IEG finds that overall IDA’s internal controls framework operates effectively and with high standards, but with some important qualifications.
IEG also finds that the management assessment is transparent, well documented and comprehensive.
However, while the overall framework is robust there are weaknesses (classified as significant deficiencies) that are concentrated in six areas: some fiduciary processes; management oversight of project processes; keeping the Bank’s Operational Policies and Bank Procedures (OP/BPs) in line with current policy; maintaining ready access to operational documentation; improving operational risk management; and greater IT security in some areas.
IEG identifies one important weakness (classified as a material weakness) in the complex of controls to manage the risk of fraud and corruption in operations supported by IDA.
This finding is based on the identification of the risk that fraud and corruption may occur rather than on an assessment of actual occurrences. The weaknesses identified by IEG could potentially increase the risk of misuse of funds for IDA and its development partners unless actions are taken. The finding presents the challenge of addressing the risks more explicitly and to match them with appropriate risk management controls, recognizing that weak governance is a fundamental dimension of the development challenge for IDA and all of its development partners.
Controls over possible fraud and corruption in IDA operations should be addressed on a broad front.
Some actions for this and the other identified control issues could include:
- Deploy specific measures and controls to address fraud and corruption risks into overall risk management and key processes for country assistance strategies, lending design and project supervision.
- Accelerate implementation of the ongoing Governance and Anticorruption (GAC) program and devote additional attention and resources to building an organizational culture and incentive structure that addresses the risks of fraud and corruption, explicitly and cost-effectively.
- Intensify IDA support to strengthen its controls over fiduciary and governance systems and to improve local governance and fiduciary system in client countries.
- Closely monitor the implementation of the remedies for the six significant deficiencies, all of which are contained in one or other of management’s remedial action plans already being implemented.
Closely monitor the implementation of remedies for control deficiencies, including:
- The measures currently in progress to update the OP/BPs.
- A mechanism to ensure the future currency of OP/BPs.
- Improved documentation retention and accessibility and a user-friendly documentation management system.
- Mechanisms to correct and monitor the several IT systems deficiencies identified.
- Measures to address the about 100 identified other as yet unresolved smaller deficiencies.
In its response to the evaluation, Senior Bank Management states that it has moved in formulating and beginning the implementation of corrective measures to address the issues identified by IEG, with most actions in process and many expected to be completed by June 2009. These actions are aimed at strengthening and refocusing IDA’s internal controls to address better governance and anti-corruption issues, enhancing risk identification and management at transaction and entity-levels, and improving effectiveness and efficiency of investment lending.
IEG supports the actions proposed by Bank management as they correspond well to those suggested by the IEG evaluation. At the same time, they are not yet sufficiently operative at this time to be tested or their results evaluated.
A LOOK INSIDE THE REPORT
This evaluation was carried out in two parts, both involving contributions from Bank’s Management, the Internal Audit Department (IAD), and the Independent Evaluation Group (IEG). Part one (volumes IV and V) looks at process mapping and effectiveness of control design (October 2006), and the compliance testing of key controls (June 2007). Part two (volumes I through III) covers a review of entity-level controls (December 2008), and the final evaluation text. The table below presents a further breakdown: