GIA FY2019 Quarter 4 Activity Report Group Internal Audit (GIA) Vice Presidency June 30, 2019 Contents 1. Completed Engagements in FY19 Q4 ................................................................................. 2 2. FY19 Q4 Engagements Summarized .................................................................................. 3 2.1 International Bank for Reconstruction and Development (IBRD) .................................. 3 2.2 International Development Agency (IDA) ..................................................................... 5 2.3 International Finance Corporation (IFC) ....................................................................... 5 About GIA The Internal Audit Department (IAD) was officially changed to Group Internal Audit (GIA) Vice Presidency effective July 1, 2019. The change of name clarifies the scope of our mandate to cover all the World Bank Group institutions. The GIA Vice Presidency provides independent and objective assurance to Senior Management and the Board of the World Bank Group (WBG) on the effectiveness and efficiency of governance, risk management and controls of the WBG’s operations. In addition, GIA monitors the implementation of management’s corrective actions, and also advises management in developing control solutions. GIA’s work is carried out in accordance with the Institute of Internal Auditors (IIA) International Professional Practices Framework. GIA’s Quarterly Activity Report summarizes GIA’s engagement results for the quarter. www.worldbank.org/internalaudit GIA FY19 Q4 Completed Engagements 1. Completed Engagements in FY19 Q4 GIA completed 9 engagements, comprising 8 assurance reviews and 1 advisory review. The objectives and results of these engagements are summarized on pp. 3 to 7. Item Engagement Refer to Report Engagement Name No. Type Page IBRD Management’s Reform Activities for Financial IBRD FY19-06 1 Assurance 3 Intermediary Funds (FIFs) Bank’s Core Capital Markets Systems Replacement IBRD FY19-07 2 Assurance 3 (CCMSR) Program IBRD FY19-08 3 Use of the Bank’s Corporate Scorecard Assurance 4 Bank’s Implementation of the Cost Recovery IBRD FY19-09 4 Assurance 4 Framework for Trust Funds IDA IDA FY19-01 5 IDA’s Financial Risk Management Framework Assurance 5 IFC IFC FY19-02 6 IFC’s Capital Budget Process Assurance 5 IFC FY19-03 7 IFC’s Asset Liability Management Framework Assurance 6 IFC’s Monitoring of the Environmental and Social (E&S) IFC FY19-04 8 Assurance 6 Conditions During Project Supervision IFC FY19-05 9 IFC’s Portfolio Approach Advisory 7 GIA FY2019 Quarter 4 Activity Report 2 GIA FY19 Q4 Completed Engagements 2. FY19 Q4 Engagements Summarized 2.1 International Bank for Reconstruction and Development (IBRD) 1. Management’s Reform Activities for Financial Intermediary Funds (FIFs) The objective of the assurance review was to support management’s reform efforts for FIFs and identify areas for management’s further attention as part of their ongoing initiatives. The review started in 2018, and, in December, GIA issued an interim memo with its observations of key issues and risk areas. In June 2019, management concluded its development of the 2019 Management Framework Update for FIFs, and GIA subsequently reviewed the Framework along with the associated draft policies and procedures in relation to the observations captured in the interim memo. The review concluded that the 2019 Framework addresses all the issues raised in the interim memo and includes management’s commitment to (i) streamline and strengthen the processes and controls related to the establishment, risk assessment and lifecycle management of FIFs, and (ii) clarify the roles, responsibilities and accountabilities of the various stakeholders involved in managing FIFs. The 2019 Framework also provides for an expanded role of the Board in the oversight of the FIF portfolio and for more frequent and substantive reporting of FIF lifecycle events to the Board and Senior Management. 2. Bank’s Core Capital Markets Systems Replacement (CCMSR) Program The objective of the assurance review was to evaluate the CCMSR program’s governance and management processes and controls, and provide assurance on the effectiveness of: (i) project governance working practices aimed at delivering strategic outcomes and business benefits; (ii) project management processes and monitoring activities to enable the delivery of systems on time, within budget, and as per business requirements; and (iii) organizational change management processes to enable adequate identification, impact analysis, and communication of changes to maximize business readiness. The review concluded that the CCMSR program exhibits a number of good practices in the areas of program governance structure, scope definition, and communication and collaboration. However, the CCMSR program could be strengthened through development of a comprehensive resource plan, a well-defined program plan and a benefits realization plan. In addition, improvements could be made to the management of program risks, the methodology for program delivery and the reporting of program status. GIA FY2019 Quarter 4 Activity Report 3 GIA FY19 Q4 Completed Engagements 3. Use of the Bank’s Corporate Scorecard The objective of the assurance review was to assess whether: (i) the Scorecard indicators reflect the Bank’s strategy and priorities; (ii) the Scorecard is fully consistent with the indicators that management uses to measure and monitor operational performance, and these indicators are captured in the Vice-Presidential Units’ operational performance and results metrics; (iii) management is verifying the accuracy, completeness, consistency and timeliness of the information contained in the Scorecard; and (iv) management periodically reviews and takes measures to improve the efficiency and effectiveness of the Scorecard process. The review concluded that the design of the Scorecard is broadly aligned with the Bank’s strategy and the processes to produce, quality assure and publish the Scorecard are operating satisfactorily. In addition, management periodically reviews the content of the Scorecard as well as the process to produce the Scorecard to improve its efficiency and effectiveness. The review further concluded that the performance indicators within the Scorecard are generally consistent with the indicators that management uses to measure and monitor operational performance. 4. Bank’s Implementation of the Cost Recovery Framework for Trust Funds The objectives of the audit were to assess whether: (i) the current Cost Recovery Framework for Trust Funds (TFs) is consistently applied across all TFs, and waivers to the framework, if any, are appropriately approved and monitored; (ii) the implementation of the framework is supported by adequate communications to donors and training to Bank staff; (iii) the data required to perform cost recovery computations are complete, accurate and timely; and (iv) progress towards full cost recovery and management’s assessment of the current cost recovery shortfall are reported to the Board and Senior Management periodically to ensure timely course correction where necessary. The audit concluded that the Cost Recovery Framework has made a significant move towards increased cost recovery, and management has projected that this will continue. In addition, the framework is consistently applied, with the few waivers that were granted being approved by the relevant Vice President in accordance with existing policy. The implementation of the framework was also supported by extensive communication and engagement with donors and relevant task team leaders. The cost recovery computation is automated with limited manual intervention, and the status of cost recovery is reported to the Board and Senior Management through the annual Budget Paper. GIA FY2019 Quarter 4 Activity Report 4 GIA FY19 Q4 Completed Engagements 2.2 International Development Association (IDA) 5. IDA’s Financial Risk Management Framework The objective of the assurance review was to evaluate whether the governance, decision-making framework and control activities have been adequately designed to support the effective implementation of IDA’s Financial Risk Management (FRM) framework. Specifically, the review sought to provide assurance that: (i) governance mechanisms are in place; (ii) risk management approaches have been designed; (iii) processes to evaluate new products and offerings exist; and (iv) systems and models are adequate to support IDA’s new hybrid financial model, under which traditional sources of financing are blended with debt in the form of borrowings from capital markets. The review concluded that management has established an effective governance and operational framework to support the implementation of IDA’s FRM framework. Specifically, governance mechanisms are in place; the framework has been appropriately designed to manage the principal financial risks that IDA takes in its activities; and a process is in place to identify, review, and monitor the financial risks associated with new products and service offerings. 2.3 International Finance Corporation (IFC) 6. IFC’s Capital Budget Process The objective of the audit was to evaluate the governance, risk management, design and operating effectiveness of controls over IFC’s capital budget process. Specifically, the audit assessed whether: (i) the process to develop annual investment plans that are aligned with strategic priorities is adequate; (ii) governance arrangements are in place to prioritize business demands, assess tradeoffs and approve funding requests for capital projects; (iii) post-completion reviews are performed to assess benefits realization and use of resources in capital projects; and (iv) systems and tools are adequate to support tracking and reporting on the capital asset portfolio, including to Senior Management and the Board. The audit concluded that most risks relating to the capital budget cycle are identified and adequately managed. However, the process for managing the budget cycle for corporate real estate capital investments was not fully reflected in the procedure documents. In addition, post-completion assessments of the actual performance of capital investment projects against expectations were not being conducted for corporate real estate projects. GIA FY2019 Quarter 4 Activity Report 5 GIA FY19 Q4 Completed Engagements 7. IFC’s Asset Liability Management Framework The objective of the audit was to evaluate whether governance, risk management and control processes have been adequately designed and operate effectively to mitigate foreign currency and interest rate risks arising out of asset-liability mismatches. Specifically, the audit assessed whether: (i) governance mechanisms such as policies and procedures, roles and responsibilities, management oversight and reporting are in place to guide and oversee ALM activities; (ii) risk management strategies, measures and limits support effective monitoring, timely management and ex-post evaluation of ALM risks; (iii) adequate processes are in place to address risks arising out of activities that trigger asset and liability mismatches, including activities such as loan modifications, loan prepayments and debt maturities; (iv) systems and controls are in place to support the completeness, accuracy, timeliness and validity of data used for ALM processes; and (v) controls are in place to support the accuracy of financial statement disclosures related to ALM activities. The audit concluded that ALM risks are managed conservatively in accordance with IFC’s ‘Funding Liquidity’ and ‘Matched Funding’ policies. However, opportunities for improvement include: (i) reviewing and updating the current policies and consolidating them into a comprehensive ALM framework, paying particular attention to currency risk management, interest rate risk management and ALM mismatch reporting; (ii) strengthening data quality and integrity through automation of the systems and models used to monitor ALM residual exposures and validate data accuracy and completeness; and (iii) granting Corporate Risk Management staff access to the ALM database so that they can generate ALM exposure analysis from source data to provide effective independent oversight of interest rate and foreign currency risks. 8. IFC’s Monitoring of the Environmental and Social (E&S) Conditions During Project Supervision The objective of the audit was to evaluate the design adequacy and operating effectiveness of the processes for monitoring E&S conditions in projects during project supervision. Specifically, the audit focused on whether IFC had: (i) monitored and verified clients’ conformance with the E&S conditions identified during project appraisal; (ii) followed established protocols and escalation mechanisms for responding to unfulfilled E&S conditions in projects; (iii) reviewed the effectiveness of its portfolio management; (iv) reported E&S related information to Senior Management and the Board for informed decision-making; and (v) maintained information systems, data and tools for effective management of the E&S risks. The audit concluded that E&S risks are identified and adequately managed during project supervision. However, two issues were identified: (i) system workflow does not require clearance of conditions by the E&S specialist, and (ii) IFC’s E&S procedures do not require the recording and tracking of all E&S client actions agreed during supervision. These issues can make it difficult for IFC management to have a portfolio view of pending client E&S actions. GIA FY2019 Quarter 4 Activity Report 6 GIA FY19 Q4 Completed Engagements 9. IFC’s Portfolio Approach The objective of the advisory review was to provide advice in support of management’s efforts to develop and implement the portfolio approach (PA). The review examined the following aspects of the PA: (i) clarity of the business objectives and executive sponsorship for the initiative; (ii) definition and clarity of roles and responsibilities of various IFC functions to enable the implementation of the initiative; (iii) arrangements for management review and oversight of, and reporting on the initiative; (iv) methodology, processes and tools for capturing, analyzing and integrating the portfolio-level information on risk, return and development impact dimensions; and (v) the project plan for PA implementation. The review gave advice on both the implementation and methodological aspects of PA. Given the nascent nature of the PA, a phased approach to its implementation was suggested to enable management to refine the methodology before it is used systematically for strategic decision- making. The PA would benefit from further clarification on its purpose and application and the establishment of strong governance for its roll-out. In addition, the application would require the establishment of a roadmap that covers both the transition phase, during which the PA model can be tested and calibrated, and the steady state phase. GIA FY2019 Quarter 4 Activity Report 7