This is the accessible text file for GAO report number GAO-03-366 
entitled 'World Bank Group: Important Steps Taken on Internal Control 
but Additional Assessments Should Be Made' which was released on June 
16, 2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Committees:

June 2003:

World Bank Group:

Important Steps Taken on Internal Control but Additional Assessments 
Should Be Made:

GAO-03-366:

GAO Highlights:

Highlights of GAO-03-366, a report to Congressional Committees 

Why GAO Did This Study:

The Congress passed Public Law 106-429 because it was concerned about 
the sufficiency of external audits of the financial operations of the 
World Bank Group, a set of multilateral development banks. This law 
provides that GAO report on the sufficiency of such audits of each 
Bank Group entity. As agreed with your offices, GAO addressed (1) the 
extent that the external auditor was providing assurance on internal 
control over financial reporting, operations, and compliance with key 
provisions of bank charters and policies in conjunction with financial 
statement audits and (2) the role the Bank Group’s audit committee 
plays in providing oversight of external financial statement audits 
and internal control.

What GAO Found:

The Bank Group has taken important steps in strengthening its 
assessment and reporting on internal control, including (1) 
implementing a structured internal control framework, (2) conducting 
the internal control assessments necessary to provide its external 
auditor with an assertion about the effectiveness of the Bank Group’s 
internal control over external financial reporting, and (3) 
contracting with its external auditor to provide an opinion, in 
conjunction with the financial statement audit, on whether 
management’s assertion on internal control over external financial 
reporting is fairly stated. However, Bank Group management does not 
include an assertion on internal control over operations and 
compliance matters, and it has not asked the external auditor to give 
an opinion on those internal controls. During our review, we were told 
that the Bank Group does not yet have plans to conduct a comprehensive 
assessment of those controls. The Bank Group’s external financial 
statement audits do not, and are not intended to, provide specific 
assurance about the internal control over the Bank Group’s operations 
and whether the funds are spent for their intended purposes. Given the 
inherent risks in the banks’ activities, additional assurance on these 
other categories of internal control—operations and compliance—would 
provide an added level of assurance to the Bank Group and its member 
countries that funds were used for their intended purposes. 

The Bank Group has established an audit committee that provides 
oversight of external financial statement audits and internal control. 
A major function of the committee is to nominate an external auditor 
and determine the scope of the auditor’s work and the reports to be 
submitted by the auditor. The audit committee also has the external 
auditor give an opinion, in conjunction with the financial statement 
audit, on management’s assertion on the Bank Group’s internal control 
over external financial reporting. The audit committee has the 
authority to expand the external audits to include the auditor giving 
opinions on internal control over operations and compliance matters. 
Alternatively, the audit committee is also well-positioned to assign 
to an internal party or provide an external party the task of 
providing a thorough assessment of such controls. 

What GAO Recommends:

To provide greater assurance that the Bank Group’s funds are spent as 
intended, GAO is making recommendations for a comprehensive assessment 
of internal control over operations and compliance matters and annual 
evaluations of such controls.

The Bank Group and the U.S. Treasury Department agreed on the need for 
a comprehensive assessment of those controls. Treasury did not agree 
that annual evaluations should be done and the Bank Group, which has 
reforms on those controls underway, made no comment on timing. We 
continue to believe that such annual evaluations are necessary.

www.gao.gov/cgi-bin/getrpt?GAO-03-366.
To view the full report, including the scope and methodology, click on 
the link above. For more information, contact Jeanette Franzel at 
(202) 512-9406 or franzelj@gao.gov.

[End of section]

Letter:

Results in Brief:

Scope and Methodology:

Background:

Bank Group Has Taken Important Steps on Internal Control but Reporting 
Could Be Expanded:

Bank Group Has Established an Audit Committee That Provides Oversight 
of Financial Reporting and Internal Control:

Conclusions:

Recommendations for Executive Action:

Agency Comments and Our Evaluation:

Appendixes:

Appendix I: Components of Internal Control under COSO:

Appendix II: Transparency International’s 2002 Corruption Perception
Index:

Appendix III: Comments from the World Bank Group:

Appendix IV: Comments from the Department of the Treasury:

Tables: 

Table 1: Bank Group’s Development Assistance and New Projects in 2002:

Table 2: U.S. Resources Provided to the Bank Group through June 30, 
2002:

Table 3: Bank Group Entities’ Bases of Accounting and Auditing
Standards:

Table 4: World Bank Units Responsible for Internal Control and
Oversight of Operations: 
Table 5: Audit Committee Responsibilities:

Figures: 

Figure 1: Bank Group’s Components and Functions:

Figure 2: Bank Group’s Flow of Government Funding and External
Audit Reporting:

Figure 3: Categories of Internal Control:

Figure 4: Countries Included in Transparency International’s 2002
CPI:

Abbreviations:

COSO: Committee of Sponsoring Organizations of the Treadway Commission:

CPI: Corruption Perception Index:

IAS: International Accounting Standards:

IBRD: International Bank for Reconstruction and Development:

IDA: International Development Association:

IFC: International Finance Corporation:

ISA: International Standards on Auditing :

MDB: Multilateral Development Bank:

MIGA: Multilateral Investment Guarantee Agency:

U.S. GAAP: U.S. generally accepted accounting principles:

U.S. GAAS: U.S. generally accepted auditing standards:

Letter June 16, 2003

Congressional Committees:

Multilateral Development Banks (MDBs) were established to provide 
financial support for projects and programs designed to promote social 
and economic progress in developing countries throughout the world. In 
fiscal year 2002, the United States provided approximately $1.3 billion 
to support the missions of the MDBs, with about $820 million going to 
the World Bank Group (Bank Group) and about $460 million going to 
regional MDBs.[Footnote 1] As a group, the MDBs are the largest source 
of development aid for middle-and low-income countries.

Section 803(a) of the Foreign Operations, Export Financing, and Related 
Programs Appropriations Act, 2001 (Public Law 106-429) provides that 
GAO report annually on the sufficiency of audits of the financial 
operations of each MDB conducted by the persons or entities outside the 
bank. This is the third in a series of reports in response to Public 
Law 106-429's reporting requirement.[Footnote 2] As agreed with your 
offices, this report covers the following MDBs, which are all part of 
the World Bank Group:[Footnote 3]

* International Bank for Reconstruction and Development,

* International Development Association,

* International Finance Corporation, and:

* Multilateral Investment Guarantee Agency.

The International Bank for Reconstruction and Development and the 
International Development Association, which accounted for 80 percent 
of the development assistance the Bank Group provided to developing 
countries in 2002, are referred to as the "World Bank." Financial 
statement audits and the related assurance on internal control provided 
by the external auditor are important for the Bank Group entities 
because they:

* have missions that emphasize distributing funds for development and 
accountability for the use of those funds;

* operate in countries where transparency and accountability are ranked 
among the lowest in the world; and:

* are multilateral entities not subject to oversight by any single 
national government.

Because borrowing countries often lack the transparency and 
accountability needed to prevent and detect corruption, the Bank Group 
entities that provide loans risk having the funds used for purposes 
other than those intended. The United States and other donors have 
indicated that they are concerned about these risks. Donors want to be 
assured that the funds they provide are used only for the intended 
purpose, and the Bank Group's lending entities need to assure donors 
that the standard of care over those funds meets donor expectations. 
Representatives from the United States and the European Union[Footnote 
4] have recently stated that they plan to increase contributions to the 
world's poorest countries if they have assurance that the funds they 
are providing are used as intended in developing countries and have 
measurable results.

As agreed with your offices, this report addresses the following two 
specific areas related to the World Bank Group's external financial 
statement audit process:

1. the extent to which the Bank Group entities are obtaining assurance 
from their external auditor on internal control[Footnote 5] over 
financial reporting, operations, and compliance with key provisions of 
their charters and policies in conjunction with their financial 
statement audits and:

2. the role the Bank Group's audit committee plays in providing 
oversight of financial statement audits and internal control.

Results in Brief:

The Bank Group has taken important steps in strengthening its 
assessment and reporting on internal control, such as (1) implementing 
a structured internal control framework, (2) conducting the internal 
control assessments necessary to provide its external auditor with an 
assertion on the effectiveness of the Bank Group's internal control 
over external financial reporting, and (3) contracting with its 
external auditor to provide an opinion, in conjunction with the 
financial statement audit, on whether management's assertion on 
internal control over external financial reporting is fairly stated. 
However, Bank Group management does not include an assertion on 
internal control over operations and compliance with key provisions of 
its bank charters and policies, and it has not asked the external 
auditor to give an opinion on those internal controls. Although the 
banks' charters do not specifically call for an assertion or external 
review of internal control over operations and compliance, they do 
state that the banks are to take the necessary measures to ensure that 
the proceeds of any loan made, guaranteed, or participated in by them 
are used only for the purposes for which the loan was granted. The Bank 
Group's external financial statement audits do not, and are not 
intended to, provide specific assurance about the internal control over 
the Bank Group's operations and whether the funds are spent for their 
intended purposes. Given the inherent risks in the banks' activities, 
additional assurance on these other categories of internal control--
operations and compliance--would provide an added level of assurance to 
the Bank Group and its member countries that funds were used for their 
intended purposes.

The Bank Group has established an audit committee that provides 
oversight of financial statement audits and internal control. A major 
function of this committee, a subgroup appointed by the board of 
executive directors at the Bank Group entities, is to nominate an 
external auditor for external audits and determine the scope of the 
auditor's work and the reports to be submitted by the auditor. The Bank 
Group's audit committee also has the external auditor provide an 
opinion, in conjunction with the financial statement audit, on 
management's assertion on the Bank Group's internal control over 
external financial reporting. The audit committee has the authority, as 
part of determining the scope of the auditor's work, to expand the 
external audits to include the auditor giving opinions on internal 
control over operations and compliance with bank charters and 
provisions. Alternatively, the audit committee is also well-positioned 
to assign an internal party or provide an external entity the task of 
providing a thorough assessment of such controls. However, during our 
review, we were told that the Bank Group does not yet have plans to 
provide a comprehensive assessment of its controls.

We recommend that the Secretary of the Treasury--who is responsible for 
the federal government's interactions with the Bank Group entities--
instruct the U.S. Executive Director for the Bank Group to take the 
lead in working with other executive directors in developing a policy 
requiring these Bank Group entities to enhance the audit function and 
reporting of their financial operations. This would entail conducting a 
comprehensive evaluation of internal controls over operations and 
compliance to determine whether such controls are in place and are 
functioning properly to prevent misuse of funds and to ensure 
compliance with key provisions of bank charters and policies. This 
group of executive directors would report annually to the Board of 
Executive Directors, through the audit committee, on the progress made. 
This evaluation could be carried out in any of several ways, including 
through the internal audit function; by the external auditor, in 
conjunction with the financial statement audit; by another entity 
within the Bank Group; or by an external party, such as a consultant. 
These Bank Group entities should also provide the results of the 
assessment to member countries annually.

In its comments, the World Bank Group welcomed our recommendation for a 
comprehensive assessment of internal controls over operations and 
compliance with bank charters and policies but did not comment on our 
recommendation that such evaluations be conducted annually. The Bank 
Group stated that given the many reforms it has underway to strengthen 
its control framework, an assessment of internal control over 
operations and compliance would be most useful if undertaken once the 
range of changes over those controls is substantially in place. We 
agree that effective timing for implementing our recommendation would 
coincide with the Bank Group's implementation of reforms. It added that 
such changes are expected to be complete in about 18 to 24 months.

In its comments, the Department of the Treasury agreed with our 
recommendation for a comprehensive evaluation of internal controls over 
operations and compliance but not with our recommendation for annual 
evaluations because it contends that the overall structure of internal 
controls changes infrequently and usually only marginally. It suggests 
a one time comprehensive evaluation with periodic updates. We remain 
convinced that the Bank Group should report annually on those controls 
given the inherent risks in the Bank Group entities' lending 
activities.

Scope and Methodology:

Public Law 106-429, Appendix A, Title VIII, identifies 10 MDBs to be 
included in the scope of our work. In prior work, we addressed 6 of the 
MDBs listed in the law--the African Development Bank, African 
Development Fund, Asian Development Bank, European Bank for 
Reconstruction and Development, Inter-American Development Bank, and 
the Inter-American Investment Corporation. As agreed with your offices, 
this report focuses on the external financial statement audit and 
internal control reporting process of the remaining four MDBs--which 
are all part of the Bank Group--listed in the law:

* International Bank for Reconstruction and Development (IBRD),

* International Development Association (IDA),

* International Finance Corporation (IFC), and:

* Multilateral Investment Guarantee Agency (MIGA).

To meet our objectives, we met with Department of the Treasury 
officials and a representative of the office of the U.S. Executive 
Director for the Bank Group. We also:

* reviewed the Bank Group entities' 2002 and 2001 audited financial 
statements and the external auditors' opinions on the financial 
statements and identified the accounting principles and auditing 
standards used,

* inquired of World Bank management and obtained information on the 
audit committee, external audits, and the extent of the external 
auditor giving opinions on internal control over financial reporting, 
operations, and compliance matters,

* analyzed and compiled relevant financial information from the Bank 
Group entities' annual reports and their audited financial statements,

* reviewed the banks' terms of reference to identify the scope of the 
audit committee's oversight and compared them to relevant guidance on 
widely accepted internal control frameworks,

* reviewed widely accepted internal control frameworks, such as 
Internal Control--Integrated Framework issued by the Committee of 
Sponsoring Organizations of the Treadway Commission and Guidelines for 
Internal Control Standards developed by the International Organization 
of Supreme Audit Institutions, and:

* discussed various options for reporting on internal control with 
representatives from the international accounting firm responsible for 
the financial statement audits of the Bank Group entities.

The Bank Group entities are multilateral, international entities that 
are autonomous, and the United States, as an individual member country, 
generally does not have audit authority over their operations. Thus, it 
was not part of our scope to evaluate the components of the Bank Group 
entities' internal control governance structure, nor did we evaluate 
the quality of the external auditor's work on their financial statement 
audits and internal control examinations over external financial 
reporting. Moreover, it was not part of our scope to determine whether 
the audit committee members were independent of the Bank Group entities 
they served.

It was also not part of our scope to make any site visits to review any 
Bank Group entities' projects or programs. In accordance with GAO's 
agreement with the Bank Group and the Department of the Treasury on 
this assignment, our interaction with officials from the Bank Group was 
limited to the designated representative from the office of the U.S. 
Executive Director for the Bank Group. The articles of agreement 
establishing the Bank Group entities require the United States to deal 
with those organizations only through the Department of the Treasury. 
Therefore, we used Treasury officials as a conduit for obtaining 
information to conduct our work.

We conducted our work in Washington, D.C., from May 2002 through March 
2003 in accordance with U.S. generally accepted government auditing 
standards. In May 2003, we received comments from the World Bank Group 
and the Department of the Treasury, which are reproduced in their 
entirety in appendixes III and IV. In addition, the Bank Group also 
provided a number of suggested technical changes to our report, which 
we incorporated as appropriate.

Background:

The Bank Group entities included in this report--IBRD, IDA, IFC, and 
MIGA--are multilateral, international entities with a mission to fight 
poverty and improve the living standards of people in developing 
countries throughout the world by providing development assistance in 
the form of loans, equity investments, loan and equity guarantees, and 
technical assistance. National governments are the shareholders--
referred to as members--of the Bank Group. These members include 
developing countries[Footnote 6] that borrow from the Bank Group as 
well as industrialized member countries. All members, including 
borrowing members, contribute to the capital of the Bank Group and 
participate in oversight and in setting operating policies through 
their participation on the boards of governors and executive boards. 
See figure 1 for a summary of the components of the Bank Group and 
their functions.

Figure 1: Bank Group's Components and Functions:

[See PDF for image]

[End of figure]

The lending activities of the Bank Group can be grouped primarily into 
the following two types: market-based lending primarily done by IBRD 
and concessional lending primarily done by IDA.[Footnote 7] IBRD 
provides loans with market-based rates that are financed primarily 
through borrowings from world capital markets, members' paid-in 
capital, and retained earnings. Members also provide support through 
subscriptions of callable capital.[Footnote 8] Because of the 
significant proportion of callable capital that is subscribed by 
members with strong credit ratings, including the United States, IBRD 
is able to use callable capital as backing to obtain more favorable 
financing terms when borrowing from world capital markets than would 
otherwise be available. To date, IBRD has never made a call on this 
capital.

IDA provides concessional loans to the poorest of the developing 
countries--those meeting certain eligibility requirements--and is 
financed through contributions from member countries and borrower 
repayments of outstanding loans. These loans are called "concessional" 
because they are provided with below-market interest rates and extended 
repayment terms.

Due to the nature of concessional lending and the credit risks[Footnote 
9] of borrower countries, the concessional lending arms do not have 
callable capital subscriptions and do not borrow from world capital 
markets to finance their operations. Unlike IBRD, which borrows from 
world capital markets to fund lending, IDA relies on capital 
replenishments or periodic contributions by members in addition to 
repayments from loans and transfers of net income from IBRD. As of June 
30, 2002, the Bank Group had outstanding loans of about $230 billion, 
and concessional loans constituted 42 percent, or about $96 billion, of 
that total.

In 2002, the Bank Group entities approved about $24.4 billion of 
development assistance consisting of loans, loan guarantees, and equity 
investments for 466 new economic and social development operations and 
projects. Loans with market-based interest rates, equity investments, 
and loan guarantees accounted for about $16.3 billion of the total 
financial support provided by the Bank Group during 2002, while 
concessional lending amounted to about $8.1 billion. See table 1 for a 
summary of development assistance in 2002 and number of new projects, 
by Bank Group entity.

Table 1: Bank Group's Development Assistance and New Projects in 2002:

Dollars in millions: 

Bank Group entity: International Bank for 
Reconstruction and Development; Development assistance: $11,500; New 
projects: 96.

Bank Group entity: International Development 
Association; Development assistance: 8,100; New projects: 133.

Bank Group entity: International Finance 
Corporation; Development assistance: 3,600; New projects: 204.

Bank Group entity: Multilateral Investment 
Guarantee Agency; Development assistance: 1,200; New projects: 33.

Bank Group entity: Total; Development assistance: 
$24,400; New projects: 466.

Source: The World Bank Annual Report, 2002.

[End of table]

The Bank Group entities' activities are overseen through a board of 
governors, with a governor from each member country. In general, a 
board of governors is responsible for admitting new members, 
authorizing agreements for cooperation with other international 
organizations, deciding about the board of executive directors, 
approving the Bank Group entities' financial statements, determining 
the reserves and the distribution of profits, and deciding the scope of 
operations. Each Bank Group entity also has a board of executive 
directors, which is responsible for, among other things, overseeing the 
banks' daily operations, ensuring the implementation of the decisions 
of the board of governors, and approving the budgets of the banks. The 
Bank Group entities' own management and staff of international civil 
servants carry out the daily operations.

The United States is a member in all the Bank Group entities discussed 
in this report, contributing significant amounts to support their 
missions and subscribing to a significant amount of their callable 
capital. The Congress appropriates funds for U.S. contributions and 
capital subscriptions to the Bank Group. In fiscal year 2002, the 
Congress appropriated about $800 million in U.S. contributions and 
approved about $20 million of new subscriptions to callable capital for 
the Bank Group. The Department of the Treasury oversees U.S. interests 
in the Bank Group. See table 2 for a summary of U.S. support of about 
$58.7 billion provided to the components of the Bank Group entities 
from their inception through June 30, 2002.

Table 2: U.S. Resources Provided to the Bank Group through June 30, 
2002:

Dollars in millions: 

Bank Group entity: International Bank for 
Reconstruction and Development; U.S. paid-in capital or contributions: 
$1,998; U.S. callable capital: $29,966.

Bank Group entity: International Development 
Association; U.S. paid-in capital or contributions: 25,842; U.S. 
callable capital: -.

Bank Group entity: International Finance 
Corporation; U.S. paid-in capital or contributions: 569; U.S. callable 
capital: -.

Bank Group entity: Multilateral Investment 
Guarantee Agency; U.S. paid-in capital or contributions: 63; U.S. 
callable capital: 266.

Bank Group entity: Total; U.S. paid-in capital or 
contributions: $28,472; U.S. callable capital: $30,232.

Source: Bank Group entities' 2002 annual reports.

[End of table]

The Bank Group entities prepare their financial statements to comply 
with different bases of accounting. They present their financial 
statements using U.S. generally accepted accounting principles (U.S. 
GAAP), international accounting standards (IAS), and special purpose 
basis of accounting, as shown in table 3. According to the Bank Group, 
due to the special nature and organization of the IDA, the concessional 
lending arm of the Bank Group, it prepares special purpose financial 
statements that are meant to show the sources and uses of resources to 
comply with its articles of agreement.[Footnote 10]

Table 3: Bank Group Entities' Bases of Accounting and Auditing 
Standards:

Bank Group entity: International Bank for Reconstruction and 
Development; Accounting standards used to prepare financial statements: 
U.S. GAAP and IAS; Auditing standards used to perform audit work: U.S. 
Generally Accepted Auditing Standards (U.S. GAAS) and International 
Standards on Auditing (ISA).

Bank Group entity: International Development Association; Accounting 
standards used to prepare financial statements: Special Purpose Basis 
of Accounting; Auditing standards used to perform audit work: U.S. GAAS 
and ISA.

Bank Group entity: International Finance Corporation; Accounting 
standards used to prepare financial statements: U.S. GAAP; Auditing 
standards used to perform audit work: U.S. GAAS.

Bank Group entity: Multilateral Investment Guarantee Agency; Accounting 
standards used to prepare financial statements: U.S. GAAP and IAS; 
Auditing standards used to perform audit work: U.S. GAAS and ISA.

Source: Bank Group entities' 2002 annual reports.

[End of table]

The Bank Group's external auditor has audited the annual financial 
statements of all the entities of the Bank Group. Each entity has 
received an unqualified or "clean" audit opinion on its financial 
statements for the 3 most recent years. The Bank Group's external 
financial statement audits, performed by an international accounting 
firm, provide assurance over its reported financial position at a 
particular time and the financial results of its operations and cash 
flows for a given fiscal year. However, the Bank Group's external 
financial statement audits do not, and are not intended to, provide 
specific assurance about the internal control over the Bank Group's 
operations and whether the funds are spent for their intended purposes. 
Figure 2 shows the relationship between the Bank Group's flow of 
government funding and its external audit and reporting.

Figure 2: Bank Group's Flow of Government Funding and External Audit 
Reporting:

[See PDF for image]

[End of figure]

The Bank Group's external auditor performs its audits based on U.S. 
GAAS and ISA. These standards require the independent auditor to obtain 
a sufficient understanding of internal control to plan the audit and 
determine the nature, timing, and extent of tests to be performed. As 
part of the audits of the Bank Group entities, the auditor communicates 
to the audit committee any internal control material weaknesses and 
reportable conditions that were noted during the course of the audit. 
As is common practice, the auditor issues a written document known as a 
management letter to communicate these weaknesses. The management 
letter addresses issues detected as part of the financial statement 
audit work and 
it is not meant to be a comprehensive examination of the sufficiency of 
the Bank Group's internal control.[Footnote 11]

Bank Group Has Taken Important Steps on Internal Control but Reporting 
Could Be Expanded:

Management of the Bank Group entities has acknowledged the importance 
of internal control and has (1) implemented a structured internal 
control framework, (2) conducted the internal control assessments 
necessary to provide its external auditor with a formal assertion on 
the effectiveness of the Bank Group's internal control over external 
financial reporting, and (3) contracted with its external auditor to 
provide an opinion, in conjunction with the financial statement audits, 
on whether managements' assertions on internal control over external 
financial reporting are fairly stated.

For fiscal year 2002, the four Bank Group entities included in their 
annual reports both management's assertion that it met the Committee of 
Sponsoring Organizations of the Treadway Commission (COSO)[Footnote 12] 
criteria on internal control over external financial reporting as of 
June 30, 2002, and the external auditor's opinion that management's 
assertion on internal control over external financial reporting was 
fairly stated. However, Bank Group management does not include in its 
assertion internal control over operations and compliance with key 
provisions of bank charters and policies, and it has not asked the 
external auditor to give opinions on those internal controls.

Although the banks' charters do not specifically call for a management 
assertion or an external auditor opinion on internal control over 
operations and compliance, they do state that the banks are to take the 
necessary measures to ensure that the proceeds of any loan made, 
guaranteed, or participated in by them are used only for the purposes 
for which the loan was granted. Given the inherent risks in the banks' 
activities, further assurance on these additional categories of 
internal control--operations and compliance--would provide an added 
level of assurance to the Bank Group and its member countries that 
funds were used for their intended purposes.

Bank Group Has Engaged an External Auditor to Provide Opinions on 
Internal Control over Financial Reporting:

The Bank Group entities have acknowledged the importance of internal 
control and have taken an important step in obtaining audit assurance 
over internal control: They have engaged their external auditor to 
provide an opinion on management's assertions on internal control over 
external financial reporting and have included those results in their 
2002 annual reports. This public reporting of the external auditor's 
opinions on management's assertions provides a level of assurance on 
the Bank Group's ability to record, process, summarize and report 
financial data consistent with the assertions in the financial 
statements as well as a level of transparency to member countries and 
others outside the Bank Group.

The Bank Group--specifically through the controllers' 
departments[Footnote 13]--has also taken steps internally to strengthen 
internal control. The World Bank, beginning in 1995, adopted the 
internal control standards of COSO. The Bank Group adopted the COSO 
framework to establish a common definition of internal control and 
provide a standard that managers and auditors can use to assess and 
measure progress in improving internal control. Entities and their 
internal control needs differ dramatically by line of business and 
size, and by culture and management philosophy. COSO provides a 
framework for implementing a system of internal control, but the 
specific internal controls put in place and monitored by management 
depend on the type of operations to be managed and the associated 
risks. See appendix I for a description of the five components of 
internal control under the COSO framework.

Under the COSO framework, the effectiveness of internal control is 
measured by an organization's capacity to provide reasonable assurance 
in the following three categories.

* Reliability of financial reporting: Financial reporting controls 
relate to an entity's ability to prepare reliable financial statements.

* Effectiveness and efficiency of operations: Operations controls 
address the entity's basic business objectives, including performance 
goals and the safeguarding of resources.

* Compliance with applicable laws and regulations: Compliance controls 
deal with the entity complying with those laws and regulations to which 
the entity is subject.

As shown in figure 3, under COSO, an organization is responsible for 
the effectiveness of three categories of internal control.

Figure 3: Categories of Internal Control:

[See PDF for image]

[End of figure]

Internal controls often serve to accomplish more than one objective. 
Frequently, internal controls established primarily for operations or 
compliance objectives may also accomplish financial reporting 
objectives. Internal controls directed at operations and compliance 
also may deal with events, transactions, or other occurrences that must 
be reported in the financial statements. Internal control is not one 
event, but a series of actions and activities occurring throughout an 
entity's operations and on an ongoing basis. As entities strive to 
improve operational processes, management should continually assess and 
evaluate its internal control. Monitoring--a process that assesses the 
quality of an internal control system's performance over time--is an 
essential element of internal control and is particularly relevant for 
carrying out the fiduciary responsibilities that are integral to the 
Bank Group's operations.

Although current financial statement auditing standards established in 
the private sector do not require the auditor to report on internal 
control and compliance when performing a financial statement audit, the 
auditor can be engaged to provide a level of assurance--called an 
attestation--on internal control over operations and 
compliance.[Footnote 14] The Bank Group also has other options for 
providing assurance over internal control over operations and 
compliance. For example, the Bank Group could request a comprehensive 
evaluation of its internal controls over these functions, which could 
be conducted by its internal auditor, its external auditor, an outside 
consultant, or by another unit within the Bank Group.

World Bank Units' Responsibilities for Internal Control and Oversight 
of Operations:

In its anticorruption progress report[Footnote 15] and operations 
evaluation report,[Footnote 16] the World Bank states that many units 
provide internal control and oversight over the use of World Bank funds 
in lending operations, including those shown in table 4.

Table 4: World Bank Units Responsible for Internal Control and 
Oversight of Operations:

World Bank units: Internal Auditing Department; Function: Performs 
audits to assess the integrity of the internal controls of business 
processes, including those associated with the project cycle.

World Bank units: Operations Evaluation Department; Function: Assesses 
which projects and programs work, and which do not; how a borrower 
plans to operate and maintain a project; and the lasting contribution 
to a country's overall development.

World Bank units: Inspection Panel; Function: Receives and investigates 
claims from project-affected people alleging that they have been harmed 
by the World Bank's violations of its own policies and procedures.

World Bank units: Quality Assurance Group; Function: Conducts real time 
assessments of the quality of the project portfolio, including 
supervision, financial management, and monitoring and evaluation.

World Bank units: Quality Assurance and Compliance Unit; Function: 
Seeks to improve compliance with safeguard policies.

World Bank units: Loan Department; Function: Reviews and signs off on 
the financial management and disbursement aspects of loan agreements.

World Bank units: Legal Department; Function: Drafts loan agreements; 
reviews and clears compliance with legal aspects of World Bank 
policies; and reviews the adequacy of the legal framework for project 
implementation.

World Bank units: Operations Policy and Country Services; Function: 
Provides advice and support on preparing and implementing lending and 
nonlending operations and managing portfolios, including oversight of 
the World Bank's procurement and financial management functions and 
guidelines that govern lending relationships and conditions.

World Bank units: Corporate Committee on Fraud and Corruption Policy; 
Function: Seeks to ensure that anticorruption policies and 
implementation strategies are designed and effective to help the Bank 
Group achieve its poverty reduction goals.

World Bank units: Department of Institutional Integrity; Function: 
Investigates allegations of fraud and corruption in World Bank financed 
projects and allegations of staff misconduct.

Source: World Bank's reports on anticorruption, 2000, and operations, 
2002.

[End of table]

The World Bank states that the above units have taken on new and 
broadened functions for quality assurance and evaluation over the past 
several years and have strengthened its ability to supervise the 
fiduciary aspects of its loans and help borrowers--some perceived to 
have the worst corruption problems in the world as shown in appendix 
II--strengthen their own capacities. The above units are an important 
part of the World Bank's internal control over operations and 
compliance. Although it was not part of our scope to evaluate the 
effectiveness of these units, or any similar units in IFC and MIGA, 
they have the potential of providing the basis for the Bank Group to 
offer further assurance and transparency on its internal controls. For 
example, the Bank Group's internal or external auditor, or other group 
or entity, internal or external to the Bank Group, could provide a 
comprehensive evaluation of the Bank Group's control over operations 
and compliance to determine whether they are working as designed to 
ensure that funds are spent as intended. In 1995, the World Bank 
established a 5-year timeline to ensure that, by the end of fiscal year 
2000, management would be able to express assurance that adequate 
controls were in place, not only for financial reporting purposes, but 
also for efficiency and effectiveness of operations. The World Bank has 
not yet met that goal. During our review, we were told that the Bank 
Group does not yet have plans to have a comprehensive assessment of 
these controls.

Bank Group Could Benefit from Additional Assurance on Internal Control 
over Operations and Compliance:

Because the Bank Group entities operate in a difficult and risky 
control environment, the member countries could benefit from additional 
assurance over the Bank Group entities' internal control over 
operations and compliance with key provisions of their charters. The 
Bank Group operates in countries where transparency and accountability 
are often lacking, and corruption--broadly defined as the abuse of 
public office for private gain--sometimes flourishes. The Bank Group 
must satisfy its dual mandate of providing development assistance in 
these environments and exercising its fiduciary responsibility, 
including ensuring that corruption is minimized in the projects it 
finances.

The World Bank acknowledged in an anticorruption progress 
report[Footnote 17] that corruption undermines public support for 
development assistance by creating an erroneous perception that all 
assistance is affected by corruption. In this report, the World Bank 
stated that it would make every effort to prevent corruption in the 
projects and programs it finances in borrower countries. The report 
also showed the control and oversight units the World Bank established 
to improve the operational effectiveness of its procurement and 
financial management practices. However, the Bank Group has not taken 
steps to provide additional assurance and transparency that its funds 
are being used as intended by requiring a comprehensive assessment of 
controls over operations and compliance.

In addition, the World Bank in its report Clean Government and Public 
Financial Accountability[Footnote 18] acknowledged that borrower 
countries' government and external auditors are unable to give the 
World Bank sufficient assurance that World Bank funds were exclusively 
used for intended purposes. Risks that Bank Group funds are used for 
purposes other than those for which loans were granted--whether for 
concessional or market-based loans--could be mitigated through 
effective implementation and evaluation of internal controls over 
operations and compliance.

The Bank Group's system of internal control, adopted under the COSO 
framework, could facilitate a comprehensive assessment of internal 
controls over operations and compliance designed to uncover any 
material internal control weaknesses in operations and compliance that 
need to be corrected. A comprehensive evaluation of these controls 
could also provide additional credibility to the Bank Group's (1) 
internal evaluation reporting system and (2) commitment to provide 
funds only to those who use the funds for intended purposes. Such an 
assessment would provide additional assurance to both the Bank Group 
and its member countries over the use of funds and could be 
accomplished in one of several ways: (1) through the Bank Group's 
internal audit function, (2) by the external auditor, in conjunction 
with its financial statement audit, giving an opinion on whether 
management's assertions on internal controls over operations and 
compliance are fairly stated, (3) by another entity within the Bank 
Group, or (4) by another external entity, such as a consultant.

Such an assessment would include identifying the specific elements of 
the COSO criteria that are objective, measurable, and relevant to use 
in assessing the reasonableness of internal control over operations and 
key charter provisions to be included in a review of compliance 
controls and to define what would constitute compliance with those key 
provisions of bank charters. After these significant issues are 
addressed, Bank Group management would be able to comprehensively 
document and assess the key controls identified and subsequently 
provide its assertions on the effectiveness of those controls.

Bank Group Has Established an Audit Committee That Provides Oversight 
of Financial Reporting and Internal Control:

The Bank Group's board of executive directors has appointed an audit 
committee to provide, on its behalf, oversight on matters such as the 
effectiveness of financial policies and reporting; various aspects of 
financial, business, operating, and reputational risks; and internal 
control in the Bank Group entities.[Footnote 19] The Bank Group's audit 
committee has a purpose, scope, and operating principles congruent with 
those customarily established for audit committees. A major function of 
the Bank Group's audit committee is to nominate an external auditor to 
conduct audits of the Bank Group's financial statements and determine 
the scope of the auditors' work and the reports to be submitted by the 
auditors.

The information provided by the Bank Group on the functions of its 
audit committee indicated that the audit committee's terms of reference 
included responsibilities such as those listed in table 5.

Table 5: Audit Committee Responsibilities:

Area: Financial policies and reporting; Responsibility: Reviewing 
financial policies and other matters having a significant bearing on 
financial reporting including policies on financial sustainability, 
credit risks, as well as the integrity of financial reporting and risk 
management processes.

Area: Independent external audit; Responsibility: Submitting to the 
executive directors the nomination of a firm of private independent 
internationally established auditors to audit the Bank Group entities' 
financial statements; reviewing with the external auditors the scope, 
design, and results of their examinations; and discussing their opinion 
on the financial statements prior to the release of the annual 
financial statements and inviting the auditors' recommendations 
regarding internal control and other matters.

Area: Internal audit; Responsibility: Overseeing and assessing the 
effectiveness of the Bank Group entities' internal control and 
satisfying itself that the Bank Group entities' internal audit is 
adequate, effective, and efficient. Periodically reviewing the 
guidelines, work programs, and budget for the office to help ensure a 
strong and independent audit function.

Area: Risk management; Responsibility: Focusing primarily on financial 
and operational risks as it coordinates with other board committees 
that exercise oversight of other risks and consulting with various 
officers of the Bank Group.

Area: Operating principles; Responsibility: Advising the board on other 
issues relating to the financial position, controls, and risk 
management environment, including reviewing the Bank Group's mechanisms 
for avoiding fraud.

Source: Audit Committee's Terms of Reference.

[End of table]

Information provided to us by the Bank Group indicates that the Bank 
Group entities' audit committee was actively involved with the external 
auditor during its financial statement audits. Audit committee 
activities with the external auditor included communications about 
internal control recommendations, discussions on management's COSO 
assertion on internal control over external financial reporting, the 
external auditor's opinion on management's assertion, and 
considerations on the external auditor's conclusions on the 
appropriateness of accounting principles. The information also showed 
that the audit committee kept current with the work of the internal 
auditor.

The audit committee has a particularly important role to play in 
assuring fair presentation and appropriate accountability in connection 
with financial reporting, internal control, compliance and related 
matters. An effective audit committee facilitates the successful 
performance of the board of executive directors' oversight 
responsibilities for financial operations and is an independent 
safeguard on corporate management with respect to its responsibilities 
for preparing financial statements and implementing an internal control 
framework.

The Bank Group's audit committee currently has the external auditor 
provide an opinion on management's assertion on the Bank Group's 
internal control over external financial reporting. The audit committee 
has not asked the Bank Group entities' external auditor to provide 
assurance on internal control over operations or compliance. The audit 
committee has the authority, as part of determining the scope of the 
auditor's work, to expand and strengthen the Bank Group entities' 
internal control reporting processes by requesting the external auditor 
to give an opinion on internal control over operations and compliance 
matters once management decides such reporting is appropriate. A key 
step in this process is for management to first apply the scope of COSO 
to its controls over operations and compliance and to develop the 
appropriate criteria to assert on internal control over operations and 
compliance matters. The audit committee could then have the external 
auditor to provide an opinion on management's assertions over those 
controls using the criteria specified by management.

Alternatively, the audit committee could work with the internal and 
external auditors, other entities within the Bank Group, or an external 
party to conduct a comprehensive evaluation of internal controls over 
operations and compliance to determine whether such controls are in 
place and are functioning properly to prevent misuse of funds and to 
ensure compliance with key provisions of bank charters and policies.

Conclusions:

The Bank Group has taken important steps in strengthening its 
assessment and reporting on internal control by performing the internal 
control assessments necessary to provide an assertion on internal 
control over external financial reporting and having its external 
auditor give an opinion on that assertion. At the same time, Bank Group 
management does not include in its assertion internal control over 
operations and compliance with key charter provisions, and it has not 
asked the external auditor or any other organization, internal or 
external, to provide a comprehensive evaluation of its controls over 
these areas. The assurance that such an assessment can provide through 
reporting on internal control over operations and compliance is 
especially important given the operating risks inherent in the Bank 
Group's activities. The audit committee is well-positioned to assign an 
internal party or provide an external entity the task of providing a 
thorough assessment of such controls. This additional assurance would 
strengthen the Bank Group's accountability and enhance member country 
assurance that funds are spent as intended.

Recommendations for Executive Action:

We recommend that the Secretary of the Treasury instruct the U.S. 
Executive Director of the Bank Group to take the lead in working with 
the other executive directors in developing a policy requiring the Bank 
Group entities to enhance the audit function and reporting of their 
financial operations. This would entail (1) conducting a comprehensive 
evaluation of internal controls over operations and compliance to 
determine whether such controls are in place and are functioning 
properly to prevent misuse of funds and to ensure compliance with key 
provisions of bank charters and policies and (2) reporting annually to 
the board of executive directors through the audit committee on the 
progress made. This evaluation could be carried out in any of several 
ways, including through the internal audit function; by the external 
auditor, in conjunction with the financial statement audit; by another 
entity within the Bank Group; or by an external party, such as a 
consultant. These Bank Group entities should also provide the results 
of the assessment to member countries annually.

Agency Comments and Our Evaluation:

We received written comments from the Office of the President of the 
World Bank, which represented the official response of the World Bank 
Group. We also received written comments from the Deputy Assistant 
Secretary for Multilateral Development Banks and Specialized 
Development Institutions at the Department of the Treasury, the agency 
that represents the United States at the World Bank Group. These 
comments are reprinted in their entirety in appendixes III and IV.

In its comments, the World Bank Group welcomed our recommendation for a 
comprehensive assessment of internal controls over operations and 
compliance with bank charters and policies but did not comment on our 
recommendation that such evaluations be conducted annually. The Bank 
Group stated that given the many reforms it has underway to strengthen 
its control framework, an assessment of internal control over 
operations and compliance would be most useful if undertaken once the 
range of changes over those controls is substantially in place. We 
agree that effective timing for implementing our recommendation would 
coincide with the Bank Group's implementation of reforms. It added that 
such changes are expected to be complete in about 18 to 24 months.

While Treasury also agreed with our recommendation for a comprehensive 
evaluation of internal controls over operations and compliance, it did 
not agree that the Bank Group should follow this initial assessment 
with annual evaluations. It acknowledged that periodic updates would be 
reasonable but characterized annual evaluations as excessive and 
unnecessary based on its view that the overall structure of internal 
controls changes infrequently and usually only marginally.

Given the inherent risks in the Bank Group entities' lending 
activities, we remain convinced that the Bank Group should report 
annually on all three categories of internal control--financial 
reporting, operations, and compliance. Under the COSO framework, 
effective internal control is an essential aspect of managing shifting 
environments and evolving demands and priorities. Internal control is 
not one event, but a series of actions and activities occurring 
throughout an entity's operations and on an ongoing basis. As entities 
strive to improve operational processes, management should continually 
assess and evaluate its internal control. Monitoring--a process that 
assesses the quality of an internal control system's performance over 
time--is an essential element of internal control and is particularly 
relevant for carrying out the fiduciary responsibilities that are 
integral to the Bank Group's operations. Annual reporting on internal 
control is now common practice both in the public and private sector 
and is often performed in conjunction with annual financial statement 
audits.

Treasury pointed out that our draft report documents the sufficiency of 
the Bank Group's current external audits. Although our report provides 
information about the results of the external financial statement 
audits at the Bank Group, our report also makes it clear that, by 
design, the objective of a financial statement audit is not to provide 
assurance on internal control. The current financial statement audits 
cover only the banks' financial position at a point in time and the 
financial results of operations and cash flows for a given fiscal year. 
Given that the Bank Group's external auditor's opinion on internal 
control extends only to management's assertions on the effectiveness of 
internal control over external financial reporting, many facets of 
internal control would not be covered. The scope of the financial 
statement audits of the Bank Group entities and the separate assessment 
of controls over external financial reporting are not intended to and 
do not provide specific assurance about the effectiveness of the 
internal control over operations and compliance with bank charters and 
key policies.

Considering the Bank Group's reforms to strengthen internal control 
over operations and compliance, we emphasize the need for annual 
assessments of those controls. As acknowledged in comments from the 
Bank Group, internal control is a "dynamic process," and reforms are 
under way in the Bank Group to strengthen its control framework. As the 
Bank Group develops and institutes these reforms, monitoring is needed 
to help ensure that controls are functioning as intended in preventing 
misuse of funds and ensuring compliance with key provisions of bank 
charters and policies. Annual reporting to provide accountability and 
transparency over lending, equity investment, and guarantee operations 
carries additional importance for the Bank Group because the 
international organization's mission requires it, as stated in its 
comments, "to be active in countries where controls are weak." As 
acknowledged by the Bank Group, "monitoring exposure against defined 
benchmarks" is one of several changes that will provide the banks with 
"significantly improved controls over lending, equity investment, and 
guarantee operations." As stated in our recommendations, the evaluation 
and reporting on internal control over operations and compliance could 
be carried out in several ways, including through the internal audit 
function; by the external auditor, in conjunction with the financial 
statement audit; by another entity within the Bank Group; or by an 
external party, such as a consultant.

:

We are sending copies of this report to the Secretary of the Treasury, 
the president of the World Bank Group, and other interested parties. 
Copies will be made available to others upon request. In addition, the 
report will be available at no charge on the GAO Web site at http://
www.gao.gov.

Please contact me at (202) 512-9406 or by email at franzelj@gao.gov if 
you or your staffs have any questions concerning this report. Key 
contributors to this report were Charles Norfleet, Meg Mills, and 
Maxine Hattery.

Signed by:

Jeanette M. Franzel 
Director 
Financial Management and Assurance:

Congressional Committees:

The Honorable Richard G. Lugar 
Chairman 

The Honorable Joseph R. Biden, Jr. 
Ranking Minority Member 
Committee on Foreign Relations 
United States Senate:

The Honorable Ted Stevens 
Chairman 

The Honorable Robert C. Byrd 
Ranking Minority Member 
Committee on Appropriations 
United States Senate:

The Honorable Mitch McConnell 
Chairman 
The Honorable Patrick J. Leahy 
Ranking Minority Member 
Subcommittee on Foreign Operations 
Committee on Appropriations 
United States Senate:

The Honorable Michael G. Oxley 
Chairman 
The Honorable Barney Frank 
Ranking Minority Member 
Committee on Financial Services 
House of Representatives:

The Honorable Peter T. King 
Chairman 
The Honorable Carolyn B. Maloney 
Ranking Minority Member 
Subcommittee on Domestic and International Monetary Policy, 
Trade and Technology 
Committee on Financial Services 
House of Representatives:

The Honorable C.W. Bill Young
Chairman 
The Honorable David Obey 
Ranking Minority Member 
Committee on Appropriations 
House of Representatives:

The Honorable Jim Kolbe Chairman The Honorable Nita M. Lowey Ranking 
Minority Member Subcommittee for Foreign Operations, Export Financing, 
and Related Programs Committee on Appropriations House of 
Representatives:

[End of section]

Appendixes:

Appendix I: Components of Internal Control under COSO:

The World Bank, beginning in 1995, adopted the Committee of Sponsoring 
Organizations of the Treadway Commission (COSO) internal control 
framework. Under the COSO framework, there are five interrelated 
components of internal control that define the minimum level of quality 
acceptable for internal control in an organization and provide the 
basis against which internal control is to be evaluated. The five 
components are used as the criteria to evaluate the strengths and 
weaknesses of the internal controls and to identify actions that can be 
taken to improve controls. All five components must be present and 
effective in order for management to have reasonable assurance that 
risks are managed to ensure the achievement of the organization's 
objectives. At the Bank Group, management is responsible for developing 
the detailed policies, procedures, and practices to fit its 
organization's operations and to ensure that they are built into and 
are an integral part of its operations. The five internal control 
components, which apply to all aspects of an organization's operations, 
including programmatic, financial, and compliance, include the 
following:

Control environment. The control environment reflects management's 
commitment and attitude to the implementation and maintenance of an 
effective internal control structure. The control environment which 
management promulgates through the organization will strongly influence 
the design and operation of control policies and procedures. It will 
also determine how effective they are in mitigating risks and achieving 
objectives.

Risk assessment. All organizations, regardless of size or nature, 
encounter some form of risk that can adversely impact the achievement 
of its objectives. Assessing risk is a major component of an effective 
control structure. It involves the identification, analysis, 
assessment, and prioritization of risks that need to be treated by 
control activities.

Control activities. Control activities are the tailored policies and 
procedures that ensure (1) the mitigation of risks, (2) irregularities 
are prevented or detected and corrected, (3) assets are safeguarded 
from unauthorized use or disposal, and (4) financial records and other 
relevant databases are complete and accurately reflect the entire 
operational activities of the organization, and assist in timely 
preparation of accurate financial statements.

Information and communication. Information and communication are 
critical for performance reporting, decision making, both within the 
organization and externally, and the achievement of strategic 
objectives.

Monitoring. Monitoring is the final component of an effective internal 
control structure and is closely linked to information and 
communication. In addition to performance monitoring, the effectiveness 
of the control structure itself also needs to be monitored and 
reviewed. Control monitoring can be undertaken in two ways, by ongoing 
monitoring and by separate reviews and evaluations.

[End of section]

Appendix II: Transparency International's 2002 Corruption Perception 
Index:

Transparency International is an organization dedicated to curbing both 
international and national corruption. Transparency International 
launched its Corruption Perception Index (CPI) in 1995. The CPI is a 
collection of polls, drawing on 15 surveys from 9 independent sources 
for its 2002 results. The goal of the CPI is to provide data on 
extensive perceptions of corruption within countries. The 2002 CPI 
shows that the Bank Group entities function in environments that are 
perceived to have high levels of corruption, underscoring the 
importance of internal control over operations and compliance within 
the Bank Group entities that are providing loans to those countries.

The CPI serves as an important indicator of the image a country conveys 
to investors and potential business partners. Because the CPI is 
derived from 15 different surveys that garner the perceptions of both 
residents and expatriates, both business people and risk analysts, the 
index provides a snapshot of the views of the people who make key 
decisions on investment and trade. The CPI builds public awareness of 
the corruption issue, and it adds to pressure on governments to 
directly address the issue and the damaged image of their nation that 
low rankings in the CPI reflect.

The CPI is a composite index that consists of credible sources using 
diverse sampling frames and different methodologies, including one used 
by the World Bank. The methodology is reviewed by a steering committee 
consisting of leading international experts in the fields of 
corruption, econometrics, and statistics. Members of the steering 
committee make suggestions to improve the CPI, but the management of 
Transparency International makes the final decisions on the methodology 
used. For the 2002 CPI, data was included from the following 
organizations' surveys and documents:

* World Bank, World Business Environment Survey;

* World Economic Forum, Africa Competitiveness and Global 
Competitiveness Reports;

* Institute for Management Development, World Competitiveness Yearbook;

* PricewaterhouseCoopers, Opacity Index;

* Political & Economic Risk Consultancy, Asian Intelligence Issue;

* Economist Intelligence Unit, Country Risk Service and Country 
Forecast;

* Freedom House, Nations in Transit;

* Gallup International on behalf of Transparency International, Bribe 
Payers Index; and:

* Columbia University, State Capacity Survey.

No country was included in the CPI without results from a minimum of 
three surveys undertaken over the past 3 years. For this reason, not 
all countries with high levels of corruption may have been added. 
Figure 4 includes the borrower countries by region.


Figure 4: Countries Included in Transparency International's 2002 CPI:

[See PDF for image]

[End of figure]

[End of section]

Appendix III: Comments from the World Bank Group:

The World Bank Washington, D.C. 20433 U.S.A.

OFFICE OF THE PRESIDENT:

May 20, 2003:

Ms. Carole Brookins:

Executive Director for the United States of America The World Bank:

WASHINGTON, DC:

Dear Ms. Brookins,

The GAO has sent us their draft report on the sufficiency of audits of 
the external financial statements of the World Bank Group for comments. 
Please find attached the official response of the World Bank Group with 
regard to this review. I would very much appreciate if you could 
transmit this letter to the U.S. General Accounting Office.

Sincerely yours,

Shengman Zhang 
Acting President:

Signed by Shengman Zhang:

The World Bank Washington, D.C. 20433 U.S.A.

OFFICE OF THE PRESIDENT:

May 20, 2003:

Ms. Jeanette M. Franzel Director:

Financial Management and Assurance U.S. General Accounting Office 
Washington DC 20548:

Dear Ms. Franzel,

Thank you for the opportunity to comment on the General Accounting 
Office's draft report, April 2003, "World Bank Group: Important Steps 
Taken on Internal Control but Additional Assessments Should be Made," 
GAO-03-366.

We appreciate the GAO's acknowledgement that the World Bank Group has 
taken important steps over the past years to further strengthen its 
assessment and reporting on internal control. We have implemented an 
internal control framework, and we are already conducting internal 
control assessments. Bank Group Management annually provides the 
external auditor with an assertion about the effectiveness of internal 
control over external financial reporting. The external auditor 
provides an attestation on whether that assertion is fairly stated. 
Management's assertion, and the external auditor's attestation have 
been published in the Annual Reports.

As acknowledged in your report, the Bank Group's external auditor, an 
international accounting firm, has performed annual financial statement 
audits on all of the entities of the Bank Group. Each entity has always 
received an unqualified audit opinion on its financial statements. 
These audits provide assurance over the reported financial position at 
a given point in time and the financial results of our operations and 
cash flows for a given fiscal year. However, the World Bank Group's 
financial statement audits do not, and are not intended to, provide 
assurance about the internal controls over the Bank Group's lending or 
guarantee operations.

With respect to the latter issue, let me point out that the Bank Group 
has in place various units which form an extensive network of 
management controls and oversight that are responsible for operations 
evaluation, internal control, oversight, and compliance with regard to 
the use of funds in lending, equity investment operations, and 
guarantee operations. Certain of these key units are independent from 
Bank Group Management.

We are engaged in a series of change initiatives in our operational 
work to better align our policies and procedures with our objective of 
achieving greater development impact. We are simplifying our processes 
and scaling up our activities as part of our agenda of better 
measuring, monitoring, and managing for development results. We are 
working on a simplification of investment lending, more focused 
standard project documentation, reforms in procurement and financial 
management, a new policy on external audits of projects, simplification 
of eligibility of expenditure rules, modernization of disbursement 
processes, enhancement of a framework for loan and equity investment 
checks and balances including monitoring exposure against defined 
benchmarks. Collectively these changes will provide significantly 
improved controls over lending, equity investment, and guarantee 
operations and, through the simplification component, will further 
enhance efficient and effective compliance.

Your report stated, and we agree, that there are still challenges ahead 
given the difficult environment with respect to capacity and 
transparency in some of our client countries. Tackling corruption is 
difficult and complex and our mission requires the Bank Group to be 
active in countries where controls are weak. But we are committed to 
being even more aggressive in our capacity building efforts, one of the 
key elements of our anticorruption strategy.

Internal control over lending and guarantee operations, in the context 
of working in developing countries, is a dynamic process. We are always 
open to suggestions from our shareholders on how the Bank Group can 
further improve its control framework. In this context, we welcome your 
suggestion of conducting a comprehensive assessment of internal 
controls over operations and compliance with charters and policies. 
Given the many reforms underway to strengthen our control framework, we 
believe that such an assessment would be most useful if it were 
undertaken once the range of changes that we are currently planning and 
implementing is substantially in place. We expect this work to be 
completed in about 18 to 24 months.

Again, let me thank you for the opportunity to comment on your draft 
report.

Sincerely yours,

Shengman Zhang 
Acting President:

Signed by Shengman Zhang:

[End of section]

Appendix IV: Comments from the Department of the Treasury:

DEPARTMENT OF THE TREASURY WASHINGTON, D.C. 20220:

May 21, 2003:

Ms. Jeanette M. Franzel Director:

Financial Management and Assurance U.S. General Accounting Office 
Washington, DC 20548:

Dear Ms. Franzel:

Thank you for the opportunity to comment on the General Accounting 
Office's draft report, "World Bank Group: Important Steps Taken on 
Internal Control but Additional Assessments Should be Made", on the 
sufficiency of external audits of the financial operations of the World 
Bank Group (WBG), prepared in response to section 803 of the Foreign 
Operations Appropriations Act, FY2001. [NOTE 1]

The draft report:

* outlines what is, and what is not, covered by financial statement 
audits of the external auditor;

* documents the active role of the Audit Committee of the WBG's 
executive boards in overseeing the external audit process and 
communicating about those audits with both the external auditors and 
the WBG's boards of directors;

* emphasizes that the external auditor is not required by the charters 
of the four respective entities of the WBG to audit or provide 
assurances with respect to internal controls over operations and 
compliance;

* affirms that the current external audits are sufficient;

* publicizes that the Fiscal Year 2002 annual reports of IBRD/IDA, IFC 
and MIGA included for the first time two letters - 1) management's 
assertion and 2) the external auditor's attestation regarding 
management's assertion, with respect to internal controls relating to 
external financial reporting;

* highlights that there are three categories of internal control: 1) 
financial reporting; 2) operations; and 3) compliance; and:

* lists eleven units --including the Internal Auditing Department, the 
Loan Department, the Quality Assurance Group, and the Operations 
Evaluation Department--that currently are responsible for IBRD and IDA 
internal controls.

The draft report recommends that Treasury instruct the U.S. Executive 
Director of the WBG to take the lead in working with other Executive 
Directors to develop a policy requiring the WBG entities to further 
enhance the audit function and reporting of their financial operations. 
GAO states that "this would entail conducting a comprehensive 
evaluation of internal controls over 
operations and compliance to determine whether such controls are in 
place and are functioning properly... and report annually to the board 
of executive directors through the audit committee on the progress 
made." (pp. 24-25). GAO suggests several options for carrying out this 
evaluation: 1) through the internal audit function; 2) by the external 
auditor in conjunction with the financial statement audit; 3) by 
another entity within the Bank Group; or 4) by an external party such 
as a consultant.

As you know, the Treasury Department has given, and will continue to 
give, strong support to oversight mechanisms to help assure productive 
development assistance. An effective control environment is essential 
for the World Bank Group - the International Bank for Reconstruction 
and Development (IBRD), the International Development Association 
(IDA), the International Finance Corporation (ITC), and the 
Multilateral Investment Guarantee Agency (MIGA). We have worked with G-
7 partners and other member countries on a number of initiatives in 
this area which aim to:

* strengthen the WBG's internal control mechanisms;

* assure compliance with safeguard and fiduciary policies;

* put in place independent operations evaluation units;

* ensure that operations and strategies are designed around results 
measurement frameworks; and:

* enhance the development effectiveness of WBG project and non-project 
assistance.

The WBG awards the external audit contract through a competitive 
selection process. Recently, the Audit Committee and the Board, with 
our active support, strengthened the principles for the appointment of 
the external auditor of the WBG. As of Fiscal Year 2004, the following 
practices will apply:

* audit firm tenure of "5 years plus 5 years" with the ability of the 
incumbent to re-bid after the first 5 years;

* mandatory rotation of the audit firm after 10 years provided that the 
Audit Committee may exceptionally recommend that circumstances are such 
that the incumbent audit firm should be allowed to participate in the 
re-bidding;

* audit firm senior partner rotation every 5 years;

* Audit Committee review of the audit firm's performance at mid-term (30 
months);

* audit firm exclusion from being eligible to provide pure consulting 
services (effective February 2003); and:

* audit firm eligible only to provide certain extremely and strictly 
limited "audit-related"consulting services, to be approved on a case-
by-case basis by the Executive Directors or Directors of the respective 
Boards with the Audit Committee's recommendation (effective February 
2003).

The financial statement audits by external auditors are important 
because they provide assurances to the entities of the WBG, their 
bondholders and member country governments. We have worked with other 
members of the executive boards of the WBG to strengthen the financial 
statement audit process. We have also worked to assure that the Audit 
Committee of the executive boards exercise oversight over and maintain 
a dialogue with the external auditors.

Since the WBG has a number of units that have an internal control 
function, we are pleased that Bank Group management's response, which 
is published in this report, states that the WBG welcomes the GAO's 
suggestion that the WBG conduct a comprehensive assessment of internal 
controls over operations and compliance. We agree with GAO's 
recommendation that it would be useful for the United States to work 
with other chairs to develop a policy that would require the WBG to 
conduct a comprehensive evaluation of internal controls over operations 
and compliance and to report the results of the evaluation through the 
Audit Committee to the Board of Executive Directors. Our view, however, 
is that GAO's recommendation for annual evaluations of this nature is 
excessive and unnecessary because the overall structure of internal 
controls changes infrequently and usually marginally. We believe that a 
one-time comprehensive evaluation with appropriate periodic updates is 
a reasonable approach. We will be instructing the U.S. Executive 
Director of the WBG to proceed on this basis.

We attach enormous importance to working to ensure strong internal 
controls for all entities of the WBG. The GAO's draft report documents 
the "sufficiency" of the external audits of the WBG. The draft report 
states that "each entity has received an unqualified or `clean' audit 
opinion on their financial statements for the three most recent years." 
( p.12). We intend to continue to support appropriate and strong 
internal control environments at the WBG, which are essential to 
enhancing project quality and the effectiveness of development 
resources.

Sincerely,

[See PDF for image]

[End of figure]

William E. Schuerch
Deputy Assistant Secretary 
Multilateral Development 
Banks and Specialized Development Institutions:

Signed by William E. Schuerch:


NOTES:

[1] Section 803(a). "ANNUAL REPORT ON FINANCIAL OPERATIONS. -Beginning 180 
days after the date of enactment of this Act, or October 31, 2000, 
whichever is later, and on October 31 of each year thereafter, the 
Comptroller General of the United States shall submit to the 
appropriate congressional committees a report on the sufficiency of 
audits of the financial operations of each multilateral development 
bank conducted by persons or entities outside such bank." 
(P.L. 106-429).

[End of section]

(194069):

FOOTNOTES

[1] Foreign Operations, Export Financing, and Related Programs 
Appropriations Act, 2002 (Public Law 107-115), which states that these 
funds are available to the MDBs until expended. 

[2] The first in this series was Multilateral Development Banks: 
Profiles of Selected Multilateral Development Banks (GAO-01-665, May 
18, 2001) and the second was Regional Multilateral Development Banks: 
External Audit Reporting Could Be Expanded (GAO-02-27, December 14, 
2001). 

[3] The Bank Group actually consists of five closely associated 
institutions but one of them--the International Centre for Settlement 
of Investment Disputes--is not within the scope of our work required by 
Public Law 106-429. 

[4] The European Union consists of the following countries: Austria, 
Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, 
Luxembourg, the Netherlands, Portugal, Spain, Sweden, and the United 
Kingdom. 

[5] Internal control comprises the plans, methods, and procedures used 
to meet missions, goals, and objectives and, in doing so, supports 
performance-based management. Internal control also serves as the first 
line of defense in safeguarding assets and preventing and detecting 
errors and fraud. In short, internal control, which is synonymous with 
management control, helps program managers achieve desired results.

[6] Member countries that borrow from the Bank Group are generally low-
and middle-income countries in need of social or economic development.

[7] IBRD and IDA are separate entities, but the term "World Bank" is 
commonly used to refer to them as one. 

[8] Callable capital is a form of capital that is subscribed by members 
and resembles promissory notes from members to honor Bank Group debts 
if the Bank Group cannot meet its obligations through other available 
resources.

[9] Credit risk refers to the risk of default by a borrower or 
guarantor that may result from nonperformance under the terms of 
lending agreements.

[10] Article VI, Section 11(a) of the Articles of Agreement of IDA.

[11] Private sector standards and guidance for financial statement 
audits do not require the auditor to provide an opinion on the 
effectiveness of internal control when performing a financial statement 
audit. Financial statement audits are not intended to provide a basis 
for the evaluation of the overall quality of the entity's system of 
internal control. Therefore, in a typical financial statement audit, 
many controls designed to ensure the reliability of financial 
reporting, effectiveness and efficiency of operations, and compliance 
with key provisions of bank charters may not be tested.

[12] COSO provides a framework designed to assist management in 
assessing its internal control system against an established standard 
to help identify basic weaknesses in operations, financial reporting, 
and legal/regulatory compliance controls and act to strengthen them. 
See appendix I for a description of the five components of internal 
control under the COSO framework.

[13] The controllers' departments within IBRD, IDA, IFC, and MIGA 
oversee the internal control framework and focus on financial integrity 
and control, financial reporting, and monitoring.

[14] Attestation standards apply whenever the auditor has been engaged 
to provide assurance or report on a subject matter that is the 
responsibility of another party. Certain engagements, such as a 
financial statement audit, are not subject to attestation standards.

[15] World Bank, Helping Countries Combat Corruption: Progress at the 
World Bank Since 1997 (Washington, D.C., June 2000).

[16] World Bank Operations Evaluation Department, 2002 Annual Report on 
Operations Evaluation (Washington, D.C., 2002).

[17] See Helping Countries Combat Corruption.

[18] World Bank Operations Evaluation Department, Clean Government and 
Public Financial Accountability, OED Working Paper Series No. 17, 
(Washington, D.C., Summer 2000).

[19] In addition to the audit committee, the Bank Group has a 
Multilateral Audit Advisory Group that is tasked with advising the 
audit committee on audit requests by Supreme Audit Institutions, such 
as GAO, assessing compliance with the agreed terms of reference for the 
audit, assessing adherence to the agreed ground rules, and providing 
objective comment on the resulting audit reports.

GAO's Mission:

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. General Accounting Office

441 G Street NW,

Room LM Washington,

D.C. 20548:

To order by Phone: 

Voice: (202) 512-6000:

TDD: (202) 512-2537:

Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.

General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.

20548: