This is the accessible text file for GAO report number GAO-03-366 entitled 'World Bank Group: Important Steps Taken on Internal Control but Additional Assessments Should Be Made' which was released on June 16, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: June 2003: World Bank Group: Important Steps Taken on Internal Control but Additional Assessments Should Be Made: GAO-03-366: GAO Highlights: Highlights of GAO-03-366, a report to Congressional Committees Why GAO Did This Study: The Congress passed Public Law 106-429 because it was concerned about the sufficiency of external audits of the financial operations of the World Bank Group, a set of multilateral development banks. This law provides that GAO report on the sufficiency of such audits of each Bank Group entity. As agreed with your offices, GAO addressed (1) the extent that the external auditor was providing assurance on internal control over financial reporting, operations, and compliance with key provisions of bank charters and policies in conjunction with financial statement audits and (2) the role the Bank Group’s audit committee plays in providing oversight of external financial statement audits and internal control. What GAO Found: The Bank Group has taken important steps in strengthening its assessment and reporting on internal control, including (1) implementing a structured internal control framework, (2) conducting the internal control assessments necessary to provide its external auditor with an assertion about the effectiveness of the Bank Group’s internal control over external financial reporting, and (3) contracting with its external auditor to provide an opinion, in conjunction with the financial statement audit, on whether management’s assertion on internal control over external financial reporting is fairly stated. However, Bank Group management does not include an assertion on internal control over operations and compliance matters, and it has not asked the external auditor to give an opinion on those internal controls. During our review, we were told that the Bank Group does not yet have plans to conduct a comprehensive assessment of those controls. The Bank Group’s external financial statement audits do not, and are not intended to, provide specific assurance about the internal control over the Bank Group’s operations and whether the funds are spent for their intended purposes. Given the inherent risks in the banks’ activities, additional assurance on these other categories of internal control—operations and compliance—would provide an added level of assurance to the Bank Group and its member countries that funds were used for their intended purposes. The Bank Group has established an audit committee that provides oversight of external financial statement audits and internal control. A major function of the committee is to nominate an external auditor and determine the scope of the auditor’s work and the reports to be submitted by the auditor. The audit committee also has the external auditor give an opinion, in conjunction with the financial statement audit, on management’s assertion on the Bank Group’s internal control over external financial reporting. The audit committee has the authority to expand the external audits to include the auditor giving opinions on internal control over operations and compliance matters. Alternatively, the audit committee is also well-positioned to assign to an internal party or provide an external party the task of providing a thorough assessment of such controls. What GAO Recommends: To provide greater assurance that the Bank Group’s funds are spent as intended, GAO is making recommendations for a comprehensive assessment of internal control over operations and compliance matters and annual evaluations of such controls. The Bank Group and the U.S. Treasury Department agreed on the need for a comprehensive assessment of those controls. Treasury did not agree that annual evaluations should be done and the Bank Group, which has reforms on those controls underway, made no comment on timing. We continue to believe that such annual evaluations are necessary. www.gao.gov/cgi-bin/getrpt?GAO-03-366. To view the full report, including the scope and methodology, click on the link above. For more information, contact Jeanette Franzel at (202) 512-9406 or franzelj@gao.gov. [End of section] Letter: Results in Brief: Scope and Methodology: Background: Bank Group Has Taken Important Steps on Internal Control but Reporting Could Be Expanded: Bank Group Has Established an Audit Committee That Provides Oversight of Financial Reporting and Internal Control: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Components of Internal Control under COSO: Appendix II: Transparency International’s 2002 Corruption Perception Index: Appendix III: Comments from the World Bank Group: Appendix IV: Comments from the Department of the Treasury: Tables: Table 1: Bank Group’s Development Assistance and New Projects in 2002: Table 2: U.S. Resources Provided to the Bank Group through June 30, 2002: Table 3: Bank Group Entities’ Bases of Accounting and Auditing Standards: Table 4: World Bank Units Responsible for Internal Control and Oversight of Operations: Table 5: Audit Committee Responsibilities: Figures: Figure 1: Bank Group’s Components and Functions: Figure 2: Bank Group’s Flow of Government Funding and External Audit Reporting: Figure 3: Categories of Internal Control: Figure 4: Countries Included in Transparency International’s 2002 CPI: Abbreviations: COSO: Committee of Sponsoring Organizations of the Treadway Commission: CPI: Corruption Perception Index: IAS: International Accounting Standards: IBRD: International Bank for Reconstruction and Development: IDA: International Development Association: IFC: International Finance Corporation: ISA: International Standards on Auditing : MDB: Multilateral Development Bank: MIGA: Multilateral Investment Guarantee Agency: U.S. GAAP: U.S. generally accepted accounting principles: U.S. GAAS: U.S. generally accepted auditing standards: Letter June 16, 2003 Congressional Committees: Multilateral Development Banks (MDBs) were established to provide financial support for projects and programs designed to promote social and economic progress in developing countries throughout the world. In fiscal year 2002, the United States provided approximately $1.3 billion to support the missions of the MDBs, with about $820 million going to the World Bank Group (Bank Group) and about $460 million going to regional MDBs.[Footnote 1] As a group, the MDBs are the largest source of development aid for middle-and low-income countries. Section 803(a) of the Foreign Operations, Export Financing, and Related Programs Appropriations Act, 2001 (Public Law 106-429) provides that GAO report annually on the sufficiency of audits of the financial operations of each MDB conducted by the persons or entities outside the bank. This is the third in a series of reports in response to Public Law 106-429's reporting requirement.[Footnote 2] As agreed with your offices, this report covers the following MDBs, which are all part of the World Bank Group:[Footnote 3] * International Bank for Reconstruction and Development, * International Development Association, * International Finance Corporation, and: * Multilateral Investment Guarantee Agency. The International Bank for Reconstruction and Development and the International Development Association, which accounted for 80 percent of the development assistance the Bank Group provided to developing countries in 2002, are referred to as the "World Bank." Financial statement audits and the related assurance on internal control provided by the external auditor are important for the Bank Group entities because they: * have missions that emphasize distributing funds for development and accountability for the use of those funds; * operate in countries where transparency and accountability are ranked among the lowest in the world; and: * are multilateral entities not subject to oversight by any single national government. Because borrowing countries often lack the transparency and accountability needed to prevent and detect corruption, the Bank Group entities that provide loans risk having the funds used for purposes other than those intended. The United States and other donors have indicated that they are concerned about these risks. Donors want to be assured that the funds they provide are used only for the intended purpose, and the Bank Group's lending entities need to assure donors that the standard of care over those funds meets donor expectations. Representatives from the United States and the European Union[Footnote 4] have recently stated that they plan to increase contributions to the world's poorest countries if they have assurance that the funds they are providing are used as intended in developing countries and have measurable results. As agreed with your offices, this report addresses the following two specific areas related to the World Bank Group's external financial statement audit process: 1. the extent to which the Bank Group entities are obtaining assurance from their external auditor on internal control[Footnote 5] over financial reporting, operations, and compliance with key provisions of their charters and policies in conjunction with their financial statement audits and: 2. the role the Bank Group's audit committee plays in providing oversight of financial statement audits and internal control. Results in Brief: The Bank Group has taken important steps in strengthening its assessment and reporting on internal control, such as (1) implementing a structured internal control framework, (2) conducting the internal control assessments necessary to provide its external auditor with an assertion on the effectiveness of the Bank Group's internal control over external financial reporting, and (3) contracting with its external auditor to provide an opinion, in conjunction with the financial statement audit, on whether management's assertion on internal control over external financial reporting is fairly stated. However, Bank Group management does not include an assertion on internal control over operations and compliance with key provisions of its bank charters and policies, and it has not asked the external auditor to give an opinion on those internal controls. Although the banks' charters do not specifically call for an assertion or external review of internal control over operations and compliance, they do state that the banks are to take the necessary measures to ensure that the proceeds of any loan made, guaranteed, or participated in by them are used only for the purposes for which the loan was granted. The Bank Group's external financial statement audits do not, and are not intended to, provide specific assurance about the internal control over the Bank Group's operations and whether the funds are spent for their intended purposes. Given the inherent risks in the banks' activities, additional assurance on these other categories of internal control-- operations and compliance--would provide an added level of assurance to the Bank Group and its member countries that funds were used for their intended purposes. The Bank Group has established an audit committee that provides oversight of financial statement audits and internal control. A major function of this committee, a subgroup appointed by the board of executive directors at the Bank Group entities, is to nominate an external auditor for external audits and determine the scope of the auditor's work and the reports to be submitted by the auditor. The Bank Group's audit committee also has the external auditor provide an opinion, in conjunction with the financial statement audit, on management's assertion on the Bank Group's internal control over external financial reporting. The audit committee has the authority, as part of determining the scope of the auditor's work, to expand the external audits to include the auditor giving opinions on internal control over operations and compliance with bank charters and provisions. Alternatively, the audit committee is also well-positioned to assign an internal party or provide an external entity the task of providing a thorough assessment of such controls. However, during our review, we were told that the Bank Group does not yet have plans to provide a comprehensive assessment of its controls. We recommend that the Secretary of the Treasury--who is responsible for the federal government's interactions with the Bank Group entities-- instruct the U.S. Executive Director for the Bank Group to take the lead in working with other executive directors in developing a policy requiring these Bank Group entities to enhance the audit function and reporting of their financial operations. This would entail conducting a comprehensive evaluation of internal controls over operations and compliance to determine whether such controls are in place and are functioning properly to prevent misuse of funds and to ensure compliance with key provisions of bank charters and policies. This group of executive directors would report annually to the Board of Executive Directors, through the audit committee, on the progress made. This evaluation could be carried out in any of several ways, including through the internal audit function; by the external auditor, in conjunction with the financial statement audit; by another entity within the Bank Group; or by an external party, such as a consultant. These Bank Group entities should also provide the results of the assessment to member countries annually. In its comments, the World Bank Group welcomed our recommendation for a comprehensive assessment of internal controls over operations and compliance with bank charters and policies but did not comment on our recommendation that such evaluations be conducted annually. The Bank Group stated that given the many reforms it has underway to strengthen its control framework, an assessment of internal control over operations and compliance would be most useful if undertaken once the range of changes over those controls is substantially in place. We agree that effective timing for implementing our recommendation would coincide with the Bank Group's implementation of reforms. It added that such changes are expected to be complete in about 18 to 24 months. In its comments, the Department of the Treasury agreed with our recommendation for a comprehensive evaluation of internal controls over operations and compliance but not with our recommendation for annual evaluations because it contends that the overall structure of internal controls changes infrequently and usually only marginally. It suggests a one time comprehensive evaluation with periodic updates. We remain convinced that the Bank Group should report annually on those controls given the inherent risks in the Bank Group entities' lending activities. Scope and Methodology: Public Law 106-429, Appendix A, Title VIII, identifies 10 MDBs to be included in the scope of our work. In prior work, we addressed 6 of the MDBs listed in the law--the African Development Bank, African Development Fund, Asian Development Bank, European Bank for Reconstruction and Development, Inter-American Development Bank, and the Inter-American Investment Corporation. As agreed with your offices, this report focuses on the external financial statement audit and internal control reporting process of the remaining four MDBs--which are all part of the Bank Group--listed in the law: * International Bank for Reconstruction and Development (IBRD), * International Development Association (IDA), * International Finance Corporation (IFC), and: * Multilateral Investment Guarantee Agency (MIGA). To meet our objectives, we met with Department of the Treasury officials and a representative of the office of the U.S. Executive Director for the Bank Group. We also: * reviewed the Bank Group entities' 2002 and 2001 audited financial statements and the external auditors' opinions on the financial statements and identified the accounting principles and auditing standards used, * inquired of World Bank management and obtained information on the audit committee, external audits, and the extent of the external auditor giving opinions on internal control over financial reporting, operations, and compliance matters, * analyzed and compiled relevant financial information from the Bank Group entities' annual reports and their audited financial statements, * reviewed the banks' terms of reference to identify the scope of the audit committee's oversight and compared them to relevant guidance on widely accepted internal control frameworks, * reviewed widely accepted internal control frameworks, such as Internal Control--Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission and Guidelines for Internal Control Standards developed by the International Organization of Supreme Audit Institutions, and: * discussed various options for reporting on internal control with representatives from the international accounting firm responsible for the financial statement audits of the Bank Group entities. The Bank Group entities are multilateral, international entities that are autonomous, and the United States, as an individual member country, generally does not have audit authority over their operations. Thus, it was not part of our scope to evaluate the components of the Bank Group entities' internal control governance structure, nor did we evaluate the quality of the external auditor's work on their financial statement audits and internal control examinations over external financial reporting. Moreover, it was not part of our scope to determine whether the audit committee members were independent of the Bank Group entities they served. It was also not part of our scope to make any site visits to review any Bank Group entities' projects or programs. In accordance with GAO's agreement with the Bank Group and the Department of the Treasury on this assignment, our interaction with officials from the Bank Group was limited to the designated representative from the office of the U.S. Executive Director for the Bank Group. The articles of agreement establishing the Bank Group entities require the United States to deal with those organizations only through the Department of the Treasury. Therefore, we used Treasury officials as a conduit for obtaining information to conduct our work. We conducted our work in Washington, D.C., from May 2002 through March 2003 in accordance with U.S. generally accepted government auditing standards. In May 2003, we received comments from the World Bank Group and the Department of the Treasury, which are reproduced in their entirety in appendixes III and IV. In addition, the Bank Group also provided a number of suggested technical changes to our report, which we incorporated as appropriate. Background: The Bank Group entities included in this report--IBRD, IDA, IFC, and MIGA--are multilateral, international entities with a mission to fight poverty and improve the living standards of people in developing countries throughout the world by providing development assistance in the form of loans, equity investments, loan and equity guarantees, and technical assistance. National governments are the shareholders-- referred to as members--of the Bank Group. These members include developing countries[Footnote 6] that borrow from the Bank Group as well as industrialized member countries. All members, including borrowing members, contribute to the capital of the Bank Group and participate in oversight and in setting operating policies through their participation on the boards of governors and executive boards. See figure 1 for a summary of the components of the Bank Group and their functions. Figure 1: Bank Group's Components and Functions: [See PDF for image] [End of figure] The lending activities of the Bank Group can be grouped primarily into the following two types: market-based lending primarily done by IBRD and concessional lending primarily done by IDA.[Footnote 7] IBRD provides loans with market-based rates that are financed primarily through borrowings from world capital markets, members' paid-in capital, and retained earnings. Members also provide support through subscriptions of callable capital.[Footnote 8] Because of the significant proportion of callable capital that is subscribed by members with strong credit ratings, including the United States, IBRD is able to use callable capital as backing to obtain more favorable financing terms when borrowing from world capital markets than would otherwise be available. To date, IBRD has never made a call on this capital. IDA provides concessional loans to the poorest of the developing countries--those meeting certain eligibility requirements--and is financed through contributions from member countries and borrower repayments of outstanding loans. These loans are called "concessional" because they are provided with below-market interest rates and extended repayment terms. Due to the nature of concessional lending and the credit risks[Footnote 9] of borrower countries, the concessional lending arms do not have callable capital subscriptions and do not borrow from world capital markets to finance their operations. Unlike IBRD, which borrows from world capital markets to fund lending, IDA relies on capital replenishments or periodic contributions by members in addition to repayments from loans and transfers of net income from IBRD. As of June 30, 2002, the Bank Group had outstanding loans of about $230 billion, and concessional loans constituted 42 percent, or about $96 billion, of that total. In 2002, the Bank Group entities approved about $24.4 billion of development assistance consisting of loans, loan guarantees, and equity investments for 466 new economic and social development operations and projects. Loans with market-based interest rates, equity investments, and loan guarantees accounted for about $16.3 billion of the total financial support provided by the Bank Group during 2002, while concessional lending amounted to about $8.1 billion. See table 1 for a summary of development assistance in 2002 and number of new projects, by Bank Group entity. Table 1: Bank Group's Development Assistance and New Projects in 2002: Dollars in millions: Bank Group entity: International Bank for Reconstruction and Development; Development assistance: $11,500; New projects: 96. Bank Group entity: International Development Association; Development assistance: 8,100; New projects: 133. Bank Group entity: International Finance Corporation; Development assistance: 3,600; New projects: 204. Bank Group entity: Multilateral Investment Guarantee Agency; Development assistance: 1,200; New projects: 33. Bank Group entity: Total; Development assistance: $24,400; New projects: 466. Source: The World Bank Annual Report, 2002. [End of table] The Bank Group entities' activities are overseen through a board of governors, with a governor from each member country. In general, a board of governors is responsible for admitting new members, authorizing agreements for cooperation with other international organizations, deciding about the board of executive directors, approving the Bank Group entities' financial statements, determining the reserves and the distribution of profits, and deciding the scope of operations. Each Bank Group entity also has a board of executive directors, which is responsible for, among other things, overseeing the banks' daily operations, ensuring the implementation of the decisions of the board of governors, and approving the budgets of the banks. The Bank Group entities' own management and staff of international civil servants carry out the daily operations. The United States is a member in all the Bank Group entities discussed in this report, contributing significant amounts to support their missions and subscribing to a significant amount of their callable capital. The Congress appropriates funds for U.S. contributions and capital subscriptions to the Bank Group. In fiscal year 2002, the Congress appropriated about $800 million in U.S. contributions and approved about $20 million of new subscriptions to callable capital for the Bank Group. The Department of the Treasury oversees U.S. interests in the Bank Group. See table 2 for a summary of U.S. support of about $58.7 billion provided to the components of the Bank Group entities from their inception through June 30, 2002. Table 2: U.S. Resources Provided to the Bank Group through June 30, 2002: Dollars in millions: Bank Group entity: International Bank for Reconstruction and Development; U.S. paid-in capital or contributions: $1,998; U.S. callable capital: $29,966. Bank Group entity: International Development Association; U.S. paid-in capital or contributions: 25,842; U.S. callable capital: -. Bank Group entity: International Finance Corporation; U.S. paid-in capital or contributions: 569; U.S. callable capital: -. Bank Group entity: Multilateral Investment Guarantee Agency; U.S. paid-in capital or contributions: 63; U.S. callable capital: 266. Bank Group entity: Total; U.S. paid-in capital or contributions: $28,472; U.S. callable capital: $30,232. Source: Bank Group entities' 2002 annual reports. [End of table] The Bank Group entities prepare their financial statements to comply with different bases of accounting. They present their financial statements using U.S. generally accepted accounting principles (U.S. GAAP), international accounting standards (IAS), and special purpose basis of accounting, as shown in table 3. According to the Bank Group, due to the special nature and organization of the IDA, the concessional lending arm of the Bank Group, it prepares special purpose financial statements that are meant to show the sources and uses of resources to comply with its articles of agreement.[Footnote 10] Table 3: Bank Group Entities' Bases of Accounting and Auditing Standards: Bank Group entity: International Bank for Reconstruction and Development; Accounting standards used to prepare financial statements: U.S. GAAP and IAS; Auditing standards used to perform audit work: U.S. Generally Accepted Auditing Standards (U.S. GAAS) and International Standards on Auditing (ISA). Bank Group entity: International Development Association; Accounting standards used to prepare financial statements: Special Purpose Basis of Accounting; Auditing standards used to perform audit work: U.S. GAAS and ISA. Bank Group entity: International Finance Corporation; Accounting standards used to prepare financial statements: U.S. GAAP; Auditing standards used to perform audit work: U.S. GAAS. Bank Group entity: Multilateral Investment Guarantee Agency; Accounting standards used to prepare financial statements: U.S. GAAP and IAS; Auditing standards used to perform audit work: U.S. GAAS and ISA. Source: Bank Group entities' 2002 annual reports. [End of table] The Bank Group's external auditor has audited the annual financial statements of all the entities of the Bank Group. Each entity has received an unqualified or "clean" audit opinion on its financial statements for the 3 most recent years. The Bank Group's external financial statement audits, performed by an international accounting firm, provide assurance over its reported financial position at a particular time and the financial results of its operations and cash flows for a given fiscal year. However, the Bank Group's external financial statement audits do not, and are not intended to, provide specific assurance about the internal control over the Bank Group's operations and whether the funds are spent for their intended purposes. Figure 2 shows the relationship between the Bank Group's flow of government funding and its external audit and reporting. Figure 2: Bank Group's Flow of Government Funding and External Audit Reporting: [See PDF for image] [End of figure] The Bank Group's external auditor performs its audits based on U.S. GAAS and ISA. These standards require the independent auditor to obtain a sufficient understanding of internal control to plan the audit and determine the nature, timing, and extent of tests to be performed. As part of the audits of the Bank Group entities, the auditor communicates to the audit committee any internal control material weaknesses and reportable conditions that were noted during the course of the audit. As is common practice, the auditor issues a written document known as a management letter to communicate these weaknesses. The management letter addresses issues detected as part of the financial statement audit work and it is not meant to be a comprehensive examination of the sufficiency of the Bank Group's internal control.[Footnote 11] Bank Group Has Taken Important Steps on Internal Control but Reporting Could Be Expanded: Management of the Bank Group entities has acknowledged the importance of internal control and has (1) implemented a structured internal control framework, (2) conducted the internal control assessments necessary to provide its external auditor with a formal assertion on the effectiveness of the Bank Group's internal control over external financial reporting, and (3) contracted with its external auditor to provide an opinion, in conjunction with the financial statement audits, on whether managements' assertions on internal control over external financial reporting are fairly stated. For fiscal year 2002, the four Bank Group entities included in their annual reports both management's assertion that it met the Committee of Sponsoring Organizations of the Treadway Commission (COSO)[Footnote 12] criteria on internal control over external financial reporting as of June 30, 2002, and the external auditor's opinion that management's assertion on internal control over external financial reporting was fairly stated. However, Bank Group management does not include in its assertion internal control over operations and compliance with key provisions of bank charters and policies, and it has not asked the external auditor to give opinions on those internal controls. Although the banks' charters do not specifically call for a management assertion or an external auditor opinion on internal control over operations and compliance, they do state that the banks are to take the necessary measures to ensure that the proceeds of any loan made, guaranteed, or participated in by them are used only for the purposes for which the loan was granted. Given the inherent risks in the banks' activities, further assurance on these additional categories of internal control--operations and compliance--would provide an added level of assurance to the Bank Group and its member countries that funds were used for their intended purposes. Bank Group Has Engaged an External Auditor to Provide Opinions on Internal Control over Financial Reporting: The Bank Group entities have acknowledged the importance of internal control and have taken an important step in obtaining audit assurance over internal control: They have engaged their external auditor to provide an opinion on management's assertions on internal control over external financial reporting and have included those results in their 2002 annual reports. This public reporting of the external auditor's opinions on management's assertions provides a level of assurance on the Bank Group's ability to record, process, summarize and report financial data consistent with the assertions in the financial statements as well as a level of transparency to member countries and others outside the Bank Group. The Bank Group--specifically through the controllers' departments[Footnote 13]--has also taken steps internally to strengthen internal control. The World Bank, beginning in 1995, adopted the internal control standards of COSO. The Bank Group adopted the COSO framework to establish a common definition of internal control and provide a standard that managers and auditors can use to assess and measure progress in improving internal control. Entities and their internal control needs differ dramatically by line of business and size, and by culture and management philosophy. COSO provides a framework for implementing a system of internal control, but the specific internal controls put in place and monitored by management depend on the type of operations to be managed and the associated risks. See appendix I for a description of the five components of internal control under the COSO framework. Under the COSO framework, the effectiveness of internal control is measured by an organization's capacity to provide reasonable assurance in the following three categories. * Reliability of financial reporting: Financial reporting controls relate to an entity's ability to prepare reliable financial statements. * Effectiveness and efficiency of operations: Operations controls address the entity's basic business objectives, including performance goals and the safeguarding of resources. * Compliance with applicable laws and regulations: Compliance controls deal with the entity complying with those laws and regulations to which the entity is subject. As shown in figure 3, under COSO, an organization is responsible for the effectiveness of three categories of internal control. Figure 3: Categories of Internal Control: [See PDF for image] [End of figure] Internal controls often serve to accomplish more than one objective. Frequently, internal controls established primarily for operations or compliance objectives may also accomplish financial reporting objectives. Internal controls directed at operations and compliance also may deal with events, transactions, or other occurrences that must be reported in the financial statements. Internal control is not one event, but a series of actions and activities occurring throughout an entity's operations and on an ongoing basis. As entities strive to improve operational processes, management should continually assess and evaluate its internal control. Monitoring--a process that assesses the quality of an internal control system's performance over time--is an essential element of internal control and is particularly relevant for carrying out the fiduciary responsibilities that are integral to the Bank Group's operations. Although current financial statement auditing standards established in the private sector do not require the auditor to report on internal control and compliance when performing a financial statement audit, the auditor can be engaged to provide a level of assurance--called an attestation--on internal control over operations and compliance.[Footnote 14] The Bank Group also has other options for providing assurance over internal control over operations and compliance. For example, the Bank Group could request a comprehensive evaluation of its internal controls over these functions, which could be conducted by its internal auditor, its external auditor, an outside consultant, or by another unit within the Bank Group. World Bank Units' Responsibilities for Internal Control and Oversight of Operations: In its anticorruption progress report[Footnote 15] and operations evaluation report,[Footnote 16] the World Bank states that many units provide internal control and oversight over the use of World Bank funds in lending operations, including those shown in table 4. Table 4: World Bank Units Responsible for Internal Control and Oversight of Operations: World Bank units: Internal Auditing Department; Function: Performs audits to assess the integrity of the internal controls of business processes, including those associated with the project cycle. World Bank units: Operations Evaluation Department; Function: Assesses which projects and programs work, and which do not; how a borrower plans to operate and maintain a project; and the lasting contribution to a country's overall development. World Bank units: Inspection Panel; Function: Receives and investigates claims from project-affected people alleging that they have been harmed by the World Bank's violations of its own policies and procedures. World Bank units: Quality Assurance Group; Function: Conducts real time assessments of the quality of the project portfolio, including supervision, financial management, and monitoring and evaluation. World Bank units: Quality Assurance and Compliance Unit; Function: Seeks to improve compliance with safeguard policies. World Bank units: Loan Department; Function: Reviews and signs off on the financial management and disbursement aspects of loan agreements. World Bank units: Legal Department; Function: Drafts loan agreements; reviews and clears compliance with legal aspects of World Bank policies; and reviews the adequacy of the legal framework for project implementation. World Bank units: Operations Policy and Country Services; Function: Provides advice and support on preparing and implementing lending and nonlending operations and managing portfolios, including oversight of the World Bank's procurement and financial management functions and guidelines that govern lending relationships and conditions. World Bank units: Corporate Committee on Fraud and Corruption Policy; Function: Seeks to ensure that anticorruption policies and implementation strategies are designed and effective to help the Bank Group achieve its poverty reduction goals. World Bank units: Department of Institutional Integrity; Function: Investigates allegations of fraud and corruption in World Bank financed projects and allegations of staff misconduct. Source: World Bank's reports on anticorruption, 2000, and operations, 2002. [End of table] The World Bank states that the above units have taken on new and broadened functions for quality assurance and evaluation over the past several years and have strengthened its ability to supervise the fiduciary aspects of its loans and help borrowers--some perceived to have the worst corruption problems in the world as shown in appendix II--strengthen their own capacities. The above units are an important part of the World Bank's internal control over operations and compliance. Although it was not part of our scope to evaluate the effectiveness of these units, or any similar units in IFC and MIGA, they have the potential of providing the basis for the Bank Group to offer further assurance and transparency on its internal controls. For example, the Bank Group's internal or external auditor, or other group or entity, internal or external to the Bank Group, could provide a comprehensive evaluation of the Bank Group's control over operations and compliance to determine whether they are working as designed to ensure that funds are spent as intended. In 1995, the World Bank established a 5-year timeline to ensure that, by the end of fiscal year 2000, management would be able to express assurance that adequate controls were in place, not only for financial reporting purposes, but also for efficiency and effectiveness of operations. The World Bank has not yet met that goal. During our review, we were told that the Bank Group does not yet have plans to have a comprehensive assessment of these controls. Bank Group Could Benefit from Additional Assurance on Internal Control over Operations and Compliance: Because the Bank Group entities operate in a difficult and risky control environment, the member countries could benefit from additional assurance over the Bank Group entities' internal control over operations and compliance with key provisions of their charters. The Bank Group operates in countries where transparency and accountability are often lacking, and corruption--broadly defined as the abuse of public office for private gain--sometimes flourishes. The Bank Group must satisfy its dual mandate of providing development assistance in these environments and exercising its fiduciary responsibility, including ensuring that corruption is minimized in the projects it finances. The World Bank acknowledged in an anticorruption progress report[Footnote 17] that corruption undermines public support for development assistance by creating an erroneous perception that all assistance is affected by corruption. In this report, the World Bank stated that it would make every effort to prevent corruption in the projects and programs it finances in borrower countries. The report also showed the control and oversight units the World Bank established to improve the operational effectiveness of its procurement and financial management practices. However, the Bank Group has not taken steps to provide additional assurance and transparency that its funds are being used as intended by requiring a comprehensive assessment of controls over operations and compliance. In addition, the World Bank in its report Clean Government and Public Financial Accountability[Footnote 18] acknowledged that borrower countries' government and external auditors are unable to give the World Bank sufficient assurance that World Bank funds were exclusively used for intended purposes. Risks that Bank Group funds are used for purposes other than those for which loans were granted--whether for concessional or market-based loans--could be mitigated through effective implementation and evaluation of internal controls over operations and compliance. The Bank Group's system of internal control, adopted under the COSO framework, could facilitate a comprehensive assessment of internal controls over operations and compliance designed to uncover any material internal control weaknesses in operations and compliance that need to be corrected. A comprehensive evaluation of these controls could also provide additional credibility to the Bank Group's (1) internal evaluation reporting system and (2) commitment to provide funds only to those who use the funds for intended purposes. Such an assessment would provide additional assurance to both the Bank Group and its member countries over the use of funds and could be accomplished in one of several ways: (1) through the Bank Group's internal audit function, (2) by the external auditor, in conjunction with its financial statement audit, giving an opinion on whether management's assertions on internal controls over operations and compliance are fairly stated, (3) by another entity within the Bank Group, or (4) by another external entity, such as a consultant. Such an assessment would include identifying the specific elements of the COSO criteria that are objective, measurable, and relevant to use in assessing the reasonableness of internal control over operations and key charter provisions to be included in a review of compliance controls and to define what would constitute compliance with those key provisions of bank charters. After these significant issues are addressed, Bank Group management would be able to comprehensively document and assess the key controls identified and subsequently provide its assertions on the effectiveness of those controls. Bank Group Has Established an Audit Committee That Provides Oversight of Financial Reporting and Internal Control: The Bank Group's board of executive directors has appointed an audit committee to provide, on its behalf, oversight on matters such as the effectiveness of financial policies and reporting; various aspects of financial, business, operating, and reputational risks; and internal control in the Bank Group entities.[Footnote 19] The Bank Group's audit committee has a purpose, scope, and operating principles congruent with those customarily established for audit committees. A major function of the Bank Group's audit committee is to nominate an external auditor to conduct audits of the Bank Group's financial statements and determine the scope of the auditors' work and the reports to be submitted by the auditors. The information provided by the Bank Group on the functions of its audit committee indicated that the audit committee's terms of reference included responsibilities such as those listed in table 5. Table 5: Audit Committee Responsibilities: Area: Financial policies and reporting; Responsibility: Reviewing financial policies and other matters having a significant bearing on financial reporting including policies on financial sustainability, credit risks, as well as the integrity of financial reporting and risk management processes. Area: Independent external audit; Responsibility: Submitting to the executive directors the nomination of a firm of private independent internationally established auditors to audit the Bank Group entities' financial statements; reviewing with the external auditors the scope, design, and results of their examinations; and discussing their opinion on the financial statements prior to the release of the annual financial statements and inviting the auditors' recommendations regarding internal control and other matters. Area: Internal audit; Responsibility: Overseeing and assessing the effectiveness of the Bank Group entities' internal control and satisfying itself that the Bank Group entities' internal audit is adequate, effective, and efficient. Periodically reviewing the guidelines, work programs, and budget for the office to help ensure a strong and independent audit function. Area: Risk management; Responsibility: Focusing primarily on financial and operational risks as it coordinates with other board committees that exercise oversight of other risks and consulting with various officers of the Bank Group. Area: Operating principles; Responsibility: Advising the board on other issues relating to the financial position, controls, and risk management environment, including reviewing the Bank Group's mechanisms for avoiding fraud. Source: Audit Committee's Terms of Reference. [End of table] Information provided to us by the Bank Group indicates that the Bank Group entities' audit committee was actively involved with the external auditor during its financial statement audits. Audit committee activities with the external auditor included communications about internal control recommendations, discussions on management's COSO assertion on internal control over external financial reporting, the external auditor's opinion on management's assertion, and considerations on the external auditor's conclusions on the appropriateness of accounting principles. The information also showed that the audit committee kept current with the work of the internal auditor. The audit committee has a particularly important role to play in assuring fair presentation and appropriate accountability in connection with financial reporting, internal control, compliance and related matters. An effective audit committee facilitates the successful performance of the board of executive directors' oversight responsibilities for financial operations and is an independent safeguard on corporate management with respect to its responsibilities for preparing financial statements and implementing an internal control framework. The Bank Group's audit committee currently has the external auditor provide an opinion on management's assertion on the Bank Group's internal control over external financial reporting. The audit committee has not asked the Bank Group entities' external auditor to provide assurance on internal control over operations or compliance. The audit committee has the authority, as part of determining the scope of the auditor's work, to expand and strengthen the Bank Group entities' internal control reporting processes by requesting the external auditor to give an opinion on internal control over operations and compliance matters once management decides such reporting is appropriate. A key step in this process is for management to first apply the scope of COSO to its controls over operations and compliance and to develop the appropriate criteria to assert on internal control over operations and compliance matters. The audit committee could then have the external auditor to provide an opinion on management's assertions over those controls using the criteria specified by management. Alternatively, the audit committee could work with the internal and external auditors, other entities within the Bank Group, or an external party to conduct a comprehensive evaluation of internal controls over operations and compliance to determine whether such controls are in place and are functioning properly to prevent misuse of funds and to ensure compliance with key provisions of bank charters and policies. Conclusions: The Bank Group has taken important steps in strengthening its assessment and reporting on internal control by performing the internal control assessments necessary to provide an assertion on internal control over external financial reporting and having its external auditor give an opinion on that assertion. At the same time, Bank Group management does not include in its assertion internal control over operations and compliance with key charter provisions, and it has not asked the external auditor or any other organization, internal or external, to provide a comprehensive evaluation of its controls over these areas. The assurance that such an assessment can provide through reporting on internal control over operations and compliance is especially important given the operating risks inherent in the Bank Group's activities. The audit committee is well-positioned to assign an internal party or provide an external entity the task of providing a thorough assessment of such controls. This additional assurance would strengthen the Bank Group's accountability and enhance member country assurance that funds are spent as intended. Recommendations for Executive Action: We recommend that the Secretary of the Treasury instruct the U.S. Executive Director of the Bank Group to take the lead in working with the other executive directors in developing a policy requiring the Bank Group entities to enhance the audit function and reporting of their financial operations. This would entail (1) conducting a comprehensive evaluation of internal controls over operations and compliance to determine whether such controls are in place and are functioning properly to prevent misuse of funds and to ensure compliance with key provisions of bank charters and policies and (2) reporting annually to the board of executive directors through the audit committee on the progress made. This evaluation could be carried out in any of several ways, including through the internal audit function; by the external auditor, in conjunction with the financial statement audit; by another entity within the Bank Group; or by an external party, such as a consultant. These Bank Group entities should also provide the results of the assessment to member countries annually. Agency Comments and Our Evaluation: We received written comments from the Office of the President of the World Bank, which represented the official response of the World Bank Group. We also received written comments from the Deputy Assistant Secretary for Multilateral Development Banks and Specialized Development Institutions at the Department of the Treasury, the agency that represents the United States at the World Bank Group. These comments are reprinted in their entirety in appendixes III and IV. In its comments, the World Bank Group welcomed our recommendation for a comprehensive assessment of internal controls over operations and compliance with bank charters and policies but did not comment on our recommendation that such evaluations be conducted annually. The Bank Group stated that given the many reforms it has underway to strengthen its control framework, an assessment of internal control over operations and compliance would be most useful if undertaken once the range of changes over those controls is substantially in place. We agree that effective timing for implementing our recommendation would coincide with the Bank Group's implementation of reforms. It added that such changes are expected to be complete in about 18 to 24 months. While Treasury also agreed with our recommendation for a comprehensive evaluation of internal controls over operations and compliance, it did not agree that the Bank Group should follow this initial assessment with annual evaluations. It acknowledged that periodic updates would be reasonable but characterized annual evaluations as excessive and unnecessary based on its view that the overall structure of internal controls changes infrequently and usually only marginally. Given the inherent risks in the Bank Group entities' lending activities, we remain convinced that the Bank Group should report annually on all three categories of internal control--financial reporting, operations, and compliance. Under the COSO framework, effective internal control is an essential aspect of managing shifting environments and evolving demands and priorities. Internal control is not one event, but a series of actions and activities occurring throughout an entity's operations and on an ongoing basis. As entities strive to improve operational processes, management should continually assess and evaluate its internal control. Monitoring--a process that assesses the quality of an internal control system's performance over time--is an essential element of internal control and is particularly relevant for carrying out the fiduciary responsibilities that are integral to the Bank Group's operations. Annual reporting on internal control is now common practice both in the public and private sector and is often performed in conjunction with annual financial statement audits. Treasury pointed out that our draft report documents the sufficiency of the Bank Group's current external audits. Although our report provides information about the results of the external financial statement audits at the Bank Group, our report also makes it clear that, by design, the objective of a financial statement audit is not to provide assurance on internal control. The current financial statement audits cover only the banks' financial position at a point in time and the financial results of operations and cash flows for a given fiscal year. Given that the Bank Group's external auditor's opinion on internal control extends only to management's assertions on the effectiveness of internal control over external financial reporting, many facets of internal control would not be covered. The scope of the financial statement audits of the Bank Group entities and the separate assessment of controls over external financial reporting are not intended to and do not provide specific assurance about the effectiveness of the internal control over operations and compliance with bank charters and key policies. Considering the Bank Group's reforms to strengthen internal control over operations and compliance, we emphasize the need for annual assessments of those controls. As acknowledged in comments from the Bank Group, internal control is a "dynamic process," and reforms are under way in the Bank Group to strengthen its control framework. As the Bank Group develops and institutes these reforms, monitoring is needed to help ensure that controls are functioning as intended in preventing misuse of funds and ensuring compliance with key provisions of bank charters and policies. Annual reporting to provide accountability and transparency over lending, equity investment, and guarantee operations carries additional importance for the Bank Group because the international organization's mission requires it, as stated in its comments, "to be active in countries where controls are weak." As acknowledged by the Bank Group, "monitoring exposure against defined benchmarks" is one of several changes that will provide the banks with "significantly improved controls over lending, equity investment, and guarantee operations." As stated in our recommendations, the evaluation and reporting on internal control over operations and compliance could be carried out in several ways, including through the internal audit function; by the external auditor, in conjunction with the financial statement audit; by another entity within the Bank Group; or by an external party, such as a consultant. : We are sending copies of this report to the Secretary of the Treasury, the president of the World Bank Group, and other interested parties. Copies will be made available to others upon request. In addition, the report will be available at no charge on the GAO Web site at http:// www.gao.gov. Please contact me at (202) 512-9406 or by email at franzelj@gao.gov if you or your staffs have any questions concerning this report. Key contributors to this report were Charles Norfleet, Meg Mills, and Maxine Hattery. Signed by: Jeanette M. Franzel Director Financial Management and Assurance: Congressional Committees: The Honorable Richard G. Lugar Chairman The Honorable Joseph R. Biden, Jr. Ranking Minority Member Committee on Foreign Relations United States Senate: The Honorable Ted Stevens Chairman The Honorable Robert C. Byrd Ranking Minority Member Committee on Appropriations United States Senate: The Honorable Mitch McConnell Chairman The Honorable Patrick J. Leahy Ranking Minority Member Subcommittee on Foreign Operations Committee on Appropriations United States Senate: The Honorable Michael G. Oxley Chairman The Honorable Barney Frank Ranking Minority Member Committee on Financial Services House of Representatives: The Honorable Peter T. King Chairman The Honorable Carolyn B. Maloney Ranking Minority Member Subcommittee on Domestic and International Monetary Policy, Trade and Technology Committee on Financial Services House of Representatives: The Honorable C.W. Bill Young Chairman The Honorable David Obey Ranking Minority Member Committee on Appropriations House of Representatives: The Honorable Jim Kolbe Chairman The Honorable Nita M. Lowey Ranking Minority Member Subcommittee for Foreign Operations, Export Financing, and Related Programs Committee on Appropriations House of Representatives: [End of section] Appendixes: Appendix I: Components of Internal Control under COSO: The World Bank, beginning in 1995, adopted the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework. Under the COSO framework, there are five interrelated components of internal control that define the minimum level of quality acceptable for internal control in an organization and provide the basis against which internal control is to be evaluated. The five components are used as the criteria to evaluate the strengths and weaknesses of the internal controls and to identify actions that can be taken to improve controls. All five components must be present and effective in order for management to have reasonable assurance that risks are managed to ensure the achievement of the organization's objectives. At the Bank Group, management is responsible for developing the detailed policies, procedures, and practices to fit its organization's operations and to ensure that they are built into and are an integral part of its operations. The five internal control components, which apply to all aspects of an organization's operations, including programmatic, financial, and compliance, include the following: Control environment. The control environment reflects management's commitment and attitude to the implementation and maintenance of an effective internal control structure. The control environment which management promulgates through the organization will strongly influence the design and operation of control policies and procedures. It will also determine how effective they are in mitigating risks and achieving objectives. Risk assessment. All organizations, regardless of size or nature, encounter some form of risk that can adversely impact the achievement of its objectives. Assessing risk is a major component of an effective control structure. It involves the identification, analysis, assessment, and prioritization of risks that need to be treated by control activities. Control activities. Control activities are the tailored policies and procedures that ensure (1) the mitigation of risks, (2) irregularities are prevented or detected and corrected, (3) assets are safeguarded from unauthorized use or disposal, and (4) financial records and other relevant databases are complete and accurately reflect the entire operational activities of the organization, and assist in timely preparation of accurate financial statements. Information and communication. Information and communication are critical for performance reporting, decision making, both within the organization and externally, and the achievement of strategic objectives. Monitoring. Monitoring is the final component of an effective internal control structure and is closely linked to information and communication. In addition to performance monitoring, the effectiveness of the control structure itself also needs to be monitored and reviewed. Control monitoring can be undertaken in two ways, by ongoing monitoring and by separate reviews and evaluations. [End of section] Appendix II: Transparency International's 2002 Corruption Perception Index: Transparency International is an organization dedicated to curbing both international and national corruption. Transparency International launched its Corruption Perception Index (CPI) in 1995. The CPI is a collection of polls, drawing on 15 surveys from 9 independent sources for its 2002 results. The goal of the CPI is to provide data on extensive perceptions of corruption within countries. The 2002 CPI shows that the Bank Group entities function in environments that are perceived to have high levels of corruption, underscoring the importance of internal control over operations and compliance within the Bank Group entities that are providing loans to those countries. The CPI serves as an important indicator of the image a country conveys to investors and potential business partners. Because the CPI is derived from 15 different surveys that garner the perceptions of both residents and expatriates, both business people and risk analysts, the index provides a snapshot of the views of the people who make key decisions on investment and trade. The CPI builds public awareness of the corruption issue, and it adds to pressure on governments to directly address the issue and the damaged image of their nation that low rankings in the CPI reflect. The CPI is a composite index that consists of credible sources using diverse sampling frames and different methodologies, including one used by the World Bank. The methodology is reviewed by a steering committee consisting of leading international experts in the fields of corruption, econometrics, and statistics. Members of the steering committee make suggestions to improve the CPI, but the management of Transparency International makes the final decisions on the methodology used. For the 2002 CPI, data was included from the following organizations' surveys and documents: * World Bank, World Business Environment Survey; * World Economic Forum, Africa Competitiveness and Global Competitiveness Reports; * Institute for Management Development, World Competitiveness Yearbook; * PricewaterhouseCoopers, Opacity Index; * Political & Economic Risk Consultancy, Asian Intelligence Issue; * Economist Intelligence Unit, Country Risk Service and Country Forecast; * Freedom House, Nations in Transit; * Gallup International on behalf of Transparency International, Bribe Payers Index; and: * Columbia University, State Capacity Survey. No country was included in the CPI without results from a minimum of three surveys undertaken over the past 3 years. For this reason, not all countries with high levels of corruption may have been added. Figure 4 includes the borrower countries by region. Figure 4: Countries Included in Transparency International's 2002 CPI: [See PDF for image] [End of figure] [End of section] Appendix III: Comments from the World Bank Group: The World Bank Washington, D.C. 20433 U.S.A. OFFICE OF THE PRESIDENT: May 20, 2003: Ms. Carole Brookins: Executive Director for the United States of America The World Bank: WASHINGTON, DC: Dear Ms. Brookins, The GAO has sent us their draft report on the sufficiency of audits of the external financial statements of the World Bank Group for comments. Please find attached the official response of the World Bank Group with regard to this review. I would very much appreciate if you could transmit this letter to the U.S. General Accounting Office. Sincerely yours, Shengman Zhang Acting President: Signed by Shengman Zhang: The World Bank Washington, D.C. 20433 U.S.A. OFFICE OF THE PRESIDENT: May 20, 2003: Ms. Jeanette M. Franzel Director: Financial Management and Assurance U.S. General Accounting Office Washington DC 20548: Dear Ms. Franzel, Thank you for the opportunity to comment on the General Accounting Office's draft report, April 2003, "World Bank Group: Important Steps Taken on Internal Control but Additional Assessments Should be Made," GAO-03-366. We appreciate the GAO's acknowledgement that the World Bank Group has taken important steps over the past years to further strengthen its assessment and reporting on internal control. We have implemented an internal control framework, and we are already conducting internal control assessments. Bank Group Management annually provides the external auditor with an assertion about the effectiveness of internal control over external financial reporting. The external auditor provides an attestation on whether that assertion is fairly stated. Management's assertion, and the external auditor's attestation have been published in the Annual Reports. As acknowledged in your report, the Bank Group's external auditor, an international accounting firm, has performed annual financial statement audits on all of the entities of the Bank Group. Each entity has always received an unqualified audit opinion on its financial statements. These audits provide assurance over the reported financial position at a given point in time and the financial results of our operations and cash flows for a given fiscal year. However, the World Bank Group's financial statement audits do not, and are not intended to, provide assurance about the internal controls over the Bank Group's lending or guarantee operations. With respect to the latter issue, let me point out that the Bank Group has in place various units which form an extensive network of management controls and oversight that are responsible for operations evaluation, internal control, oversight, and compliance with regard to the use of funds in lending, equity investment operations, and guarantee operations. Certain of these key units are independent from Bank Group Management. We are engaged in a series of change initiatives in our operational work to better align our policies and procedures with our objective of achieving greater development impact. We are simplifying our processes and scaling up our activities as part of our agenda of better measuring, monitoring, and managing for development results. We are working on a simplification of investment lending, more focused standard project documentation, reforms in procurement and financial management, a new policy on external audits of projects, simplification of eligibility of expenditure rules, modernization of disbursement processes, enhancement of a framework for loan and equity investment checks and balances including monitoring exposure against defined benchmarks. Collectively these changes will provide significantly improved controls over lending, equity investment, and guarantee operations and, through the simplification component, will further enhance efficient and effective compliance. Your report stated, and we agree, that there are still challenges ahead given the difficult environment with respect to capacity and transparency in some of our client countries. Tackling corruption is difficult and complex and our mission requires the Bank Group to be active in countries where controls are weak. But we are committed to being even more aggressive in our capacity building efforts, one of the key elements of our anticorruption strategy. Internal control over lending and guarantee operations, in the context of working in developing countries, is a dynamic process. We are always open to suggestions from our shareholders on how the Bank Group can further improve its control framework. In this context, we welcome your suggestion of conducting a comprehensive assessment of internal controls over operations and compliance with charters and policies. Given the many reforms underway to strengthen our control framework, we believe that such an assessment would be most useful if it were undertaken once the range of changes that we are currently planning and implementing is substantially in place. We expect this work to be completed in about 18 to 24 months. Again, let me thank you for the opportunity to comment on your draft report. Sincerely yours, Shengman Zhang Acting President: Signed by Shengman Zhang: [End of section] Appendix IV: Comments from the Department of the Treasury: DEPARTMENT OF THE TREASURY WASHINGTON, D.C. 20220: May 21, 2003: Ms. Jeanette M. Franzel Director: Financial Management and Assurance U.S. General Accounting Office Washington, DC 20548: Dear Ms. Franzel: Thank you for the opportunity to comment on the General Accounting Office's draft report, "World Bank Group: Important Steps Taken on Internal Control but Additional Assessments Should be Made", on the sufficiency of external audits of the financial operations of the World Bank Group (WBG), prepared in response to section 803 of the Foreign Operations Appropriations Act, FY2001. [NOTE 1] The draft report: * outlines what is, and what is not, covered by financial statement audits of the external auditor; * documents the active role of the Audit Committee of the WBG's executive boards in overseeing the external audit process and communicating about those audits with both the external auditors and the WBG's boards of directors; * emphasizes that the external auditor is not required by the charters of the four respective entities of the WBG to audit or provide assurances with respect to internal controls over operations and compliance; * affirms that the current external audits are sufficient; * publicizes that the Fiscal Year 2002 annual reports of IBRD/IDA, IFC and MIGA included for the first time two letters - 1) management's assertion and 2) the external auditor's attestation regarding management's assertion, with respect to internal controls relating to external financial reporting; * highlights that there are three categories of internal control: 1) financial reporting; 2) operations; and 3) compliance; and: * lists eleven units --including the Internal Auditing Department, the Loan Department, the Quality Assurance Group, and the Operations Evaluation Department--that currently are responsible for IBRD and IDA internal controls. The draft report recommends that Treasury instruct the U.S. Executive Director of the WBG to take the lead in working with other Executive Directors to develop a policy requiring the WBG entities to further enhance the audit function and reporting of their financial operations. GAO states that "this would entail conducting a comprehensive evaluation of internal controls over operations and compliance to determine whether such controls are in place and are functioning properly... and report annually to the board of executive directors through the audit committee on the progress made." (pp. 24-25). GAO suggests several options for carrying out this evaluation: 1) through the internal audit function; 2) by the external auditor in conjunction with the financial statement audit; 3) by another entity within the Bank Group; or 4) by an external party such as a consultant. As you know, the Treasury Department has given, and will continue to give, strong support to oversight mechanisms to help assure productive development assistance. An effective control environment is essential for the World Bank Group - the International Bank for Reconstruction and Development (IBRD), the International Development Association (IDA), the International Finance Corporation (ITC), and the Multilateral Investment Guarantee Agency (MIGA). We have worked with G- 7 partners and other member countries on a number of initiatives in this area which aim to: * strengthen the WBG's internal control mechanisms; * assure compliance with safeguard and fiduciary policies; * put in place independent operations evaluation units; * ensure that operations and strategies are designed around results measurement frameworks; and: * enhance the development effectiveness of WBG project and non-project assistance. The WBG awards the external audit contract through a competitive selection process. Recently, the Audit Committee and the Board, with our active support, strengthened the principles for the appointment of the external auditor of the WBG. As of Fiscal Year 2004, the following practices will apply: * audit firm tenure of "5 years plus 5 years" with the ability of the incumbent to re-bid after the first 5 years; * mandatory rotation of the audit firm after 10 years provided that the Audit Committee may exceptionally recommend that circumstances are such that the incumbent audit firm should be allowed to participate in the re-bidding; * audit firm senior partner rotation every 5 years; * Audit Committee review of the audit firm's performance at mid-term (30 months); * audit firm exclusion from being eligible to provide pure consulting services (effective February 2003); and: * audit firm eligible only to provide certain extremely and strictly limited "audit-related"consulting services, to be approved on a case- by-case basis by the Executive Directors or Directors of the respective Boards with the Audit Committee's recommendation (effective February 2003). The financial statement audits by external auditors are important because they provide assurances to the entities of the WBG, their bondholders and member country governments. We have worked with other members of the executive boards of the WBG to strengthen the financial statement audit process. We have also worked to assure that the Audit Committee of the executive boards exercise oversight over and maintain a dialogue with the external auditors. Since the WBG has a number of units that have an internal control function, we are pleased that Bank Group management's response, which is published in this report, states that the WBG welcomes the GAO's suggestion that the WBG conduct a comprehensive assessment of internal controls over operations and compliance. We agree with GAO's recommendation that it would be useful for the United States to work with other chairs to develop a policy that would require the WBG to conduct a comprehensive evaluation of internal controls over operations and compliance and to report the results of the evaluation through the Audit Committee to the Board of Executive Directors. Our view, however, is that GAO's recommendation for annual evaluations of this nature is excessive and unnecessary because the overall structure of internal controls changes infrequently and usually marginally. We believe that a one-time comprehensive evaluation with appropriate periodic updates is a reasonable approach. We will be instructing the U.S. Executive Director of the WBG to proceed on this basis. We attach enormous importance to working to ensure strong internal controls for all entities of the WBG. The GAO's draft report documents the "sufficiency" of the external audits of the WBG. The draft report states that "each entity has received an unqualified or `clean' audit opinion on their financial statements for the three most recent years." ( p.12). We intend to continue to support appropriate and strong internal control environments at the WBG, which are essential to enhancing project quality and the effectiveness of development resources. Sincerely, [See PDF for image] [End of figure] William E. Schuerch Deputy Assistant Secretary Multilateral Development Banks and Specialized Development Institutions: Signed by William E. Schuerch: NOTES: [1] Section 803(a). "ANNUAL REPORT ON FINANCIAL OPERATIONS. -Beginning 180 days after the date of enactment of this Act, or October 31, 2000, whichever is later, and on October 31 of each year thereafter, the Comptroller General of the United States shall submit to the appropriate congressional committees a report on the sufficiency of audits of the financial operations of each multilateral development bank conducted by persons or entities outside such bank." (P.L. 106-429). [End of section] (194069): FOOTNOTES [1] Foreign Operations, Export Financing, and Related Programs Appropriations Act, 2002 (Public Law 107-115), which states that these funds are available to the MDBs until expended. [2] The first in this series was Multilateral Development Banks: Profiles of Selected Multilateral Development Banks (GAO-01-665, May 18, 2001) and the second was Regional Multilateral Development Banks: External Audit Reporting Could Be Expanded (GAO-02-27, December 14, 2001). [3] The Bank Group actually consists of five closely associated institutions but one of them--the International Centre for Settlement of Investment Disputes--is not within the scope of our work required by Public Law 106-429. [4] The European Union consists of the following countries: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Portugal, Spain, Sweden, and the United Kingdom. [5] Internal control comprises the plans, methods, and procedures used to meet missions, goals, and objectives and, in doing so, supports performance-based management. Internal control also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. In short, internal control, which is synonymous with management control, helps program managers achieve desired results. [6] Member countries that borrow from the Bank Group are generally low- and middle-income countries in need of social or economic development. [7] IBRD and IDA are separate entities, but the term "World Bank" is commonly used to refer to them as one. [8] Callable capital is a form of capital that is subscribed by members and resembles promissory notes from members to honor Bank Group debts if the Bank Group cannot meet its obligations through other available resources. [9] Credit risk refers to the risk of default by a borrower or guarantor that may result from nonperformance under the terms of lending agreements. [10] Article VI, Section 11(a) of the Articles of Agreement of IDA. [11] Private sector standards and guidance for financial statement audits do not require the auditor to provide an opinion on the effectiveness of internal control when performing a financial statement audit. Financial statement audits are not intended to provide a basis for the evaluation of the overall quality of the entity's system of internal control. Therefore, in a typical financial statement audit, many controls designed to ensure the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with key provisions of bank charters may not be tested. [12] COSO provides a framework designed to assist management in assessing its internal control system against an established standard to help identify basic weaknesses in operations, financial reporting, and legal/regulatory compliance controls and act to strengthen them. See appendix I for a description of the five components of internal control under the COSO framework. [13] The controllers' departments within IBRD, IDA, IFC, and MIGA oversee the internal control framework and focus on financial integrity and control, financial reporting, and monitoring. [14] Attestation standards apply whenever the auditor has been engaged to provide assurance or report on a subject matter that is the responsibility of another party. Certain engagements, such as a financial statement audit, are not subject to attestation standards. [15] World Bank, Helping Countries Combat Corruption: Progress at the World Bank Since 1997 (Washington, D.C., June 2000). [16] World Bank Operations Evaluation Department, 2002 Annual Report on Operations Evaluation (Washington, D.C., 2002). [17] See Helping Countries Combat Corruption. [18] World Bank Operations Evaluation Department, Clean Government and Public Financial Accountability, OED Working Paper Series No. 17, (Washington, D.C., Summer 2000). [19] In addition to the audit committee, the Bank Group has a Multilateral Audit Advisory Group that is tasked with advising the audit committee on audit requests by Supreme Audit Institutions, such as GAO, assessing compliance with the agreed terms of reference for the audit, assessing adherence to the agreed ground rules, and providing objective comment on the resulting audit reports. GAO's Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: