61968 rev Internal Audit Vice Presidency (IADVP) Final FY11 Third Quarter Activity Report April 25, 2011 Table of Contents 1. Summary of Key Engagement Outcomes .............................................................................. 3 2. IDA Internal Controls ............................................................................................................ 6 3. Other Activities and Staffing and Resource Utilization .......................................................... 6 Annex 1: List of Engagements Included in the FY11 Q3 Activity Report ..................................... 7 The Internal Audit Vice Presidency (IAD) is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of the WBG organizations. It assists WBG in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control and governance processes. The purpose of this report is to provide a high level overview of IAD activities since the last quarter to Senior Management and the Audit Committee. This Quarterly Activity Report is also publicly disclosed, under the Bank’s Access to Information Policy. IADVP Final FY 11 Third Quarter Activity Report / 2 1. Summary of Key Engagement Outcomes Twelve engagements have been completed by IAD since the last quarterly report. These included two Group-wide reviews (WBG), five IBRD/IDA (Bank), four The areas of management International Financial Corporation (IFC) reviews and one MIGA review. WBG reviews cover Group-wide strategies, end-to-end processes and/or shared services and administration of that have an impact on the institution as a whole. WBG staff benefits that could be improved were the design and 1. Audit of the Management and Administration of World Bank Group Staff Benefits: The review covered design aspects of the policy framework, implementation of governance structure, benefit administration, service delivery, data and system policies, enhanced change management, exception reporting and adequacy of quality assurance monitoring and processes. The review identified opportunities in the areas of policy design and performance standards. implementation, monitoring mechanisms, performance standards and system enhancements. The level of governance, 2. Audit of WBG Global Real Estate and Facilities Management: The scope of the audit included a review of WBG’s strategic framework for evaluating key real risk management and estate options, roles and responsibilities, controls over the execution and controls over real estate monitoring of construction, acquisitions and leases, use of external vendors for and facilities should be facilities management and compliance with significant policies and procedures. consistent between HQ The review indicated that governance processes and related controls over real estate and facilities in Headquarters are effective. However, real estate and and country offices. facility management in the country offices requires further attention, particularly in the areas of strategy and accountability. 3. Bank’s Process for Integrating Trust Funds in Country Programs : Controls for aligning recipient-executed trust funds (RETFs) and country-specific bank- executed trust funds (BETFs) with country priorities were adequate. However, there is an opportunity to improve the alignment of country priorities to financial intermediary funds (FIFs) and network-managed BETFs, as well as reporting of country-specific trust fund portfolios. IADVP Final FY 11 Third Quarter Activity Report / 3 1. Summary of Key Engagement Outcomes (continued) 4. The audit engagement of the Bank’s Trust Fund Financial Risk Management indicated that governance processes and related controls over the management Governance processes and of financial risks of trust funds (TF) are in place. The Bank maintains an related controls for the adequate Trust Fund Management Framework, which was reviewed and formally Trust Fund Financial Risk approved by the Board and addresses key aspects of TF management. Opportunities for improvement were identified on increasing donor awareness Management and Credit about exposure to currency risk, clarification of bank policies on the basis of Risk Management are in commitments for grants and enhancement of reporting. place. 5. Audit of Bank’s Commercial Credit Risk Management: The engagement indicated that operational controls over the management of commercial credit risk are operating effectively. The audit noted potential for improvement in the areas of documentation, key person dependency and system capability to aggregate counterparty exposure. In addition, similar to the challenge that most financial institutions are experiencing, there is dependency on credit rating agencies. 6. IAD concluded in the Audit of Bank Application Development and Maintenance (ADM) that the program, portfolio and project management The Application activities are well-managed. However, control improvements were noted in the Development and areas of application change management monitoring and the involvement of Maintenance reviews noted Enterprise Architecture in development projects. While IAD noted delays in some of the projects selected for review as well as occasional overruns of approved that the program and budgets, such exceptions were properly governed, decisions were taken in a portfolio activities for both transparent manner, and project and portfolio management activities were the Bank and IFC are well- appropriate. managed. 7. Audit of IFC Application Development and Maintenance (ADM): The audit determined that the ADM program and portfolio activities are well-managed through a centralized governance process. Control improvements were noted in the areas of application maintenance, project management and user access testing. IADVP Final FY 11 Third Quarter Activity Report / 4 1. Summary of Key Engagement Outcomes (continued) 8. Activities related to IFC’s Asset Management Company (AMC): This Continued focus on the engagement focus on IFC’s internal processes for handling AMC -related oversight of the newly matters and managing relevant risks. It included IFC’s oversight of its established Asset ownership of AMC, investment in AMC’s funds, reporting, risk management, provision of services to AMC and information technology security. The review Management Company of highlighted that continued focus is required on the implementation of defined IFC is required. procedures for managing its relationship with AMC. 9. IAD completed an Audit of the IFC iDesk Portal and determined that there is an opportunity to strengthen iDesk ownership and improve the monitoring of performance, functionality requirements and database activity. The change management process for the software or hardware associated with iDesk in general is appropriate. 10. Audit of MIGA’s Provisioning for Guarantee Losses: The engagement of MIGA’s Provisioning for Guarantee Losses identified that MIGA’s provisioning methodology has significantly improved since the introduction of the model in FY05. However, there is still room for improvement in the areas of reserve calculation, core parameters review and model change approval. Two of the twelve reports 11. IFC’s Donor Fund-Raising Activities for Advisory Services: Advisory issues were advisory Services management recognized that fund-raising activities should be conducted in a more structured manner and with greater coordination among engagements and related units raising funds at different levels of the organization. Management had to donor fund-raising already introduced a number of measures to facilitate information-sharing activities. among fundraisers and to disseminate donor intelligence. 12. Bank’s Donor Fund Raising Activities: This advisory review acknowledged Bank Management’s increasing awareness of the need for a more coordinated and structured approach to donor fund-raising. Management had already carried out consultations for fund-raising coordination and introduced a number of measures to improve information sharing and gathering donor intelligence. IADVP Final FY 11 Third Quarter Activity Report / 5 2. IDA Internal Controls 13. Review of the Implementation of Management’s IDA Internal Controls Assessment Five Point Action Plan: IAD continues to monitor the implementation of the corrective actions related to IDA Internal Controls. As of IAD continues to follow the close of Q3, four out of 22 corrective actions remained outstanding. These up and report on the corrective actions are related to clarifying lines of accountability; updating procurement policies; improving accessibility of operational documents and implementation of rationalizing processes and controls for Analytic and Advisory Activities. corrective actions related to IDA internal controls. Management is maintaining focus on the completion of the remaining corrective As of the time of issuance actions. IAD will also validate the operating effectiveness once the re-designed controls have been in operation for a sufficient period of time such that IAD can of this report, four items perform testing. While the implementation times of the corrective actions vary, remained outstanding. IAD anticipates that testing will be completed by the end of FY13. 3. Other IAD Activities 14. Results of Quality Assurance: As part of IAD’s Quality Assessment and Improvement Program (QAIP), a semi-annual internal review is conducted to As part of its Quality ensure that ongoing monitoring is performed at the engagement level. The Assurance and semi-annual review concluded that IAD is still in conformance with established Improvement Program, policies and procedures and the execution of newer audits indicated that the issues noted in the previous QAIP review were being addressed. IAD reviewed a sample of engagements completed Specifically, the following improvements were noted: in the first and second quarter of FY11.  Improved discipline in using the audit tool;  Improved articulation of audit objectives; and  Key performance indicators were established to track budgeted workdays and audit milestones for each engagement. There are still issues that need to be addressed. These include:  Maintaining consistency in documentation; and  Providing additional guidance to ensure consistency in reporting. IAD has utilized $8.3 15. Resources and Budget: IAD continues to exercise strict fiscal responsibility in million or 68% of its annual order to manage the budget. As of March 31, 2011, IAD had 48 permanent staff. budget. Total expenditures during FY11 Q3 were $2.8 million for a nine month total of $8.3 million representing 68% of the FY11 budget of $12.2 million. IADVP Final FY 11 Third Quarter Activity Report / 6 Annex 1: List of Engagements Included in the FY11 Q3 Activity Report 1 WBG Engagements (covering processes across Bank, IFC & MIGA) No. Entity Engagement Title Report No. Date Issued Audit of the World Bank Group Global Real Estate and Facilities 1 WBG WBG FY11-04 25-Feb-11 Management Audit of the Management and Administration of World Bank Group Staff 2 WBG WBG FY11-05 1-March-11 Benefits Bank Engagements No. Entity Engagement Title Report No. Date Issued 3 IBRD/IDA Audit of Bank Application Development and Maintenance IBRD FY11-08 15-Feb-11 4 IBRD/IDA Audit of Bank Trust Fund Financial Risk Management IBRD FY11-09 13-Apr-11 5 IBRD/IDA Advisory Review of Bank Donor Fund Raising IBRD FY11-10 15-Apr-11 6 IBRD/IDA Audit of Commercial Credit Risk Management IBRD FY11-11 19-Apr-11 7 IBRD/IDA Audit of Bank’s Process for Integrating Trust Funds in Country Programs IBRD FY11-11 15-Apr-11 IFC Engagements No. Entity Engagement Title Report No. Date Issued 8 IFC Audit of IFC Application Development and Maintenance IFC FY11-05 9-Mar-11 9 IFC Review of IFC’s Donor Fund-Raising Activities for Advisory Services IFC FY11-04 25-Feb-11 Audit of IFC's Activities related to its Asset Management Company 10 IFC IFC FY11-06 30-Mar-11 (AMC) 11 IFC Audit of IFC iDesk Portal IFC FY11-07 12-Apr-11 MIGA Engagement No. Entity Engagement Title Report No. Date Issued 12 MIGA Audit of MIGA's Provisioning for Guarantee Losses MIGA FY11-02 22-Apr-11 1 As per paragraph 16 (d) of the Bank’s Access to Information Policy, July 1, 2010, audit reports prepared by IAD shall not be publicly disclosed, except its finalized Annual and Quarterly Activity Reports. IADVP Final FY 11 Third Quarter Activity Report / 7