66694

Internal Audit Vice Presidency (IADVP)
FY12 Second Quarter Activity Report
February 6, 2012

Table of Contents

1. Summary of Key Engagement Outcomes ........................................ 3
2. FY12 Mid-Year Risk Assessment Refresh ....................................... 5
3. Resource Utilization ....................................................... 5
Annex 1: List of Engagements in the FY12 Q2 Activity Report .................... 6

The Internal Audit Vice Presidency (IAD) is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of the WBG organizations. It assists WBG in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization's risk management, control and governance processes.

The purpose of this report is to provide a high level overview of IAD activities since the last quarter to Senior Management and the Audit Committee. This Quarterly Activity Report is also publicly disclosed, under the Bank's Access to Information Policy.

1. Summary of Key Engagement Outcomes

Eight engagements relating to the FY12 Work Program were finalized during FY12 Q2. These included: three Group-wide (WBG) reviews, three International Bank for Reconstruction and Development/International Development Association (IBRD/IDA) reviews, one International Financial Corporation (IFC) engagement, and one Multilateral Investment Guarantee Agency (MIGA) review. WBG reviews cover Group-wide strategies, end-to-end processes and/or shared services that have an impact on the institution as a whole.

1. IAD's audit of the Management of World Bank Group (WBG) Offshored Corporate and Back Office Functions covered controls over administrative management, local disaster recovery and business continuity, crisis management planning, safety and security, and local human resource management. IAD recommended that management continue to explore further opportunities for synergies and efficiencies, and perform a quantitative cost benefit assessment of the offshoring model regularly.

    Sidebar: Management should continue to explore opportunities for synergies in its WBG offshoring model.

2. The audit of the WBG Management of Two-Factor Authentication covered systems such as webmail, remote access, Summit, Client Connection and administrator access to servers, databases, and network devices (i.e. firewalls and routers). WBG two-factor authentication provides one layer of a defense-in-depth approach for a secure environment. The management of two-factor authentication includes a number of good practices, such as: token provisioning, monitoring, secure infrastructure, and help desk support.

    Sidebar: WBG Two-Factor Authentication provides one layer of a defense-in-depth approach for a secure environment.

3. The engagement on the WBG Framework for Policies and Procedures was designed to verify whether WBG's policies and procedures are developed, communicated and maintained effectively to promote consistent business practices and to support the achievement of organizational objectives. The audit focused on overall policy architecture, including ownership of policies and procedures, processes for the development of new and significant revisions to existing policies and procedures, implementation process, policy retirement and archiving. IAD recommended that WBG Senior Management sponsor the development of a single WBG Policy and Procedures Framework, taking into account the various initiatives underway by several units. The framework should establish the requirements and responsibilities for the development, approval, communication, implementation and review of all policies and procedures.

    Sidebar: The audit of the WBG Framework for Policies and Procedures focused on overall policy architecture, implementation aspects, policy retirement, and archiving.

4. IAD's audit of the Institutional Control Framework for Financial Activities of Country Offices in IBRD/IDA covered key controls in 14 country offices across six regions and review of transaction testing by the Regional Controllers' (CTR) Assurance and Country Office Accounting Unit in Chennai, India. It was observed that the strengths of the current control framework rest with the oversight by the Regional Chief Administrative Officers (CAOs) and CTR's real time compliance testing through on-site reviews. To further strengthen the control environment, IAD recommended a better structured training for Country Managers (CM) and country Resource Management (RM) staff on financial activities.

    Sidebar: The strengths of the Institutional Control Framework for Financial Activities of Country Offices rest with the oversight by the CAOs and on-site reviews of country offices.

5. IAD's advisory review of the SAP Upgrade Project indicated that the extensive SAP and project implementation experience of the system testers from both IMT and the business units, repetition of test scripts during the two user testing cycles, and the daily meetings that were held for defects escalation and resolution, were contributing factors towards the system going live as planned at the end of November 2011.

6. IAD's audit of IBRD's Market Risk Management Process covered: (i) the governance structure; (ii) processes for setting market risk strategy, limits, policies and procedures; (iii) quality of risk measurements, assumptions, data inputs, and outputs; and (iv) risk monitoring, reporting and compliance with established risk tolerance guidelines. The review indicated there were no serious weaknesses in the operation of existing controls and that the risk function (CFRMC) within the Corporate Finance & Risk Management (CFR) Vice Presidency has been working towards developing and expanding some of its own risk measurement and analytics capabilities. In order to further enhance CFRMC's ability to act as an independent risk assessment and measurement function, IAD made specific recommendations for more comprehensive and consistent execution of market risk stress testing and scenario analysis practices and for consolidating and updating policies and procedures.

    Sidebar: IAD made specific recommendations for more comprehensive and consistent execution of IBRD's market risk stress testing and scenario analysis.

7. IAD's advisory review of IFC's Risk Management Process for Decentralized Investment Operations was conducted at a time of change when IFC was in the process of operationalizing its client-centric vision in its first Operations Center (OC) in Istanbul. Despite the changing environment, the risk management functions have made significant progress in reassigning and relocating resources from HQ to the field and have been successful in mitigating significant risks at the project level, consistent with the IFC Operational Procedures. Professionals tasked with project risk management have good understanding of risks and controls and how significant project risks should be mitigated within each risk discipline. As IFC further develops its OC model, IAD recommended the establishment of an integrated approach to risk management which would provide opportunities for better leverage of risk and control activities across functional boundaries (i.e., risk disciplines).

    Sidebar: The risk management functions in IFC have made significant progress in reassigning and relocating resources from HQ to the field.

8. IAD's Post-Implementation Review of the MIGA Guarantee System (MGS) covered key aspects of the implementation and roll-out of MGS including: (i) the alignment of MGS with the business needs; (ii) application level access controls; (iii) application-specific controls over inputs, processing, and outputs; (iv) end-user guidelines and reference materials for roll-out; (v) support and maintenance; and (vi) system remediation processes. IAD made specific recommendations relating to incorporation of business process changes in system design, project management, data reliability, and resolution of system issues. IAD also recommended prioritization of limitations that have resulted in manual workarounds before undertaking any additional systems development work.

    Sidebar: IAD's Post-Implementation Review of the MIGA Guarantee System (MGS) covered key aspects of the implementation and roll-out of MGS.

2. FY12 Mid-Year Risk Assessment Refresh

IAD carried out its FY12 mid-year risk assessment refresh during November and December 2011. The objective of this exercise was to ensure that the IAD Work Program for the second half of FY12 remains relevant.

The refresh exercise entailed reviewing institutional risk scans and other reports to understand shifts in risk profiles. In addition, targeted discussions were held with key VPUs on emerging risks and updates on major initiatives.

    Sidebar: The mid-year refresh exercise entailed reviewing institutional risk scans and targeted discussions with VPUs on emerging risks.

The mid-year refresh resulted in specific modifications to the Work Program and covered the following areas:

  - Financial Management
  - Resource Allocation for Risk-based Approach for Investment Lending Reform
  - Fee-based Services
  - Small Grants
  - Cloud Computing and Mobile Computing
  - Administration of Trust Funds in MIGA
  - Renewal of key IT systems in IFC

The risk refresh outcomes were shared with the Audit Committee.

3. Budget Status

Total expenditures at the end of FY11 Q2 were $5.1 million, which represents 42% of the FY11 budget of $12.2 million.

Annex 1: List of Engagements in the FY12 Q2 Activity Report (1)

WBG Engagements (covering processes across IBRD/IDA, IFC & MIGA)

No.  Entity    Engagement Title                                                                                   Report No.    Date Issued
1    WBG       Audit of the Management of World Bank Group (WBG) Offshored Corporate and Back Office Functions    WBG FY12-02   20-Dec-11
2    WBG       Audit of the WBG Management of Two-Factor Authentication                                           WBG FY12-03   21-Dec-11
3    WBG       Audit of the WBG Framework for Policies and Procedures                                             WBG FY12-04   20-Jan-12

IBRD/IDA Engagements

No.  Entity    Engagement Title                                                                                   Report No.    Date Issued
4    IBRD/IDA  Audit of the Institutional Control Framework for Financial Activities of Country Offices           IBRD FY12-02  20-Dec-11
5    IBRD/IDA  Advisory Review of the SAP Upgrade Project                                                         IBRD FY12-03  4-Jan-12
6    IBRD/IDA  Audit of IBRD/IDA Market Risk Management Process                                                   IBRD FY12-04  23-Jan-12

IFC Engagements

No.  Entity    Engagement Title                                                                                   Report No.    Date Issued
7    IFC       Advisory Review of IFC's Risk Management Process for Decentralized Investment Operations           IFC FY12-01   12-Dec-11

MIGA Engagements

No.  Entity    Engagement Title                                                                                   Report No.    Date Issued
8    MIGA      Post-Implementation Review of the MIGA Guarantee System (MGS)                                      MIGA FY12-01  19-Jan-12

(1) As per paragraph 16 (d) of the Bank's Access to Information Policy, July 1, 2010, audit reports prepared by IAD shall not be publicly disclosed, except its finalized Annual and Quarterly Activity Reports.