FAST TRACK BRIEF
January 14, 2009

The IEG report "Review of IDA Internal Controls: An Evaluation of Management's Assessment and the IDA Review," was discussed by CODE on January 14, 2009

Review of IDA Internal Controls: An Evaluation of Management's Assessment and the IAD Review

IEG's evaluation found that IDA's internal controls framework operates to a high standard overall, giving reasonable assurance that controls operate effectively, but it identified weaknesses in parts of the framework. IEG found one material weakness in the IDA controls framework, which is in the complex of controls governing IDA's efforts to ensure against fraud and corruption in lending operations. The independent evaluation was based on management's detailed self-assessment.

IDA stakeholders want to be assured that IDA complies with its Articles and policies, and that the funds it provides for development purposes are used as intended and have measurable results. A key purpose of IDA's control system is to provide such assurance. Hence, the Board of Executive Directors requested a full evaluation of the system by the Independent Evaluation Group (IEG), through an assessment by IDA management and a review by the Internal Audit Department. The evaluation is the first of its kind not only for the Bank but also for all international financial organizations. In this sense the Bank and IDA have taken an important lead in assessment of internal controls.

In this concluding step in the exercise, IEG finds that, with some important qualifications, IDA's internal controls framework operates to a high standard overall, giving reasonable assurance that the controls operate effectively. The weaknesses are concentrated mainly in the areas of fiduciary controls and the related lack of a specific focus on controls at the transactions level against fraud and corruption in operations supported by IDA. With regard to the management assessment, IEG finds its approach and method as transparent, well documented, and comprehensive. The analysis includes several recommendations. First, controls over possible fraud and corruption in IDA operations should be addressed on a broad front, starting with risk management processes and country assistance strategies, and including the development and deployment of specific additional instruments directed at fraud and corruption issues at the level of programs and projects. Second, the implementation of remedies for the other control deficiencies should be closely monitored.

Management has recognized the need for such remedies, and many are contained in the Governance and Anti-corruption (GAC) program currently being implemented (including some still under preparation). These remedies appear in both scope and content to address the key issues, and they correspond well to those suggested by IEG in this report. However, they are not yet sufficiently operative to be tested and, if effective, thereby lessen the materiality of the controls weaknesses identified. IEG thus believes it would be premature to conclude that F&C risks have been successfully resolved under the current IDA controls framework.

Approach and Method

During the IDA14 Replenishment process, in response to shareholder concerns, World Bank management committed to have carried out (by IEG) "an independent comprehensive assessment of IDA's internal control framework, including internal controls over IDA operations and compliance with its charter and policies." In the process agreed with the Board, management would assess the controls, the Internal Audit Department (IAD) would then review the assessment, and IEG would conduct an independent evaluation of both the management and IAD reports.

Management used the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework as the basis for its assessment. It divided its study into two parts, Part I dealing with compliance issues within business transactions, and Part II dealing with efficiency and effectiveness issues within IDA entity-level controls. Part IA of the review was completed in late 2006 and Part IB in mid 2007.

This report presents IEG's evaluation of the effectiveness of IDA's integrated internal controls framework. The evaluation covers both methods and findings, taking Parts I and II together.

IEG has evaluated management's approach and method as transparent, well documented, and comprehensive, though it would have been preferable to have examined the entity-level controls before the transactions level controls--in other words, for Part II to have preceded Part I, because this would have enabled a more prioritized, risk-based focus to the transactions level assessment.

Key Findings of Part II

Evidence presented by management for both the entity- and transactions-level controls gives reasonable assurance--except for weaknesses identified in certain parts of the overall framework--that controls operate effectively. With these exceptions, the controls framework provides Senior Management and the Board with reasonable assurance that the three COSO objectives are being achieved: Reliable financial reporting, compliance with policies and procedures, and the efficiency and effectiveness of operations. Evidence of controls effectiveness at the entity level (based on questionnaire results) includes pass rates ranging from 92 percent to 95 percent, depending on the method. The earlier evidence at the transactions level includes a pass rate of 93 percent (document-based testing of key controls).

Management, IAD, and IEG all found that, while the overall framework is robust, there are weaknesses that are concentrated in a few key areas. The three parties generally agree on the nature of the deficiencies uncovered, but there are somewhat different judgments as to their materiality: IEG found one material weakness and six significant deficiencies. Management found significant deficiencies in five areas but no material weakness. IAD found that a material weakness will arise if a combination of significant deficiencies in fiduciary controls, entity-level controls, controls over fraud and corruption, and information technology (IT) controls are not remedied in timely manner.

Evaluating Controls Under COSO. IEG evaluated the overall effectiveness of the entity-level controls framework under COSO and compared the relative strengths of controls within each of the five COSO components, using the audit standards agreed for the review. The overall rating is satisfactory with qualifications, and this rating was given equally to controls within all five components.

Material Weakness. Evidence emerged during the review--commensurate with the known prevalence of fraud and corruption (F&C) in many borrowing countries--that suggested that there are significant risks of F&C impinging on IDA's lending operations. There has been progress in building the Bank's governance and anti-F&C agenda. However, both the specific tools to address F&C issues at the transactions level in IL and heightened efforts to support the building of client country systems that can protect IDA funds from F&C in DPL/PRSC type lending (i.e. budget support) have been put in place only recently, and their overall effectiveness cannot yet be tested. These weaknesses are reinforced by significant deficiencies found in other related controls: in risk management, project financial management, and procurement. Since the risk of fraud and corruption by local beneficiaries, contractors and other stakeholders can result in diversion of funds that, in the worst case, can impair IDA's mission, IEG considers this weakness to be a material weakness.

IEG stresses that this finding is based on the risk of F&C rather than any clear measure of the extent to which F&C may have actually occurred in operations supported by IDA financing. It should also be kept in mind that weak governance is a widespread problem and a fundamental dimension of the development challenge, and the risk of misuse of funds exists not only for IDA but also for its development partners. The challenge, which IDA is now addressing, is to bring it more into the open and match it with risk management controls.

Significant Deficiencies. At the conclusion of this final part of the evaluation, IEG found six significant deficiencies: (i) a need to maintain the currency of the Bank's Operational Policies and Bank Procedures (OP/BPs); (ii) a need for improved systems of document retention and accessibility; (iii) generic weaknesses in controls over financial management and procurement processes (Part I); (iv) a need for improved management oversight of project processing and supervision, coupled with improved staff incentive structures and performance accountability; (v) a need to improve risk management, including inserting specific F&C risk factors into the Risk Scan and integrating risk treatment from the entity level to the activity level; (vi) a need for greater IT security in some areas.

Other Deficiencies. During the two parts of the review a total of over 160 deficiencies of various kinds were identified. These are numerous but relatively minor weaknesses, which neither individually nor collectively rise above the level of minor deficiencies. Most of these have now been remedied or their remedies are in progress.

IAD Review and Opinion. IAD noted the significant deficiencies and other issues uncovered by the assessment in Parts I and II and, based on its review, expressed the opinion that management's assessment and qualified conclusions as to the effectiveness of IDA's internal controls review were fairly stated. However, it pointed to the identified significant deficiencies relating to fiduciary controls, entity-level controls, IT controls, and fraud and corruption controls, which in combination could create vulnerabilities which, if not remedied in a timely manner, could lead to a material weakness. IEG is unclear about the meaning of this, since if any weakness or deficiency has been identified, it should be considered to exist until mitigating measures have been introduced and proven to be effective.

Accomplishments of the review: This was the first review of this kind for any multilateral financial institution. It has thus broken new ground both in creating methodologies (controls mapping and testing, the ELCQ, the IEG templates) and in building strong factual knowledge about the Bank's internal controls framework. The corpus of materials emanating from the review provides a solid basis for mounting similar reviews in the future and for other analytical exercises. The review has also led to an acceleration in the developing of new controls for good governance within IDA's client countries, and specifically within IDA operations.

Advisory Panel

IEG was assisted by a senior international Advisory Panel. It concluded that the evaluation of IDA's controls has been a comprehensive, timely and responsible initiative, and that the approaches and specific tools have been consistent with what the Panel would expect from an independent evaluation. The Panel agreed with the IEG finding of one material weakness and endorsed the reasoning underlying the finding, as it did for the six significant deficiencies. The Panel expressed the view that for an organization as significant and complex as the Bank, such findings would be common for a first review, and it concluded that the outcome of the overall Review reflects a high level of effectiveness compared to results in other organizations of similar size and complexity but with less international involvement.

Recommendations

Based on its evaluation, IEG makes the following recommendations to IDA management:

(a) Address on a broad front the controls needed to ensure that F&C practices in IDA client countries and among participating stakeholders do not impinge on IDA's mission. Actions could include:

· Accelerate implementation of the ongoing Governance and Anti-Corruption (GAC) program, and devote additional attention and resources to building an organizational culture and incentive structure in which the risks of F&C are explicitly and cost-effectively addressed in the management of IDA's operations. While Management has correctly observed that such awareness has been spreading, including through the follow-up to the Volcker report, the systematic integration of this awareness into daily operations still has some way to go and needs to be given sustained emphasis going forward.

· Develop and deploy specific F&C related instruments into the Bank's Risk Scan processes, CASs, lending and project designs, and ISRs. Remedies have already been initiated as part of the GAC initiative and the Volcker Report, and INT has recently become involved in helping to design toolkits to address F&C at various levels of the lending cycle, although it is too early to judge the impact of these initiatives. It is also important to link country-based risk assessments through the Risk Scan to specific tools to address lending risks in both IL and DPL/PRSC type lending.

· Continue the ongoing reforms of FM and PR processes (launched in response to the findings of this review) and link them closely to the F&C agenda. These are key elements in the Bank's fiduciary and governance systems, but evidence from the review suggests that new toolkits (such as those being developed under the "GAC in Projects" program) need to be deployed, made operative and later tested for effectiveness.

· Intensify IDA support to strengthen clients' fiduciary and governance systems, recognizing that this is a principal means to guard against F&C and to ensure the effective use of IDA resources (and the only means to do so in the case of budget support operations such as PRSCs). In the case of DPL/PRSC operations, special emphasis needs to be given to developing tools that could attach, for example, to the Letter of Development Policy and to CFAA requirements, to raise the attention to systemic F&C issues at the country level.

· Make arrangements for testing the operating effectiveness of these and other new controls at some appropriate time in the future, since the material weakness and other identified deficiencies will be deemed to persist until this has been done.

(b) Closely monitor the implementation of remedies for control deficiencies, including:

· The measures currently in progress to update the OP/BPs. These also need to be extended to key areas (AAA, F&C) not yet covered or where new policies are being developed.

· A mechanism to ensure the future currency of OP/BPs. There has been progress in bringing the body of OP/BPs into conformity with overall Bank and IDA policies and strategic goals, and IEG has therefore downgraded the weakness uncovered in this area during Part I from a potential material weakness to a significant deficiency.

· Improved documentation retention and accessibility and a user-friendly documentation management system. In its Part IB report IEG had already downgraded the materiality of this issue from a potential material weakness to a significant deficiency. However, the needed IT systems are not yet in place and the Enterprise Content and Document Management (ECDM) system of which they will be a part should be developed as a matter of priority.

· Mechanisms to correct and monitor the several IT systems deficiencies identified. These included password management, business continuity and change management, and need for tighter control over IT access privileges for staff who rotate into new positions.

· Measures to address the about 100 identified other as yet unresolved deficiencies. Remedies for many of these are already in progress, but specific monitoring is needed given the wide front and many areas in which remedial actions are needed.

About Fast Track Briefs

Fast Track Briefs help inform the World Bank Group (WBG) managers and staff about new evaluation findings and recommendations. The views expressed here are those of IEG and should not be attributed to the WBG or its affiliated organizations. Management's Response to IEG is included in the published IEG report. The findings here do not support any general inferences beyond the scope of the evaluation, including any inferences about the WBG's past, current or prospective overall performance.

The Fast Track Brief, which summarizes major IEG evaluations, will be distributed to World Bank Group staff.
If you would like to be added to the subscription list, please email us at ieg@worldbank.org, with "FTB subscription" in the subject line and your mail-stop number. If you would like to stop receiving FTBs, please email us at ieg@worldbank.org, with "FTB unsubscribe" in the subject line.

Contact IEG:
Director-General, Evaluation: Vinod Thomas
Director: Cheryl Gray (IEG-WB)
Task Manager: Nils Fostvedt (IEGCR)

Copies of the report are available at: http://www.worldbank.org/ieg/idacontrols
IEG Help Desk: (202) 458-4497
E-mail: ieg@worldbank.org