99599

Internal Audit Vice Presidency (IADVP)
FY15 Fourth Quarter Activity Report
September 16, 2015

Table of Contents
1 Summary of Key Engagement Outcomes
2 Annex 1: List of Engagements in the FY15 Q4 Activity Report

The Internal Audit Vice Presidency (IAD) is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of the WBG entities. It assists WBG in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control and governance processes.

The purpose of this report is to provide a high level overview of IAD activities in the quarter to Senior Management and the Audit Committee. This Quarterly Activity Report is also publicly disclosed, under the Bank’s Access to Information Policy.

1. Summary of Key Engagement Outcomes

Thirteen engagements were finalized during the quarter. These included: four World Bank Group (WBG) audits, three International Bank for Reconstruction and Development/International Development Association (IBRD/IDA) audits, one Multilateral Investment Guarantee Agency (MIGA) audit, three WBG advisory reviews, and two IBRD/IDA advisory reviews.

[Sidebar: Despite ongoing efforts to establish tighter controls and service the WBG’s IT needs more effectively, there are design gaps in the governance framework]

1. The objective of the audit of WBG IT Sourcing and Vendor Management was to determine whether governance, risk management, and control processes over the management of WBG’s IT sourcing and vendors were adequate and effective to sustain service excellence, control costs, and mitigate risks throughout the vendor management lifecycle. While recognizing that efforts at the institutional level were underway to establish tighter controls, the audit identified design gaps in the governance framework for the management of WBG IT sourcing and vendor management activities. These gaps included the lack of: (i) structured processes for the defining, measuring, re-calibrating, and on-going monitoring of an IT sourcing strategy; (ii) an institutional forum for consultations and deliberations over IT sourcing and vendor management risk exposures and activities; and (iii) a formal process for reporting to senior management on key targets, achievements and shortfalls.

[Sidebar: The multi-year ICAM program is based on a clear business case and defined roles and responsibilities]

2. The objective of the audit of WBG Identity Credential and Access Management (ICAM) was to assess the management of the ICAM program currently in place. The audit concluded that implementation and management of the multi-year ICAM program is based on a clear business case and defined roles and responsibilities. While no significant issues were identified, opportunities to further enhance governance and technology integration related to the program include: (i) directly linking Sailpoint, the system used by the ICAM solution, with PeopleSoft; (ii) integrating ICAM requirements for new applications in the early stages of development; and (iii) establishing a formal process to identify key performance and risk indicators.

[Sidebar: Needed improvements include the development of a formalized governance structure and supporting processes with clearly defined requirements to evaluate needs for external mobile applications and centrally drive development, publication, and maintenance of such applications]

3. The objectives of the audit of WBG Mobile Application Development and Security were to confirm whether (i) the processes to evaluate business needs, maintain inventory, and manage the development lifecycle of mobile applications are designed and operating effectively; (ii) mobile applications are developed and implemented to maintain confidentiality, integrity and availability of the WBG data; and (iii) mobile application changes and patches are implemented timely and follow a controlled process. Despite recent improvements in the overall management of mobile applications, the audit noted that there is no formalized governance structure with clearly defined requirements to evaluate needs for external mobile applications and centrally drive development, publication, and maintenance of such applications. In addition, improvement is needed in the evaluation of business needs, tracking of benefits realization, and management of third party vendors engaged for developing applications, and tracking of the development and maintenance expenditures of external mobile applications.

[Sidebar: While the system re-implementation project yielded a number of benefits, management needs to address remaining control weaknesses of the system and close the learning loop by drawing lessons from implementation experience.]

4. The objective of the audit of the Post Implementation Review of PeopleSoft was to evaluate whether the key business drivers / objectives of the PeopleSoft 9.1 re-implementation project were met and the intended benefits achieved. While noting that the PeopleSoft 9.1 re-implementation project has yielded a number of tangible benefits, the audit identified remaining control weaknesses to be addressed, including (i) the absence of an effective mechanism to measure the overall success of the project; (ii) the absence of a comprehensive post-implementation analysis to draw lessons learned from implementation challenges; (iii) control over privileged user access and direct data fixes, change migration processes, data corrections, and segregation of duties.

[Sidebar: Despite the generally sound assessment and monitoring of risks in FIL projects, improvements could be achieved through greater consistency in the application of standards in managing risks in FIL projects]

5. The objective of the audit of the Bank’s Risk Management in Financial Intermediary Lending (FIL) Projects was to assess the adequacy of the risk management processes in consideration of the unique characteristics of FIL projects. The audit concluded that the various risks in FIL projects are generally well assessed and closely monitored by the Bank’s task teams during project implementation. Task team members have a strong grasp of project risk and corresponding mitigation measures at the project and sub-project level, and are generally cognizant of the capacity strengths and weaknesses of the financial intermediaries involved in the projects. However, the audit noted that the application of standards in managing risks in FIL projects is inconsistent on environment and social safeguards, client capacity assessment, and anti-fraud and corruption measures. The Bank and IFC should further explore collaboration to leverage knowledge of each other when clients or markets overlap. Also, management should clarify the approach for analyzing on-lending pricing and subsidies in projects.

[Sidebar: While EFO revenues are well integrated into the budgeting process for work program delivery, the use of EFOs can be further strengthened through undertaking a portfolio-level analysis of EFO contributions to work program delivery]

6. The objective of the audit of the Use of Externally Financed Outputs (EFOs) was to assess the adequacy of the governance, risk management, and internal controls over EFO processes. The audit noted that while EFO revenues are well integrated into the budgeting process for work program delivery, and the information systems that support the establishment and management of EFOs are well designed and operate effectively, there are also some areas for improvement. Management needs to analyze EFO contributions to work program delivery at the portfolio level to facilitate their understanding of the operational impact of EFOs and inform their strategic decisions on using the EFO instrument as a funding source going forward. Also, potential inefficiencies coming from the Bank’s inability to receive external funds between $1 million and $2 million were identified.

[Sidebar: Processes and controls are in place for monitoring the Bank’s AAA portfolio, but the development of more granular institutional AAA delivery indicators is needed to enable management to use the information more effectively]

7. The objective of the audit of the Monitoring of the Delivery of Analytic and Advisory Activities (AAA) to Clients was to assess the effectiveness of existing governance and control processes, and the design of ongoing control improvements for monitoring the Bank’s AAA portfolio. The audit concluded that processes are in place to periodically monitor the AAA portfolio at all levels across the Bank, such as the establishment of Regional and Global Practice forums that meet periodically to discuss the status of the AAA portfolio, consistent presentation of AAA portfolio information at senior management forums, and regular reporting to the Board in the Quarterly Business and Risk Review. However, areas for improvement include the development of more granular institutional AAA delivery indicators, holistic analysis of cost information (planned and actual) to regularly assess efficiencies in delivering AAA, and advanced portfolio metrics to quantify occurrences of dropped projects and enable the early identification of potential problem projects.

[Sidebar: MIGA staff are consistently implementing the strategic framework, procedures and guidelines for integrity risk management]

8. The objective of the audit of Integrity Risk Management in MIGA’s Projects was to assess the adequacy and effectiveness of MIGA’s governance, risk management and controls over integrity risk management. The audit concluded that MIGA has adequate governance, risk management and controls over integrity risk management. Management has established a coherent understanding of integrity risk management objectives, risk appetite, and performance standards. The strategic framework, policies, procedures, and guidelines that define the integrity risk management process have been communicated to MIGA staff and are being consistently implemented. In addition, MIGA has a robust process in place to identify and assess integrity risks during the underwriting phase, and the governance framework ensures consistency in integrity risk related decisions across projects.

[Sidebar: The roadmap for the transition to a cloud-based environment starts with the establishment of a solid foundation that includes a sound business case, the definition of standards and well-trained IT staff]

9. The objectives of the advisory review of the WBG ITS Cloud Adoption Roadmap were to assess the ability and readiness of Information and Technology Solutions (ITS) for cloud adoption and recommend a target architecture and adoption roadmap through short/medium/long-term initiatives and a prioritized approach for migrating cohorts of applications to cloud. The review noted that ITS is making progress in building a strategy for a cloud-enabled target state environment that is aligned with WBG’s business needs, priorities, and capabilities. It recommended that ITS should continue to leverage emerging technologies and establish strategies towards implementing a cloud-enabled environment. It also proposed a three-year roadmap based on three strategic themes: (i) building stronger foundations (year 1); (ii) facilitating a progressive transition to the cloud (years 1 and 2); and (iii) creating a broader cloud adoption across the organization (years 2 and 3). The immediate actions to be taken to establish this solid foundation include conducting a cost-benefit analysis and creating the business case for cloud adoption; defining cloud-based application development standards; leveraging the cloud decision-making framework to develop the application migration roadmap; and training WBG IT staff on cloud technologies.

[Sidebar: The Cash Systems Replacement project is on track for the scheduled go-live dates in November 2015]

10. The objective of the review of the World Bank Group’s Cash Systems Replacement Pre-Implementation was to assess the adequacy and effectiveness of the controls around the implementation of the new Treasury Management System (TMS) to confirm that the system is being developed, configured, and implemented to achieve management’s application control objectives. It concluded that the Cash Systems Replacement project was on track for the scheduled go-live dates in November 2015. The Project Management Team has established good project governance processes to ensure that the project is monitored against agreed upon milestones and key stakeholders are adequately involved at the right time to make timely decisions. While no significant issues were identified, areas for further consideration as the November go-live dates approach include the handling of test results, validation of IT general controls, and implementation and testing of the data migration strategy.

[Sidebar: Increased efficiency through developing a data analytics framework for the continuous monitoring of travel-related expenses]

11. The objective of the review of the WBG’s Administrative Expense Monitoring ‒ Travel-Related Expense was to advise the Corporate Expense Unit of the Finance and Accounting Vice Presidency (WFACS) on the development of a data analytics framework for the continuous monitoring of the WBG’s administrative expenses, with an advisory focus on travel expenses. The review team reviewed WFACS’ current analytics and monitoring capabilities, provided recommendations to achieve the desired end-state, and developed a proof of concept dashboard for continuous monitoring of travel-related expenses. Through the advisory, WFACS will be able to increase efficiency by leveraging a data analytics approach in the monitoring of WBG travel-related expenses.

[Sidebar: Process and control improvements are needed to provide for a more robust documentation trail in the recording and tracking of budget decisions]

12. The objective of the review of (specific aspects) of IBRD’s Capital Budget Process was to review the Information Technology (IT) capital budget finalization, approval and allocation process for the FY15-17 budget cycle. The review noted documentation gaps and lapses, and recommended process and control improvements to provide for a more robust documentation trail in the recording and tracking of budget decisions. In addition, the Budget, Performance Review and Strategic Planning Vice Presidency (BPSVP) should consider performing more thematic deep dives and targeted reviews on a systematic basis to consistently challenge the cost base and identify opportunities for cost efficiencies.

[Sidebar: The review provided an implementation roadmap that covered the three level of defense architecture, the risk management model and risk appetite framework]

13. The objectives of the advisory review of the Bank’s ERM Framework were to: (i) provide advisory input and recommendations to management on its ongoing work to enhance, and codify the Framework; and (ii) benchmark key components of the Framework with leading industry practices, provide a comparative analysis, and identify opportunities for enhancement that are tailored to the Bank’s context and operating model. The review noted that the development of a robust ERM architecture will necessarily be a longer-term evolutionary process, and thus provided an implementation roadmap that follows a phased approach. The immediate requirements are enhancing the three level of defense governance architecture and the development of a risk appetite framework.
Medium and longer term requirements include assessment of the adequacy and completeness of the existing risk committee structures, and development of a risk appetite framework

Annex 1: List of Reports issued in FY15 Q4*

WBG Engagements

No. | Entity | Engagement Title | Report No. | Quarter Issued | Date Issued
1 | WBG | Advisory Review of WBG ITS Cloud Adoption Roadmap | WBG FY15-06 | Q4 | May 19, 2015
2 | WBG | Audit of WBG IT Sourcing and Vendor Management | WBG FY15-07 | Q4 | Jun 30, 2015
3 | WBG | Advisory Review of WBG Cash Systems Replacement Pre-Implementation | WBG FY15-08 | Q4 | Jun 30, 2015
4 | WBG | Audit of WBG Identity Credential and Access Management (ICAM) | WBG FY15-09 | Q4 | Jul 13, 2015
5 | WBG | Advisory Review of the WBG Administrative Expense Monitoring – Travel-Related Expense | WBG FY15-10 | Q4 | Jul 16, 2015
6 | WBG | Audit of WBG Mobile Application Development and Security | WBG FY15-11 | Q4 | Jul 22, 2015
7 | WBG | Post Implementation Review of PeopleSoft | WBG FY15-12 | Q4 | Aug 26, 2015

IBRD/IDA Engagements

No. | Entity | Engagement Title | Report No. | Quarter Issued | Date Issued
8 | IBRD/IDA | Audit of the Bank’s Risk Management in Financial Intermediary Lending Projects | IBRD FY15-05 | Q4 | Jun 3, 2015
9 | IBRD/IDA | Review of (specific aspects) of IBRD’s Capital Budget Process | IBRD FY15-06 | Q4 | May 19, 2015
10 | IBRD/IDA | Advisory Review of the Bank’s Enterprise Risk Management Framework | IBRD FY15-07 | Q4 | May 21, 2015
11 | IBRD/IDA | Audit of the Use of Externally Financed Outputs | IBRD FY15-08 | Q4 | Jun 10, 2015
12 | IBRD/IDA | Audit of the Bank’s Monitoring of the Delivery of Analytic and Advisory Activities (AAA) to Clients | IBRD FY15-09 | Q4 | Jul 2, 2015

MIGA Engagements

No. | Entity | Engagement Title | Report No. | Quarter Issued | Date Issued
13 | MIGA | Audit of Integrity Risk Management in MIGA’s Projects | MIGA FY15-01 | Q4 | Jun 16, 2015

*As per paragraph 16 (d) of the Bank’s Access to Information Policy, July 1, 2010, audit reports prepared by IAD shall not be publicly disclosed, except its finalized Annual and Quarterly Activity Reports.