approach requires a more harmonized assessment of the development outcomes and risks across IFC’s portfolio. In its Advisory Review of IFC’s Portfolio Approach, GIA confirmed that IFC’s proposed portfolio approach methodologies are aligned with emerging practices in the development community, including Multilateral Development Banks and investors who focus on making a positive impact on society and the environment beyond financial returns. GIA recommended that IFC’s management further clarify and communicate the purpose and application of the Portfolio Approach and establish a clear roadmap for implementation, with strong governance.

With the growing expectation of increased informed risk-taking for greater development impact, the World Bank Group institutions need an aggregated portfolio view of risks that is combined with development impact indicators. This will be valuable in deciding on trade-offs among different options to support clients to maximize the results of operations.

In the Audit of IFC’s Monitoring of Environmental and Social (E&S) Conditions during Project Supervision and the Audit of the Bank’s Management of Financial Management Risk in Investment Project Financing (IPF) Projects in Countries Experiencing Fragility, Conflict or Violence (FCV), GIA observed that staff were closely monitoring project implementation. However, key controls could be better integrated into the formal system workflow in IFC, and in the World Bank the risk ratings of projects could be updated more consistently during project implementation. These enhancements would facilitate better portfolio-level risk monitoring and risk-based resource allocation.

Management should pay close attention to effective risk management during project implementation, especially in FCV countries, to drive effectiveness and transparency in the use of project resources as well as successful development outcomes.

Fiduciary, Environmental, and Social Risk Management[4]: The Bank Group’s push to do more in FCV countries requires increased attention to fiduciary, environmental, and social risks in implementing projects in these countries. Limited client and market capacity for managing these risks adds to the challenge. Hence, strengthening the implementation capacity of clients, deploying adequate supporting IT systems, and an enhanced focus on risks during project implementation will be necessary. GIA conducted three engagements in FY19 focusing on these risks. In its Audit of the Bank’s Grievance Redress Service (GRS), which is designed to facilitate the Bank’s response to environmental and social grievances under Bank projects, GIA identified that the implementation of the GRS had not been fully consistent with its intended purpose. In response to this conclusion, management is improving the process as a high priority.

[4] Fiduciary risks relate to the risk of the Bank Group and donor funds not being used for the intended purposes. Environmental and Social (E&S) risks relate to the risk of environmental and social externalities associated with development projects.

2. Efficiency demands call for cost-benefit analysis for all major initiatives

With the endorsement of the capital package[5] in 2018, the World Bank Group intensified efforts to build a “better and stronger”[6] institution that is more agile, effective, and responsive. This resulted in the introduction of a range of new efficiency measures aimed at managing salary and workforce growth, and achieving savings from corporate procurement and real estate, as well as from administrative simplification through technology and other approaches.

Developing Bank Group-wide guiding principles on efficiency, establishing a nimble approach to operations, and adopting the latest technology are key to becoming a “better and stronger World Bank Group.”

Identifying efficiency gains: To effectively contain the cost of doing business while supporting a significant scale-up in lending, the Bank Group has further strengthened its efficiency agenda. As agreed in the capital package, management has committed to the implementation of additional efficiency measures over the period FY19-30. In its Advisory Review of WBG Institutions’ Framework to Support the Implementation of the Efficiency Agenda, GIA recommended that management increase the use of incentives to support the successful implementation of the efficiency agenda, and continue developing mechanisms to monitor and measure the efficiency gains from the implementation of measures committed to as part of the capital package. These would help sustain efficiency gains that the institution has achieved so far through implementing various initiatives aimed at enhancing its financial sustainability.

[5] The Capital Package for IBRD and IFC is a management commitment to the shareholders to implement internal reforms and policy measures to support a capital increase of US$13.5 billion.

[6] “Forward Look – A Vision for the World Bank Group in 2030 – Progress and Challenges” – Development Committee (Joint Ministerial Committee of the Boards of Governors of the Bank and the International Monetary Fund on the Transfer of Real Resources to Developing Countries)

Efficiency is also pursued in the context of expanding the Multilateral Investment Guarantee Agency’s (MIGA) business capacity. By increasing the reinsurance limit, MIGA generated additional capacity to provide political insurance and credit enhancement to promote cross-border investment in developing economies. GIA’s Audit of MIGA’s Net Retention and Reinsurance Framework concluded that the risks in reinsurance practices are being adequately managed.

Further, Bank management has implemented an ongoing program of business reviews to evaluate spending in each business unit and identify opportunities for greater efficiencies and closer strategic alignment. Under the umbrella of the ‘Administrative Process Simplification’, the Bank is pursuing a range of efficiency initiatives aimed at simplifying approval processes, implementing a shared services strategy, streamlining administration of external funds, and leveraging technology (such as robotic process automation) to foster process efficiencies. The Audit of the Bank’s Implementation of the Cost Recovery Framework for Trust Funds confirmed that the Bank effectively implemented the framework to increase recovery of the costs of activities funded by trust funds.

In keeping with the Bank Group’s objectives of agility and efficiency, the Information and Technology Solutions (ITS) strategy focuses on delivering IT solutions better, faster, and more efficiently. An important business solutions delivery mechanism for the Bank Group is the Rapid Application Development (RAD) function. Through agile techniques that provide faster turnaround times, RAD offers small and medium-sized IT business solutions to business requirements not addressed by enterprise solutions. While recognizing the value of RAD, GIA’s Audit of the World Bank Group’s Rapid Application Development highlighted that the RAD function could be more proactive in identifying IT-related business needs that can be easily addressed through RAD.

The effective automation of manual processes is essential to gain greater efficiency. In the Audit of the Implementation of IBRD’s Asset Liability Management (ALM) Framework, GIA stressed that the development of an integrated ALM central system will enable more robust analytics to support key management decisions. In its Assurance Review of the Use of the Bank’s Corporate Scorecard, GIA highlighted that the scorecard indicators can be produced more efficiently through an automated data entry, approval, and aggregation process. Similarly, in the Advisory Review of the World Bank Group’s IT Change and Release Management Process, which enables the planning, modification, and rollout of technology solutions in response to business needs, GIA highlighted that simplification and standardization of such core processes can improve the effectiveness of controls as well as overall efficiency.

To measure the delivery of cost savings commitments made in the capital package, management should develop a framework to measure, monitor, and report on the progress of efficiency savings. Management should also continue to identify time-consuming manual tasks that can be automated, to increase productivity and free up staff time for more value-added activities.

Assessing Cost-Benefit: In the Assurance Review of the Bank’s Core Capital Markets Systems Renewal (CCMSR) Program, GIA reviewed a large system implementation project supporting the capital markets platform, market standard valuation models, and liquidity management solutions. GIA stressed the importance of continuously measuring the realized benefits of the program, and recognized the need to enhance the capital budgeting process for large system implementation or business transformational projects.
Likewise, in its Audit of IFC’s Capital Budget Process, GIA emphasized that capital investment decisions should be underpinned by robust upfront cost-benefit analyses and post-completion benefits reviews to ensure that capital resources are channeled toward investments that yield the highest value to the Bank Group.

Management should perform cost-benefit assessments for major capital investments, and assess the realization of benefits to help ensure that resources are used wisely.

3. Strengthening the business model is imperative to delivering development results

Given limited public resources and increasing development needs, the World Bank Group institutions must continually improve their business models, while also forging effective external partnerships.

Continually refining and updating their business models to adapt to the changing environment and client expectations is key to the success of the World Bank Group institutions in driving internal effectiveness and fostering external partnerships to achieve development goals.

Improving the Business Processes: Continually refining and improving the business processes of the World Bank Group institutions is vital to enable better and faster responses to rapidly changing client needs.

The Bank initiated an ‘Agile Bank Program’ as an institutional initiative in 2016 to apply a bottom-up, staff-driven approach to improve the ways in which the Bank carries out its operations. Following GIA’s advisory review on the initial implementation in FY18, the Bank has since adopted GIA’s recommendations that the Agile Bank Program be expanded beyond the pilot phase and has rolled it out across the Bank.

The Bank Group is working on various new innovative approaches to improve operational effectiveness and efficiency. These new approaches, which are currently being tested, are a key focus area for GIA.
For example, the ‘smart fiduciary’ initiative, which aims to build simplified and efficient processes in fiduciary risk management in the Bank’s operations, was covered in the Audit of the Bank’s Management of Financial Management Risk in Investment Project Financing (IPF) Projects in Countries Experiencing Fragility, Conflict or Violence (FCV). The Bank’s Grievance Redress Service (GRS) is another mechanism to enhance the Bank’s ability to swiftly address environmental and social concerns from communities affected by Bank-funded projects.

Management should continue to innovate and develop new approaches to meet Bank Group commitments and future demands.

World Bank Group Inter-Institutional Collaboration: The Bank Group’s strategy has prioritized the role of the private sector in development, through the Group-wide “Maximizing Finance for Development” (MfD) and “Cascade” initiatives. Success of these initiatives is predicated on significant improvement in operational collaboration between the World Bank Group institutions, particularly on activities that support creating markets for private sector development. Through the Assurance Review of the Management of IDA18 IFC-MIGA Private Sector Window (PSW)[7], which is a new financing model for development, GIA confirmed that the assigned roles and responsibilities across business units, as well as the project selection criteria, have consistently been followed as designed. However, GIA identified further opportunities for Bank-IFC collaboration during the project preparation. Different organizational cultures and project lifecycle timelines across the World Bank Group institutions can make collaboration challenging. Therefore, management will need to further encourage and incentivize accordingly to achieve the desired collaboration between the different institutions. Strengthening collaboration in developing country and sector strategies, identifying and influencing policy changes, and preparing collaborative projects will be important to fully realize the synergies of the World Bank Group institutions. This review was conducted midway through the implementation of the Private Sector Window to provide stakeholders early input.

The World Bank Group institutions should revise incentives and clarify roles and responsibilities to foster closer collaboration for the successful implementation of the Group’s strategic priorities related to capital mobilization and private sector involvement in development.

[7] As part of the IDA18 replenishment US$2.5 billion (SDR 1.8 billion) was designated for mobilizing private sector investments, with a particular focus on IDA-eligible FCV-affected countries. The PSW makes strategic use of IDA’s financial resources to catalyze private investments in challenging markets, by leveraging IFC’s and MIGA’s business models and client relationships.

Management of External Funds: The external funds managed by the Bank Group, including trust funds and Financial Intermediary Funds (FIFs), are key pillars of the Bank Group’s development finance as they facilitate responses to emerging global needs and provide flexible and customized solutions to help clients achieve their development goals. Considering the growing importance of external funds in the implementation of the Bank Group’s development agenda, management has embarked on a series of reform initiatives aimed at strengthening the alignment of trust funds with institutional strategic priorities.

The Bank Group has developed an updated FIF Management Framework, building on earlier initiatives and experience.
This new framework aims to enhance the Bank Group’s role in the selection, design, and oversight of FIFs for closer alignment with its strategies and operations, as well as better risk management and consolidation of externally-funded operations. GIA reviewed this framework through its Assurance Review of Management’s Reform Activities for Financial Intermediary Funds and concluded that the updated Framework provides a solid basis for more effective and efficient management of FIFs. However, timely and consistent implementation across the FIF portfolio will be critical to achieve sustainable improvements.

Management should continue to look for opportunities to strengthen its oversight of external funds and achieve closer alignment with the Bank Group’s strategic priorities.

4. People and data are key Bank Group assets

In view of the continued decentralization of the World Bank Group institutions, operational risks have increased as staff are more distributed across the globe, with increased reliance on diverse ways to effectively connect, communicate, and access information. Staff exposure has increased to security risks such as natural disasters, medical emergencies, political unrest, disease outbreaks, and crime. Meanwhile, threats to confidentiality, integrity, and availability of critical data continue to grow in the face of risks posed by cyber threat groups. As the IT service delivery model evolves with an increasing reliance on third parties, the strategic importance of IT solutions and services must remain a primary focus.

The expansion of Bank Group operations into FCV environments, and changing geopolitical conditions have increased risks to staff safety and security around the globe. Confidentiality, integrity, and availability of critical data, and the quality of supporting IT solutions and services continue to be of strategic importance.

Staff Safety: The safety of Bank Group staff is a priority for management. An evolving global risk profile, as well as an increasing number of security incidents in previously low-risk countries, has accentuated the need for implementation of a global security strategy that proactively delivers effective security services to staff across the globe. Following GIA’s review of the initial design of global security in FY17, GIA continued its coverage of this important area with WBG’s Staff Travel Safety Arrangements in FY19 and validated that risks to the safety of staff on official travel are largely identified and managed. However, GIA stressed the importance of setting even higher travel safety and health standards, enforcing management and staff compliance with essential travel safety measures, and reporting and analyzing travel safety and health events to further reduce occurrence of safety and security related incidents.

To maintain workforce safety and security, management should continue to implement strong security oversight, clear accountability, and defined security incident escalation mechanisms.

Cybersecurity and IT Controls: With increasing importance of data and interconnectivity for the Bank Group, its ability to withstand the disruptive consequences of a large-scale cyberattack becomes more crucial. Cyber threats with a broad range of attacks and social engineering evolve rapidly as attackers become more inventive. Protecting the data and integrity of computing assets connecting to networks necessitates a strategic approach to information security. In FY19, management finalized the refresh of its cybersecurity or information security strategy, which defines how the information security program will protect and secure the Bank Group’s critical data, counter new and evolving threats, and support the integration of cybersecurity in everyday business operations.

Facing a dynamic cyber-risk environment, management needs to remain focused on areas such as cybersecurity threats (not only from outside, but also from insider threats – people within the organization), security awareness and training, and vulnerability and threat assessments. Applying a multiyear audit program approach, GIA validates different aspects of IT and cybersecurity every year. Several positive cybersecurity practices exist in the Bank Group’s IT environment. For example, access to highly valuable privileged accounts (such as system and database administrators) is adequately restricted, secured, and monitored. Similarly, GIA confirmed through the Audit of the World Bank Group’s Global IT Network that the Bank Group’s global IT network security risks are well managed, and the network objectives of availability and cost effectiveness are being met. Nonetheless, the Audit of the World Bank Group’s Privileged Identity and Access Management (PIAM) highlighted that the overall management of all privileged accounts would benefit from comprehensive governance, improved security monitoring, and consistent authentication mechanisms. Because privileged accounts are powerful system accounts that provide elevated, often unrestricted access to systems and data, these are often targeted in cyberattacks. Hence, it is critical that all such accounts are known, comprehensively secured, and consistently monitored.

With evolving and more sophisticated cyber threats, the Bank Group needs to constantly develop new capabilities to defend itself and respond adequately when breaches occur.

Prioritization of Data Management: The sound management and monitoring of the Bank Group’s operations depends on reliable and high-quality data. Data is also critical to track and accurately report the Bank’s business results, as well as progress toward achieving key commitments made to constituents and stakeholders in areas such as FCV operations, climate change, and gender. To provide strategic direction to the institution’s data agenda, management established the Corporate Data Council and the Development Data Council to govern the Bank’s two distinct pillars of data (that is, Corporate Data and Development Data). The Advisory Review of the Bank’s Management of Corporate Data Used in Operations highlighted improvement opportunities in four dimensions of data management: Data Governance, Data Integration and Interoperability, Data Definitions, and Data Quality. The identified improvements in the Bank’s data management capabilities can enhance the ability of Bank staff to analyze or respond to management requests for information, resulting in increased efficiencies, improved agility and scalability, and greater data reliability. Given its increasing importance, organizations need to continuously invest in data and the underlying technologies. At the Bank Group, increasing senior management support would help to make such investment a priority.

Senior Management should signal the prioritization of data through clear sponsorship and ownership of the corporate data agenda, the establishment of enabling mechanisms, and a focus on data quality and reliability.

Management is already working on addressing the areas for improvement identified by GIA. In support of this, GIA will maintain a focus on the themes discussed above – Risk Management, Efficiency, the Business Model, and People and Data. Through timely and relevant assurance and advisory engagements, GIA is committed to helping management and the Board identify and manage the risks to achieving the Bank Group’s goals, and to strengthening the institutions’ development outcomes.

WHO WE ARE

OUR MANDATE

GIA is an independent and objective assurance and advisory function that adds value to and improves the operations of the World Bank Group. The objective of GIA’s work is to assess whether the risk management, control, and governance processes of Bank Group entities are adequately designed by management and functioning effectively. Specifically, GIA applies a systematic and disciplined approach to its assessments to provide reasonable assurance that:
• Risks are appropriately identified and managed
• Governance issues impacting the Bank Group are recognized and addressed appropriately
• Significant financial, managerial, and operating information is accurate, reliable, and timely
• Institutional policies and procedures are complied with
• Resources are acquired economically and used efficiently
• Quality and continuous improvement are fostered
• Institutional assets (physical and intellectual), records, and data are safeguarded

OUR REPORTING LINES

The Auditor General reports to the President of the World Bank Group, and is under the oversight of the Audit Committee.

[Organization chart: Board of Governors; Executive Directors; WBG President; Audit Committee; Vice President & Auditor General]

OUR VISION, MISSION, AND STRATEGIC PRIORITIES

Our vision is to be the agent of positive change to help the World Bank Group achieve its goals. Our mission is to protect and enhance the value of the World Bank Group by providing independent, objective, and insightful risk-based assurance and advice.

To support the achievement of our vision and mission, GIA has identified five strategic priorities that will allow us to focus our resources on the critical success factors.
These are: Insight, Flexibility, Staff Excellence, Technology, and Impactful Reporting. GIA plans to implement these strategic priorities by better use of technology and analytics, combined with a dynamic risk assessment approach supported by a robust people model.

Our vision is to be the agent of positive change to help the WBG achieve its goals

Insight
• Real-time risk visibility
• Coordinated assurance
• Proactive stakeholder engagement

Flexibility
• Dynamic & flexible risk assessment
• Adaptable audit approach
• Expanded risk focus

Staff Excellence
• Robust people model
• Competency and skills framework
• Clear career development

Technology
• Enhanced productivity by leveraging technology and data analytics
• Embracing innovation and automation

Impactful Reporting
• Concise, crisp, and impactful reports
• Dynamic real-time outputs

Our mission is to protect and enhance the value of the WBG by providing independent, objective, and insightful risk-based assurance and advice

OUR TEAM

Diversity

GIA delivers its mandate and work program by drawing on the rich and diverse expertise of its staff. We strive to embed diversity and inclusion in everything GIA does. GIA respects and values the uniqueness that each of our team members brings, and is committed to empowering each staff member to fully participate in our mission.

“Diversity: the art of thinking independently together.” - Malcolm Forbes

We are a small and diverse team:

[Infographic: 36 staff; 57% female, 43% male; 58% speaking 3 or more languages; further figures (35, 25) for the total of languages spoken and the number of different countries. Map: GIA staff home countries, IBRD 44663 | September 2019]

Qualifications

GIA staff are highly skilled, combining internal audit experience, knowledge of the Bank Group, and experience from external organizations to deliver value to clients and stakeholders.
As essential partners to our clients, GIA staff bring a passion for learning, technical expertise in critical processes, and a commitment to the Bank Group’s mission. GIA staff have a range of professional qualifications to enable GIA to fulfill its role, including Certified Internal Auditor (62% of staff); Certified Public Accountant, Chartered Accountant, or similar (50%); Certified Information Systems Auditor (24%); and Certified Fraud Examiner (18%).

A significant portion of GIA staff (71%) have worked in other parts of the Bank Group, and almost all staff worked in the private sector before joining the organization. To complement the strength of the GIA team, we also engage subject matter experts from our co-sourcing partners that currently come from the Big-Four8 consulting firms, as and when needed.

“Skill and confidence are an unconquered army.” - George Herbert

8 The Big-Four refers to the four largest accounting firms in the world.

HOW WE DELIVER

GIA’s work is focused on the most significant risks facing the Bank Group, with continuous reviews to align with the Group’s strategic priorities. Our engagements are carried out in accordance with the ‘International Professional Practices Framework’ of the Institute of Internal Auditors (IIA).

GIA delivers on its mandate as an independent function by providing objective, reasonable assurance that key controls over the business activities of the Bank Group organizations are well designed and operating effectively. GIA also leverages its group-wide remit and broad institutional exposure to provide advice and business insights that add value to and support the achievement of the Bank Group’s strategic priorities. GIA’s position in the organization enables it to connect the dots in a unique way and provide insights to management and the Audit Committee. We strive to continuously enhance our value proposition through systematic engagement with stakeholders, as well as continuous risk assessment and work program updates to cater to the changing needs of the organization. We also aim for excellence through agility, innovation, learning, and knowledge sharing.

1 Stakeholder Engagement
2 Dynamic Risk Assessment and Work Program Development
3 Coordination and Collaboration with Other Oversight Functions
4 Learning, Innovation, and Knowledge Sharing
5 Delivering Results to Influence Positive Change

STAKEHOLDER ENGAGEMENT

GIA places a high priority on ensuring that its stakeholders across the World Bank Group institutions are familiar with GIA’s mandate and have confidence in GIA’s value proposition. Robust relations with the Audit Committee and management are essential for GIA’s effectiveness as this helps GIA deepen its understanding of institutional strategies and knowledge of the business, and enables GIA to promptly identify and respond to stakeholder concerns and emerging risks.

As part of our initiative to strengthen stakeholder engagement, GIA is developing a Stakeholder Engagement Framework to adopt a more systematic approach to client relationship management. Our new Client Relationship Management (CRM) database helps record, track, analyze, and manage stakeholder interactions.

As Bank Group operations are in the field, GIA proactively engages with staff in our country offices. In the past two years, GIA increased its visits to country offices to support our outreach efforts and gain valuable inputs and insight from colleagues for our risk assessment and work program development. In FY19 GIA staff visited six country offices, and GIA plans to continue these useful dialogues with management and staff in the field.
Photo: GIA Visit to Chennai Office – April 2019

DYNAMIC RISK ASSESSMENT AND WORK PROGRAM DEVELOPMENT

GIA’s work program is developed based on a dynamic risk assessment process throughout the year, which also considers the institution’s strategic priorities and emerging risks. GIA has improved its use of data analytics and automation to support its risk-based work program development. The GIA CRM database, along with a newly developed risk assessment tool, enables GIA staff to capture key risk information and trends obtained during the year and visualize results to better select engagements for GIA’s three-year work program. Considering the nature and data needs of GIA’s FY19 engagements, 42% of these engagements were supported by data analytics.

Photo: GIA Staff Retreat – December 2018

COORDINATION AND COLLABORATION WITH OTHER WORLD BANK GROUP OVERSIGHT FUNCTIONS

GIA collaborates with other institutional oversight and accountability functions to deliver timely and value-added services to the organization. This collaboration, which is accompanied by clear communication with stakeholders on the roles of each function, is critical to avoid gaps in coverage and prevent duplication of work. While complementary in some areas, the work of GIA and these other functions is distinct in focus, objectives, and approach, with GIA assessing internal processes and controls that are key to the achievement of the Bank Group’s objectives.

In FY19 GIA strengthened collaboration with various risk management functions by introducing quarterly exchange meetings with colleagues. In the context of the three lines of defense model,9 GIA has closely aligned its work program with the Bank Group’s second line of defense and other independent oversight and accountability functions such as the Independent Evaluation Group (IEG) and the Integrity Vice Presidency (INT).
GIA engages the Bank Group Chief Risk Officer (CRO) throughout the year to discuss emerging risks and exchange views on issues identified at the engagement level. The ongoing collaboration with the CRO is a key component of GIA’s overall risk monitoring. GIA also discusses its work program with the Inspection Panel and the Compliance Advisor Ombudsman and obtains engagement level inputs that help in scoping the engagements.

GIA and IEG closely collaborated throughout the year at the work program level and in individual projects in the area of development operations. For the FY20 work program preparation in FY19, GIA and IEG held a joint consultation with management. The work program presentation for each function at the Board made cross-references to each other’s programs, to help the stakeholders understand the synergies and complementarity of services each function provides to the World Bank Group.

9 The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management: 1) Functions that own and manage risks; 2) Functions that oversee risks; and 3) Functions that provide independent assurance. – The Institute of Internal Auditors

Members of GIA’s management team participated as panelists in the 2019 World Bank Chief Risk Officer (CRO) Risk Forum. The forum covered various topics ranging from “The Outlook for Risk in 2019 and Beyond” to how risk management is changing, and what’s new on the operational risk front.

Photo: GIA Participation in World Bank CRO Risk Forum – May 2019

“The work of GIA and the World Bank Group CRO complement each other to strengthen the WBG’s risk governance and to ultimately enhance the WBG’s capacity to pursue its mission.”
- Lakshmi Shyam-Sunder – Vice President and World Bank Group Chief Risk Officer

LEARNING, INNOVATION, AND KNOWLEDGE SHARING

GIA’s learning program aims to broaden our knowledge of the organization’s business and enhance our subject matter expertise, contributing both to the quality of GIA’s services and to the professional development of staff. The program includes internal and external training, to keep up to date with industry changes and best practices as well as developments within the Bank Group. Since GIA increasingly integrates data analytics and technology in its activities to enhance engagement delivery, this has become an essential element of staff training. Not only does this enable our staff to develop stronger evidence in support of engagements, but it also facilitates the monitoring and adjustment of work program delivery as necessary.

In the spirit of learning, GIA contributes to knowledge-sharing events with clients and other development partner organizations. We also network with internal auditors of other multilateral development organizations and international financial institutions to benchmark against, evaluate, and absorb fresh perspectives, and to adopt innovative ideas as well as share our knowledge and experience.

Data analytics training for GIA staff has steadily increased, resulting in improved proficiencies with data analytics platforms such as Tableau, and increased use of intelligent tools for analysis. A data literacy assessment is underway to develop individual training plans to further improve the data analytics capabilities of GIA staff.

In FY19, GIA was actively involved in the first global internal audit workshop hosted by the Bank Group’s Treasury for its Reserves Advisory and Management Program (RAMP) clients. The five-day workshop was attended by the internal audit and risk and control functions of 38 central banks.
At the workshop, GIA’s Vice President and Auditor General delivered the keynote address on “The Changing Role of Internal Audit”, and three GIA Audit Supervisors presented and led participant discussions on specific topics on internal audit, including “Assessing and Auditing: Cybersecurity and Business Continuity Risks”, “The Role of Internal Audit in Enterprise-Wide and Operational Risk Management”, and “Strategic and Risk-Based Auditing”.

GIA participated in a number of international conferences, discussing with peer organizations the common challenges facing internal audit functions, and sharing experiences and insights on audit practices and collaboration with other assurance providers.
• GIA co-hosted the Annual Meeting of the International Audit and Integrity Group (IAIG) with the World Bank Group’s Integrity Vice Presidency (INT) and the German Kreditanstalt für Wiederaufbau (KfW) in Frankfurt. IAIG is a forum comprising the investigation and internal audit functions of selected bilateral aid agencies and United Nations organizations. GIA delivered the keynote speech on “Coordinated Assurance” and led the discussion on collaboration across development organizations to maximize assurance on use of funds in projects.
• GIA took an active role in the Annual Meeting of the Representatives to Internal Audit Services (RIAS) in Addis Ababa, Ethiopia, where GIA led three discussions on client engagement, auditing cultural elements, and risk assessment. RIAS is a forum to promote the development and exchange of internal audit and oversight-related practices and experience among UN organizations and multilateral financial institutions and other associated intergovernmental organizations.
• GIA took part in organizing the Annual Meeting of the Multilateral Financial Institutions (MFI) Chief Executive Auditor Group in Washington DC, which was hosted by the International Monetary Fund. During the meeting GIA presented on the topics of “Building Influence & Presence: How Can Internal Audit Functions Enhance Their Brand?” and “Internal Audit Products: Expanding Our Reporting Tool-Kit”.
• GIA participated in the second Annual Auditors Alliance meeting hosted by the Organization for Economic Co-operation and Development (OECD) in Paris, after which GIA visited the European Bank for Reconstruction and Development’s (EBRD) Internal Audit Department to exchange knowledge and experience.

“Anyone who stops learning is old, whether at twenty or eighty. Anyone who keeps learning stays young. The greatest thing in life is to keep your mind young.” - Henry Ford

Photo: The International Audit and Integrity Group (IAIG) Meeting – May 2019

DELIVERING RESULTS TO INFLUENCE POSITIVE CHANGE

Engagement Impact: GIA helps the Bank Group achieve its objectives by applying a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The value of GIA’s assurance and advisory engagements is reflected in improvements in management of key risks that the Bank Group faces, and the development and maintenance of related key internal controls, which reduce those risks to acceptable levels.

In FY19 GIA was recognized for its positive impact by receiving the ‘President’s Award for Excellence’. GIA carried out an Advisory Review of the Management of Shared Service Agreements among the World Bank Group Institutions in FY18 to support efforts to foster better services and cost efficiencies in the administration of Shared Service Agreements across the Group. The team developed a model solution that management used to launch a revamp of existing processes around the delivery and management of shared services.
GIA’s review helped promote a culture of continuous improvement and efficiency, and enhance the quality of services provided by one Bank Group entity to another.

Photo: President’s Award Recipients – March 2019

Follow-up on Management Action Plans: As part of GIA’s assurance engagements (audits and assurance reviews), management develops specific and time-bound action plans to address identified issues. GIA works with management to review the robustness of action plans and appropriateness of the timeline for implementation, and engages in continuous dialogue and follow-up with management until implementation of the actions. Once an action plan has been implemented, GIA validates the implementation by reviewing evidence provided by management. When implementation is delayed, GIA flags – in its quarterly reports – overdue action plans for Senior Management and Audit Committee attention. GIA performs a root cause analysis of overdue actions on a regular basis.

In FY19, GIA closed 58 issues raised in its audits, compared to 43 issues in FY18. A few examples of the issues closed by GIA, based on the actions taken by management and the resultant impact on the risk management, controls, and governance, are highlighted below.

INCREASED EFFICIENCY
In FY16, GIA audited IBRD’s Capital Budget Process and identified several processes that could be automated to make the process more efficient. The Budget, Performance Review, and Strategic Planning function has now completed a system revamp that resulted in the automation of many capital budget management processes in FY19.

ENHANCED DATA MANAGEMENT
In FY18, GIA’s audit of IBRD’s Management of Liquid Asset Portfolio highlighted the need to establish processes to finalize data ownership, agree on common business terms and definitions, and capture and maintain technical metadata and data lineage to ensure improved data quality, data re-use, and effective change management. During the last two years, the Bank Group’s Treasury developed a data governance framework and implemented a Treasury Data Governance Center – an online platform comprised of a Business Glossary, Technical Data Dictionary, and Reports Catalog, using the leading data governance practices.

IMPROVED GOVERNANCE
In an FY18 audit of the IFC’s Use of Blended Finance in Operations, GIA noted the absence of a systematic feedback loop to key stakeholders on the strategic direction of the Blended Finance program. Management has now established an annual mechanism to prepare and share with the Board the development impact and financial performance of blended finance investments.

Similarly, GIA’s FY18 review of the Bank’s Process for Managing Advisory Services and Analytics Activities (ASA), noted the absence of a monitoring and reporting mechanism to enable better governance. Addressing this issue, management launched a standard report analyzing dropped ASA activities, which is available to all Bank staff as part of an ASA dashboard.

BETTER RISK MANAGEMENT
The FY18 audit of IFC’s Management of Liquid Asset Portfolio highlighted the need for an approved risk appetite statement that also clarified the expected reasonable return from the liquid asset portfolio. In FY19, the Corporate Risk Committee reviewed and approved a risk appetite statement for treasury activities, with a requirement to monitor implementation, periodic reporting, and annual reviews.

Also, in FY18, GIA’s audit of MIGA’s Management of Reinsurance Counterparty Risk indicated that, while MIGA has Integrity Review Procedures that cover Integrity Due Diligence risks in MIGA projects, they do not specifically cover reinsurance counterparties. In FY19, MIGA established a methodology to ensure proper analysis and monitoring of reinsurers. In addition, a Reinsurer Credit Risk committee was created for periodic review and decision-making.
APPENDIX: GIA’S COVERAGE IN FY19

FY19 Work Program | Type

Strategic Risk
1. World Bank Group Institutions’ Framework to Support the Implementation of the Efficiency Agenda | Advisory
2. IFC’s Portfolio Approach | Advisory
3. Use of the Bank’s Corporate Scorecard | Assurance Review
4. Review of the Management of IDA18 IFC-MIGA Private Sector Window | Assurance Review
5. Review of Management’s Reform Activities for Financial Intermediary Funds (FIFs) | Assurance Review

Development Outcome Risk/Business Risk
6. IFC’s Monitoring of the Environmental and Social (E&S) Conditions During Project Supervision | Audit
7. World Bank’s Internal Processes for Disaster Risk Management in Operations | Audit
8. World Bank’s Management of Financial Management Risk in Investment Project Financing | Audit

Operational Risk
9. World Bank Group’s Rapid Application Development (RAD) | Audit
10. World Bank Group’s Global IT Network | Audit
11. World Bank Group’s Staff Travel Safety Arrangements | Audit
12. IFC’s Capital Budget Process | Audit
13. World Bank’s Implementation of the Cost Recovery Framework for Trust Funds | Audit
14. World Bank’s Grievance Redress Service (GRS) | Audit
15. MIGA’s Net Retention and Reinsurance Framework | Audit
16. IFC’s Management of Operational Risks | Audit
17. World Bank’s Management of Operational Risks | Audit
18. World Bank’s Management of Corporate Data Used in Operations | Advisory
19. World Bank Group’s IT Change and Release Management Process | Advisory
20. World Bank Group’s Process to Manage United Nations Laissez-Passer (UNLPs) | Advisory
21. World Bank Group’s Privileged Identity and Access Management | Audit
22. World Bank’s Core Capital Markets Systems Replacement (CCMSR) Program | Assurance Review

Financial Risk
23. IFC’s Asset and Liability Management Framework | Audit
24. IDA’s Financial Risk Management Framework | Assurance Review
25. Implementation of IBRD’s Asset Liability Management Framework | Audit

The summary of individual audits and reviews is available in GIA’s Quarterly Activity Reports on the GIA website.

CONTACT US
+1 (202) 458-7258
www.worldbank.org/internalaudit
Group Internal Audit
The World Bank Group
1818 H Street NW
Room G 4-401
Washington, DC 20433
United States