oversight

World Bank Group: Important Steps Taken on Internal Control but Additional Assessments Should Be Made

Published by the Government Accountability Office on 2003-06-16.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

             United States General Accounting Office

GAO          Report to Congressional Committees




June 2003
             WORLD BANK
             GROUP
             Important Steps Taken
             on Internal Control
             but Additional
             Assessments Should
             Be Made




GAO-03-366
             a
                                               June 2003


                                               WORLD BANK GROUP

                                               Important Steps Taken on Internal
Highlights of GAO-03-366, a report to          Control but Additional Assessments
Congressional Committees
                                               Should Be Made



The Congress passed Public Law                 The Bank Group has taken important steps in strengthening its assessment
106-429 because it was concerned               and reporting on internal control, including (1) implementing a structured
about the sufficiency of external              internal control framework, (2) conducting the internal control assessments
audits of the financial operations of          necessary to provide its external auditor with an assertion about the
the World Bank Group, a set of                 effectiveness of the Bank Group’s internal control over external financial
multilateral development banks.
This law provides that GAO report              reporting, and (3) contracting with its external auditor to provide an opinion,
on the sufficiency of such audits of           in conjunction with the financial statement audit, on whether management’s
each Bank Group entity. As agreed              assertion on internal control over external financial reporting is fairly stated.
with your offices, GAO addressed               However, Bank Group management does not include an assertion on internal
(1) the extent that the external               control over operations and compliance matters, and it has not asked the
auditor was providing assurance on             external auditor to give an opinion on those internal controls. During our
internal control over financial                review, we were told that the Bank Group does not yet have plans to
reporting, operations, and                     conduct a comprehensive assessment of those controls. The Bank Group’s
compliance with key provisions of              external financial statement audits do not, and are not intended to, provide
bank charters and policies in                  specific assurance about the internal control over the Bank Group’s
conjunction with financial                     operations and whether the funds are spent for their intended purposes.
statement audits and (2) the role
the Bank Group’s audit committee               Given the inherent risks in the banks’ activities, additional assurance on
plays in providing oversight of                these other categories of internal control—operations and compliance—
external financial statement audits            would provide an added level of assurance to the Bank Group and its
and internal control.                          member countries that funds were used for their intended purposes.

                                               The Bank Group has established an audit committee that provides oversight
                                               of external financial statement audits and internal control. A major function
To provide greater assurance that              of the committee is to nominate an external auditor and determine the scope
the Bank Group’s funds are spent
                                               of the auditor’s work and the reports to be submitted by the auditor. The
as intended, GAO is making
recommendations for a                          audit committee also has the external auditor give an opinion, in conjunction
comprehensive assessment of                    with the financial statement audit, on management’s assertion on the Bank
internal control over operations               Group’s internal control over external financial reporting. The audit
and compliance matters and annual              committee has the authority to expand the external audits to include the
evaluations of such controls.                  auditor giving opinions on internal control over operations and compliance
                                               matters. Alternatively, the audit committee is also well-positioned to assign
The Bank Group and the U.S.                    to an internal party or provide an external party the task of providing a
Treasury Department agreed on the              thorough assessment of such controls.
need for a comprehensive
                                                Categories of Internal Control
assessment of those controls.
Treasury did not agree that annual
evaluations should be done and the
Bank Group, which has reforms on
those controls underway, made no
comment on timing. We continue to
believe that such annual
evaluations are necessary.

www.gao.gov/cgi-bin/getrpt?GAO-03-366.
To view the full report, including the scope
and methodology, click on the link above.
For more information, contact Jeanette
Franzel at (202) 512-9406 or
franzelj@gao.gov.
Contents



Letter                                                                                                1
                             Results in Brief                                                         3
                             Scope and Methodology                                                    5
                             Background                                                               7
                             Bank Group Has Taken Important Steps on Internal Control but
                               Reporting Could Be Expanded                                           13
                             Bank Group Has Established an Audit Committee That Provides
                               Oversight of Financial Reporting and Internal Control                 20
                             Conclusions                                                             22
                             Recommendations for Executive Action                                    22
                             Agency Comments and Our Evaluation                                      23


Appendixes
              Appendix I:    Components of Internal Control under COSO                               28
             Appendix II:    Transparency International’s 2002 Corruption Perception
                             Index                                                                   30
             Appendix III:   Comments from the World Bank Group                                      33
             Appendix IV:    Comments from the Department of the Treasury                            36


Tables                       Table 1: Bank Group’s Development Assistance and New Projects
                                      in 2002                                                         9
                             Table 2: U.S. Resources Provided to the Bank Group through
                                      June 30, 2002                                                  10
                             Table 3: Bank Group Entities’ Bases of Accounting and Auditing
                                      Standards                                                      11
                             Table 4: World Bank Units Responsible for Internal Control and
                                      Oversight of Operations                                        17
                             Table 5: Audit Committee Responsibilities                               20


Figures                      Figure 1: Bank Group’s Components and Functions                          8
                             Figure 2: Bank Group’s Flow of Government Funding and External
                                       Audit Reporting                                               12
                             Figure 3: Categories of Internal Control                                15
                             Figure 4: Countries Included in Transparency International’s 2002
                                       CPI                                                           32




                             Page i                                          GAO-03-366 World Bank Group
Contents




Abbreviations

COSO             Committee of Sponsoring Organizations of the Treadway
                 Commission
CPI              Corruption Perception Index
IAS              International Accounting Standards
IBRD             International Bank for Reconstruction and Development
IDA              International Development Association
IFC              International Finance Corporation
ISA              International Standards on Auditing
MDB              Multilateral Development Bank
MIGA             Multilateral Investment Guarantee Agency
U.S. GAAP        U.S. generally accepted accounting principles
U.S. GAAS        U.S. generally accepted auditing standards


 This is a work of the U.S. Government and is not subject to copyright protection in the
 United States. It may be reproduced and distributed in its entirety without further
 permission from GAO. It may contain copyrighted graphics, images or other materials.
 Permission from the copyright holder may be necessary should you wish to reproduce
 copyrighted materials separately from GAO’s product.




Page ii                                                     GAO-03-366 World Bank Group
A
United States General Accounting Office
Washington, D.C. 20548



                                    June 16, 2003                                                                                 Lert




                                    Congressional Committees

                                    Multilateral Development Banks (MDBs) were established to provide
                                    financial support for projects and programs designed to promote social and
                                    economic progress in developing countries throughout the world. In fiscal
                                    year 2002, the United States provided approximately $1.3 billion to support
                                    the missions of the MDBs, with about $820 million going to the World Bank
                                    Group (Bank Group) and about $460 million going to regional MDBs.1 As a
                                    group, the MDBs are the largest source of development aid for middle- and
                                    low-income countries.

                                    Section 803(a) of the Foreign Operations, Export Financing, and Related
                                    Programs Appropriations Act, 2001 (Public Law 106-429) provides that
                                    GAO report annually on the sufficiency of audits of the financial operations
                                    of each MDB conducted by the persons or entities outside the bank. This is
                                    the third in a series of reports in response to Public Law 106-429’s reporting
                                    requirement.2 As agreed with your offices, this report covers the following
                                    MDBs, which are all part of the World Bank Group:3

                                    • International Bank for Reconstruction and Development,

                                    • International Development Association,

                                    • International Finance Corporation, and

                                    • Multilateral Investment Guarantee Agency.




                                    1
                                      Foreign Operations, Export Financing, and Related Programs Appropriations Act, 2002
                                    (Public Law 107-115), which states that these funds are available to the MDBs until
                                    expended.
                                    2
                                     The first in this series was Multilateral Development Banks: Profiles of Selected
                                    Multilateral Development Banks (GAO-01-665, May 18, 2001) and the second was Regional
                                    Multilateral Development Banks: External Audit Reporting Could Be Expanded (GAO-02-
                                    27, December 14, 2001).
                                    3
                                      The Bank Group actually consists of five closely associated institutions but one of them—
                                    the International Centre for Settlement of Investment Disputes—is not within the scope of
                                    our work required by Public Law 106-429.




                                    Page 1                                                       GAO-03-366 World Bank Group
The International Bank for Reconstruction and Development and the
International Development Association, which accounted for 80 percent of
the development assistance the Bank Group provided to developing
countries in 2002, are referred to as the “World Bank.” Financial statement
audits and the related assurance on internal control provided by the
external auditor are important for the Bank Group entities because they

• have missions that emphasize distributing funds for development and
  accountability for the use of those funds;

• operate in countries where transparency and accountability are ranked
  among the lowest in the world; and

• are multilateral entities not subject to oversight by any single national
  government.

Because borrowing countries often lack the transparency and
accountability needed to prevent and detect corruption, the Bank Group
entities that provide loans risk having the funds used for purposes other
than those intended. The United States and other donors have indicated
that they are concerned about these risks. Donors want to be assured that
the funds they provide are used only for the intended purpose, and the
Bank Group’s lending entities need to assure donors that the standard of
care over those funds meets donor expectations. Representatives from the
United States and the European Union4 have recently stated that they plan
to increase contributions to the world’s poorest countries if they have
assurance that the funds they are providing are used as intended in
developing countries and have measurable results.

As agreed with your offices, this report addresses the following two
specific areas related to the World Bank Group’s external financial
statement audit process:




4
  The European Union consists of the following countries: Austria, Belgium, Denmark,
Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Portugal,
Spain, Sweden, and the United Kingdom.




Page 2                                                      GAO-03-366 World Bank Group
                   1. the extent to which the Bank Group entities are obtaining assurance
                      from their external auditor on internal control5 over financial reporting,
                      operations, and compliance with key provisions of their charters and
                      policies in conjunction with their financial statement audits and

                   2. the role the Bank Group’s audit committee plays in providing oversight
                      of financial statement audits and internal control.



Results in Brief   The Bank Group has taken important steps in strengthening its assessment
                   and reporting on internal control, such as (1) implementing a structured
                   internal control framework, (2) conducting the internal control
                   assessments necessary to provide its external auditor with an assertion on
                   the effectiveness of the Bank Group’s internal control over external
                   financial reporting, and (3) contracting with its external auditor to provide
                   an opinion, in conjunction with the financial statement audit, on whether
                   management’s assertion on internal control over external financial
                   reporting is fairly stated. However, Bank Group management does not
                   include an assertion on internal control over operations and compliance
                   with key provisions of its bank charters and policies, and it has not asked
                   the external auditor to give an opinion on those internal controls. Although
                   the banks’ charters do not specifically call for an assertion or external
                   review of internal control over operations and compliance, they do state
                   that the banks are to take the necessary measures to ensure that the
                   proceeds of any loan made, guaranteed, or participated in by them are used
                   only for the purposes for which the loan was granted. The Bank Group’s
                   external financial statement audits do not, and are not intended to, provide
                   specific assurance about the internal control over the Bank Group’s
                   operations and whether the funds are spent for their intended purposes.
                   Given the inherent risks in the banks’ activities, additional assurance on
                   these other categories of internal control—operations and compliance—
                   would provide an added level of assurance to the Bank Group and its
                   member countries that funds were used for their intended purposes.




                   5
                     Internal control comprises the plans, methods, and procedures used to meet missions,
                   goals, and objectives and, in doing so, supports performance-based management. Internal
                   control also serves as the first line of defense in safeguarding assets and preventing and
                   detecting errors and fraud. In short, internal control, which is synonymous with
                   management control, helps program managers achieve desired results.




                   Page 3                                                       GAO-03-366 World Bank Group
The Bank Group has established an audit committee that provides
oversight of financial statement audits and internal control. A major
function of this committee, a subgroup appointed by the board of executive
directors at the Bank Group entities, is to nominate an external auditor for
external audits and determine the scope of the auditor’s work and the
reports to be submitted by the auditor. The Bank Group’s audit committee
also has the external auditor provide an opinion, in conjunction with the
financial statement audit, on management’s assertion on the Bank Group’s
internal control over external financial reporting. The audit committee has
the authority, as part of determining the scope of the auditor’s work, to
expand the external audits to include the auditor giving opinions on
internal control over operations and compliance with bank charters and
provisions. Alternatively, the audit committee is also well-positioned to
assign an internal party or provide an external entity the task of providing a
thorough assessment of such controls. However, during our review, we
were told that the Bank Group does not yet have plans to provide a
comprehensive assessment of its controls.

We recommend that the Secretary of the Treasury—who is responsible for
the federal government’s interactions with the Bank Group entities—
instruct the U.S. Executive Director for the Bank Group to take the lead in
working with other executive directors in developing a policy requiring
these Bank Group entities to enhance the audit function and reporting of
their financial operations. This would entail conducting a comprehensive
evaluation of internal controls over operations and compliance to
determine whether such controls are in place and are functioning properly
to prevent misuse of funds and to ensure compliance with key provisions of
bank charters and policies. This group of executive directors would report
annually to the Board of Executive Directors, through the audit committee,
on the progress made. This evaluation could be carried out in any of several
ways, including through the internal audit function; by the external auditor,
in conjunction with the financial statement audit; by another entity within
the Bank Group; or by an external party, such as a consultant. These Bank
Group entities should also provide the results of the assessment to member
countries annually.

In its comments, the World Bank Group welcomed our recommendation
for a comprehensive assessment of internal controls over operations and
compliance with bank charters and policies but did not comment on our
recommendation that such evaluations be conducted annually. The Bank
Group stated that given the many reforms it has underway to strengthen its
control framework, an assessment of internal control over operations and



Page 4                                              GAO-03-366 World Bank Group
              compliance would be most useful if undertaken once the range of changes
              over those controls is substantially in place. We agree that effective timing
              for implementing our recommendation would coincide with the Bank
              Group’s implementation of reforms. It added that such changes are
              expected to be complete in about 18 to 24 months.

              In its comments, the Department of the Treasury agreed with our
              recommendation for a comprehensive evaluation of internal controls over
              operations and compliance but not with our recommendation for annual
              evaluations because it contends that the overall structure of internal
              controls changes infrequently and usually only marginally. It suggests a one
              time comprehensive evaluation with periodic updates. We remain
              convinced that the Bank Group should report annually on those controls
              given the inherent risks in the Bank Group entities’ lending activities.



Scope and     Public Law 106-429, Appendix A, Title VIII, identifies 10 MDBs to be
              included in the scope of our work. In prior work, we addressed 6 of the
Methodology   MDBs listed in the law—the African Development Bank, African
              Development Fund, Asian Development Bank, European Bank for
              Reconstruction and Development, Inter-American Development Bank, and
              the Inter-American Investment Corporation. As agreed with your offices,
              this report focuses on the external financial statement audit and internal
              control reporting process of the remaining four MDBs—which are all part
              of the Bank Group—listed in the law:

              • International Bank for Reconstruction and Development (IBRD),

              • International Development Association (IDA),

              • International Finance Corporation (IFC), and

              • Multilateral Investment Guarantee Agency (MIGA).

              To meet our objectives, we met with Department of the Treasury officials
              and a representative of the office of the U.S. Executive Director for the
              Bank Group. We also

              • reviewed the Bank Group entities’ 2002 and 2001 audited financial
                statements and the external auditors’ opinions on the financial
                statements and identified the accounting principles and auditing
                standards used,



              Page 5                                             GAO-03-366 World Bank Group
• inquired of World Bank management and obtained information on the
  audit committee, external audits, and the extent of the external auditor
  giving opinions on internal control over financial reporting, operations,
  and compliance matters,

• analyzed and compiled relevant financial information from the Bank
  Group entities’ annual reports and their audited financial statements,

• reviewed the banks’ terms of reference to identify the scope of the audit
  committee’s oversight and compared them to relevant guidance on
  widely accepted internal control frameworks,

• reviewed widely accepted internal control frameworks, such as Internal
  Control—Integrated Framework issued by the Committee of
  Sponsoring Organizations of the Treadway Commission and Guidelines
  for Internal Control Standards developed by the International
  Organization of Supreme Audit Institutions, and

• discussed various options for reporting on internal control with
  representatives from the international accounting firm responsible for
  the financial statement audits of the Bank Group entities.

The Bank Group entities are multilateral, international entities that are
autonomous, and the United States, as an individual member country,
generally does not have audit authority over their operations. Thus, it was
not part of our scope to evaluate the components of the Bank Group
entities’ internal control governance structure, nor did we evaluate the
quality of the external auditor’s work on their financial statement audits
and internal control examinations over external financial reporting.
Moreover, it was not part of our scope to determine whether the audit
committee members were independent of the Bank Group entities they
served.

It was also not part of our scope to make any site visits to review any Bank
Group entities’ projects or programs. In accordance with GAO’s agreement
with the Bank Group and the Department of the Treasury on this
assignment, our interaction with officials from the Bank Group was limited
to the designated representative from the office of the U.S. Executive
Director for the Bank Group. The articles of agreement establishing the
Bank Group entities require the United States to deal with those
organizations only through the Department of the Treasury. Therefore, we




Page 6                                            GAO-03-366 World Bank Group
             used Treasury officials as a conduit for obtaining information to conduct
             our work.

             We conducted our work in Washington, D.C., from May 2002 through March
             2003 in accordance with U.S. generally accepted government auditing
             standards. In May 2003, we received comments from the World Bank Group
             and the Department of the Treasury, which are reproduced in their entirety
             in appendixes III and IV. In addition, the Bank Group also provided a
             number of suggested technical changes to our report, which we
             incorporated as appropriate.



Background   The Bank Group entities included in this report—IBRD, IDA, IFC, and
             MIGA—are multilateral, international entities with a mission to fight
             poverty and improve the living standards of people in developing countries
             throughout the world by providing development assistance in the form of
             loans, equity investments, loan and equity guarantees, and technical
             assistance. National governments are the shareholders—referred to as
             members—of the Bank Group. These members include developing
             countries6 that borrow from the Bank Group as well as industrialized
             member countries. All members, including borrowing members, contribute
             to the capital of the Bank Group and participate in oversight and in setting
             operating policies through their participation on the boards of governors
             and executive boards. See figure 1 for a summary of the components of the
             Bank Group and their functions.




             6
              Member countries that borrow from the Bank Group are generally low- and middle-income
             countries in need of social or economic development.




             Page 7                                                   GAO-03-366 World Bank Group
Figure 1: Bank Group’s Components and Functions

    The International Bank for Reconstruction          The International Development Association
    and Development aims to reduce poverty in          serves as a concessional lending arm and
    middle-income and creditworthy poorer              promotes economic development by providing
    countries by promoting sustainable                 annual interest-free credits to the world’s
    development through loans, guarantees, and         poorest borrowers.
    nonlending advisory services.

    The International Finance Corporation works        The Multilateral Investment Guarantee
    with business partners in the private sector and   Agency helps encourage foreign investment in
    invests in sustainable private enterprises in      developing countries by providing guarantees
    developing countries and provides long-term        to foreign investors and provides technical
    loans, guarantees, and risk management and         assistance to help countries disseminate
    advisory services.                                 information on investment opportunities.


Source: Bank Group entities’ 2002 annual reports.




The lending activities of the Bank Group can be grouped primarily into the
following two types: market-based lending primarily done by IBRD and
concessional lending primarily done by IDA.7 IBRD provides loans with
market-based rates that are financed primarily through borrowings from
world capital markets, members’ paid-in capital, and retained earnings.
Members also provide support through subscriptions of callable capital.8
Because of the significant proportion of callable capital that is subscribed
by members with strong credit ratings, including the United States, IBRD is
able to use callable capital as backing to obtain more favorable financing
terms when borrowing from world capital markets than would otherwise
be available. To date, IBRD has never made a call on this capital.

IDA provides concessional loans to the poorest of the developing
countries—those meeting certain eligibility requirements—and is financed
through contributions from member countries and borrower repayments of
outstanding loans. These loans are called “concessional” because they are
provided with below-market interest rates and extended repayment terms.




7
 IBRD and IDA are separate entities, but the term “World Bank” is commonly used to refer to
them as one.
8
 Callable capital is a form of capital that is subscribed by members and resembles
promissory notes from members to honor Bank Group debts if the Bank Group cannot meet
its obligations through other available resources.




Page 8                                                               GAO-03-366 World Bank Group
Due to the nature of concessional lending and the credit risks9 of borrower
countries, the concessional lending arms do not have callable capital
subscriptions and do not borrow from world capital markets to finance
their operations. Unlike IBRD, which borrows from world capital markets
to fund lending, IDA relies on capital replenishments or periodic
contributions by members in addition to repayments from loans and
transfers of net income from IBRD. As of June 30, 2002, the Bank Group
had outstanding loans of about $230 billion, and concessional loans
constituted 42 percent, or about $96 billion, of that total.

In 2002, the Bank Group entities approved about $24.4 billion of
development assistance consisting of loans, loan guarantees, and equity
investments for 466 new economic and social development operations and
projects. Loans with market-based interest rates, equity investments, and
loan guarantees accounted for about $16.3 billion of the total financial
support provided by the Bank Group during 2002, while concessional
lending amounted to about $8.1 billion. See table 1 for a summary of
development assistance in 2002 and number of new projects, by Bank
Group entity.



Table 1: Bank Group’s Development Assistance and New Projects in 2002

Dollars in millions
                                                                 Development             New
Bank Group entity                                                  assistance        projects
International Bank for Reconstruction and Development                  $11,500                96
International Development Association                                    8,100               133
International Finance Corporation                                        3,600               204
Multilateral Investment Guarantee Agency                                 1,200                33
Total                                                                  $24,400               466
Source: The World Bank Annual Report, 2002.


The Bank Group entities’ activities are overseen through a board of
governors, with a governor from each member country. In general, a board
of governors is responsible for admitting new members, authorizing
agreements for cooperation with other international organizations,

9
 Credit risk refers to the risk of default by a borrower or guarantor that may result from
nonperformance under the terms of lending agreements.




Page 9                                                        GAO-03-366 World Bank Group
deciding about the board of executive directors, approving the Bank Group
entities’ financial statements, determining the reserves and the distribution
of profits, and deciding the scope of operations. Each Bank Group entity
also has a board of executive directors, which is responsible for, among
other things, overseeing the banks’ daily operations, ensuring the
implementation of the decisions of the board of governors, and approving
the budgets of the banks. The Bank Group entities’ own management and
staff of international civil servants carry out the daily operations.

The United States is a member in all the Bank Group entities discussed in
this report, contributing significant amounts to support their missions and
subscribing to a significant amount of their callable capital. The Congress
appropriates funds for U.S. contributions and capital subscriptions to the
Bank Group. In fiscal year 2002, the Congress appropriated about
$800 million in U.S. contributions and approved about $20 million of new
subscriptions to callable capital for the Bank Group. The Department of the
Treasury oversees U.S. interests in the Bank Group. See table 2 for a
summary of U.S. support of about $58.7 billion provided to the components
of the Bank Group entities from their inception through June 30, 2002.



Table 2: U.S. Resources Provided to the Bank Group through June 30, 2002

Dollars in millions
                                                      U.S. paid-in
                                                        capital or   U.S. callable
Bank Group entity                                   contributions          capital
International Bank for Reconstruction and                  $1,998          $29,966
Development
International Development Association                      25,842                -
International Finance Corporation                             569                -
Multilateral Investment Guarantee Agency                       63             266
Total                                                     $28,472          $30,232
Source: Bank Group entities’ 2002 annual reports.


The Bank Group entities prepare their financial statements to comply with
different bases of accounting. They present their financial statements using
U.S. generally accepted accounting principles (U.S. GAAP), international
accounting standards (IAS), and special purpose basis of accounting, as
shown in table 3. According to the Bank Group, due to the special nature
and organization of the IDA, the concessional lending arm of the Bank



Page 10                                              GAO-03-366 World Bank Group
Group, it prepares special purpose financial statements that are meant to
show the sources and uses of resources to comply with its articles of
agreement.10



Table 3: Bank Group Entities’ Bases of Accounting and Auditing Standards

                                             Accounting standards
                                             used to prepare financial   Auditing standards used
Bank Group entity                            statements                  to perform audit work
International Bank for                       U.S. GAAP and IAS           U.S. Generally Accepted
Reconstruction and                                                       Auditing Standards (U.S.
Development                                                              GAAS) and International
                                                                         Standards on Auditing (ISA)
International Development                    Special Purpose Basis of    U.S. GAAS and ISA
Association                                  Accounting
International Finance                        U.S. GAAP                   U.S. GAAS
Corporation
Multilateral Investment                      U.S. GAAP and IAS           U.S. GAAS and ISA
Guarantee Agency
Source: Bank Group entities’ 2002 annual reports.


The Bank Group’s external auditor has audited the annual financial
statements of all the entities of the Bank Group. Each entity has received
an unqualified or “clean” audit opinion on its financial statements for the 3
most recent years. The Bank Group’s external financial statement audits,
performed by an international accounting firm, provide assurance over its
reported financial position at a particular time and the financial results of
its operations and cash flows for a given fiscal year. However, the Bank
Group’s external financial statement audits do not, and are not intended to,
provide specific assurance about the internal control over the Bank
Group’s operations and whether the funds are spent for their intended
purposes. Figure 2 shows the relationship between the Bank Group’s flow
of government funding and its external audit and reporting.




10
     Article VI, Section 11(a) of the Articles of Agreement of IDA.




Page 11                                                                  GAO-03-366 World Bank Group
Figure 2: Bank Group’s Flow of Government Funding and External Audit Reporting

                                                       Member
                                                     governments



                                                             $



                                                     Bank Group

                        External
                   audit process
                                                            $


      Normally disbursements to borrowers/end users below this line are in the hands of member
      governments, private contractors, or both. These disbursements are not specifically covered
                       by the Bank Group's financial statement audit processes.



        Audits                                          Technical
                            Infrastructure                                        Education
    performed                                          assistance                                          Projects
   by member                                                                                               and
  government                                                                                               programs
     or private                                                                                            in member
        sector                                                                                             countries
                                           Agriculture                 Health
      auditors



               Management makes an assertion and external auditor gives an opinion only on internal
               control over external financial reporting in conjunction with the financial statement audit.

Source: GAO analysis based on review of Bank Group documents and discussions with representatives of the international
financial and audit communities.



The Bank Group’s external auditor performs its audits based on U.S. GAAS
and ISA. These standards require the independent auditor to obtain a
sufficient understanding of internal control to plan the audit and determine
the nature, timing, and extent of tests to be performed. As part of the audits
of the Bank Group entities, the auditor communicates to the audit
committee any internal control material weaknesses and reportable
conditions that were noted during the course of the audit. As is common
practice, the auditor issues a written document known as a management
letter to communicate these weaknesses. The management letter addresses
issues detected as part of the financial statement audit work and




Page 12                                                                              GAO-03-366 World Bank Group
                       it is not meant to be a comprehensive examination of the sufficiency of the
                       Bank Group’s internal control.11



Bank Group Has Taken   Management of the Bank Group entities has acknowledged the importance
                       of internal control and has (1) implemented a structured internal control
Important Steps on     framework, (2) conducted the internal control assessments necessary to
Internal Control but   provide its external auditor with a formal assertion on the effectiveness of
                       the Bank Group’s internal control over external financial reporting, and
Reporting Could Be     (3) contracted with its external auditor to provide an opinion, in
Expanded               conjunction with the financial statement audits, on whether managements’
                       assertions on internal control over external financial reporting are fairly
                       stated.

                       For fiscal year 2002, the four Bank Group entities included in their annual
                       reports both management’s assertion that it met the Committee of
                       Sponsoring Organizations of the Treadway Commission (COSO)12 criteria
                       on internal control over external financial reporting as of June 30, 2002, and
                       the external auditor’s opinion that management’s assertion on internal
                       control over external financial reporting was fairly stated. However, Bank
                       Group management does not include in its assertion internal control over
                       operations and compliance with key provisions of bank charters and
                       policies, and it has not asked the external auditor to give opinions on those
                       internal controls.

                       Although the banks’ charters do not specifically call for a management
                       assertion or an external auditor opinion on internal control over operations
                       and compliance, they do state that the banks are to take the necessary
                       measures to ensure that the proceeds of any loan made, guaranteed, or


                       11
                         Private sector standards and guidance for financial statement audits do not require the
                       auditor to provide an opinion on the effectiveness of internal control when performing a
                       financial statement audit. Financial statement audits are not intended to provide a basis for
                       the evaluation of the overall quality of the entity’s system of internal control. Therefore, in a
                       typical financial statement audit, many controls designed to ensure the reliability of
                       financial reporting, effectiveness and efficiency of operations, and compliance with key
                       provisions of bank charters may not be tested.
                       12
                        COSO provides a framework designed to assist management in assessing its internal
                       control system against an established standard to help identify basic weaknesses in
                       operations, financial reporting, and legal/regulatory compliance controls and act to
                       strengthen them. See appendix I for a description of the five components of internal control
                       under the COSO framework.




                       Page 13                                                         GAO-03-366 World Bank Group
                         participated in by them are used only for the purposes for which the loan
                         was granted. Given the inherent risks in the banks’ activities, further
                         assurance on these additional categories of internal control—operations
                         and compliance—would provide an added level of assurance to the Bank
                         Group and its member countries that funds were used for their intended
                         purposes.



Bank Group Has Engaged   The Bank Group entities have acknowledged the importance of internal
an External Auditor to   control and have taken an important step in obtaining audit assurance over
                         internal control: They have engaged their external auditor to provide an
Provide Opinions on
                         opinion on management’s assertions on internal control over external
Internal Control over    financial reporting and have included those results in their 2002 annual
Financial Reporting      reports. This public reporting of the external auditor’s opinions on
                         management’s assertions provides a level of assurance on the Bank Group’s
                         ability to record, process, summarize and report financial data consistent
                         with the assertions in the financial statements as well as a level of
                         transparency to member countries and others outside the Bank Group.

                         The Bank Group—specifically through the controllers’ departments13—has
                         also taken steps internally to strengthen internal control. The World Bank,
                         beginning in 1995, adopted the internal control standards of COSO. The
                         Bank Group adopted the COSO framework to establish a common
                         definition of internal control and provide a standard that managers and
                         auditors can use to assess and measure progress in improving internal
                         control. Entities and their internal control needs differ dramatically by line
                         of business and size, and by culture and management philosophy. COSO
                         provides a framework for implementing a system of internal control, but
                         the specific internal controls put in place and monitored by management
                         depend on the type of operations to be managed and the associated risks.
                         See appendix I for a description of the five components of internal control
                         under the COSO framework.

                         Under the COSO framework, the effectiveness of internal control is
                         measured by an organization’s capacity to provide reasonable assurance in
                         the following three categories.



                         13
                          The controllers’ departments within IBRD, IDA, IFC, and MIGA oversee the internal
                         control framework and focus on financial integrity and control, financial reporting, and
                         monitoring.




                         Page 14                                                      GAO-03-366 World Bank Group
• Reliability of financial reporting: Financial reporting controls relate to
  an entity’s ability to prepare reliable financial statements.

• Effectiveness and efficiency of operations: Operations controls address
  the entity’s basic business objectives, including performance goals and
  the safeguarding of resources.

• Compliance with applicable laws and regulations: Compliance controls
  deal with the entity complying with those laws and regulations to which
  the entity is subject.

As shown in figure 3, under COSO, an organization is responsible for the
effectiveness of three categories of internal control.



Figure 3: Categories of Internal Control




                                                                                          Financial
                                                                                          reporting




             Internal control                     Categories of internal control         Operations




                                                                                         Compliance




Source: GAO analysis based on information from COSO.




Internal controls often serve to accomplish more than one objective.
Frequently, internal controls established primarily for operations or
compliance objectives may also accomplish financial reporting objectives.
Internal controls directed at operations and compliance also may deal with




Page 15                                                                       GAO-03-366 World Bank Group
                                events, transactions, or other occurrences that must be reported in the
                                financial statements. Internal control is not one event, but a series of
                                actions and activities occurring throughout an entity’s operations and on an
                                ongoing basis. As entities strive to improve operational processes,
                                management should continually assess and evaluate its internal control.
                                Monitoring—a process that assesses the quality of an internal control
                                system’s performance over time—is an essential element of internal control
                                and is particularly relevant for carrying out the fiduciary responsibilities
                                that are integral to the Bank Group’s operations.

                                Although current financial statement auditing standards established in the
                                private sector do not require the auditor to report on internal control and
                                compliance when performing a financial statement audit, the auditor can
                                be engaged to provide a level of assurance—called an attestation—on
                                internal control over operations and compliance.14 The Bank Group also
                                has other options for providing assurance over internal control over
                                operations and compliance. For example, the Bank Group could request a
                                comprehensive evaluation of its internal controls over these functions,
                                which could be conducted by its internal auditor, its external auditor, an
                                outside consultant, or by another unit within the Bank Group.



World Bank Units’               In its anticorruption progress report15 and operations evaluation report,16
Responsibilities for Internal   the World Bank states that many units provide internal control and
                                oversight over the use of World Bank funds in lending operations, including
Control and Oversight of
                                those shown in table 4.
Operations




                                14
                                 Attestation standards apply whenever the auditor has been engaged to provide assurance
                                or report on a subject matter that is the responsibility of another party. Certain
                                engagements, such as a financial statement audit, are not subject to attestation standards.
                                15
                                 World Bank, Helping Countries Combat Corruption: Progress at the World Bank Since
                                1997 (Washington, D.C., June 2000).
                                16
                                 World Bank Operations Evaluation Department, 2002 Annual Report on Operations
                                Evaluation (Washington, D.C., 2002).




                                Page 16                                                      GAO-03-366 World Bank Group
Table 4: World Bank Units Responsible for Internal Control and Oversight of
Operations

World Bank units                                     Function
Internal Auditing Department                         Performs audits to assess the integrity of the internal
                                                     controls of business processes, including those
                                                     associated with the project cycle.
Operations Evaluation Department Assesses which projects and programs work, and
                                 which do not; how a borrower plans to operate and
                                 maintain a project; and the lasting contribution to a
                                 country’s overall development.
Inspection Panel                                     Receives and investigates claims from project-
                                                     affected people alleging that they have been harmed
                                                     by the World Bank’s violations of its own policies and
                                                     procedures.
Quality Assurance Group                              Conducts real time assessments of the quality of the
                                                     project portfolio, including supervision, financial
                                                     management, and monitoring and evaluation.
Quality Assurance and                                Seeks to improve compliance with safeguard
Compliance Unit                                      policies.
Loan Department                                      Reviews and signs off on the financial management
                                                     and disbursement aspects of loan agreements.
Legal Department                                     Drafts loan agreements; reviews and clears
                                                     compliance with legal aspects of World Bank
                                                     policies; and reviews the adequacy of the legal
                                                     framework for project implementation.
Operations Policy and Country                        Provides advice and support on preparing and
Services                                             implementing lending and nonlending operations
                                                     and managing portfolios, including oversight of the
                                                     World Bank’s procurement and financial
                                                     management functions and guidelines that govern
                                                     lending relationships and conditions.
Corporate Committee on Fraud                         Seeks to ensure that anticorruption policies and
and Corruption Policy                                implementation strategies are designed and effective
                                                     to help the Bank Group achieve its poverty reduction
                                                     goals.
Department of Institutional                          Investigates allegations of fraud and corruption in
Integrity                                            World Bank financed projects and allegations of staff
                                                     misconduct.
Source: World Bank’s reports on anticorruption, 2000, and operations, 2002.


The World Bank states that the above units have taken on new and
broadened functions for quality assurance and evaluation over the past
several years and have strengthened its ability to supervise the fiduciary
aspects of its loans and help borrowers—some perceived to have the worst
corruption problems in the world as shown in appendix II—strengthen



Page 17                                                                       GAO-03-366 World Bank Group
                            their own capacities. The above units are an important part of the World
                            Bank’s internal control over operations and compliance. Although it was
                            not part of our scope to evaluate the effectiveness of these units, or any
                            similar units in IFC and MIGA, they have the potential of providing the
                            basis for the Bank Group to offer further assurance and transparency on its
                            internal controls. For example, the Bank Group’s internal or external
                            auditor, or other group or entity, internal or external to the Bank Group,
                            could provide a comprehensive evaluation of the Bank Group’s control
                            over operations and compliance to determine whether they are working as
                            designed to ensure that funds are spent as intended. In 1995, the World
                            Bank established a 5-year timeline to ensure that, by the end of fiscal year
                            2000, management would be able to express assurance that adequate
                            controls were in place, not only for financial reporting purposes, but also
                            for efficiency and effectiveness of operations. The World Bank has not yet
                            met that goal. During our review, we were told that the Bank Group does
                            not yet have plans to have a comprehensive assessment of these controls.



Bank Group Could Benefit    Because the Bank Group entities operate in a difficult and risky control
from Additional Assurance   environment, the member countries could benefit from additional
                            assurance over the Bank Group entities’ internal control over operations
on Internal Control over
                            and compliance with key provisions of their charters. The Bank Group
Operations and Compliance   operates in countries where transparency and accountability are often
                            lacking, and corruption—broadly defined as the abuse of public office for
                            private gain—sometimes flourishes. The Bank Group must satisfy its dual
                            mandate of providing development assistance in these environments and
                            exercising its fiduciary responsibility, including ensuring that corruption is
                            minimized in the projects it finances.

                            The World Bank acknowledged in an anticorruption progress report17 that
                            corruption undermines public support for development assistance by
                            creating an erroneous perception that all assistance is affected by
                            corruption. In this report, the World Bank stated that it would make every
                            effort to prevent corruption in the projects and programs it finances in
                            borrower countries. The report also showed the control and oversight units
                            the World Bank established to improve the operational effectiveness of its
                            procurement and financial management practices. However, the Bank
                            Group has not taken steps to provide additional assurance and


                            17
                                 See Helping Countries Combat Corruption.




                            Page 18                                             GAO-03-366 World Bank Group
transparency that its funds are being used as intended by requiring a
comprehensive assessment of controls over operations and compliance.

In addition, the World Bank in its report Clean Government and Public
Financial Accountability18 acknowledged that borrower countries’
government and external auditors are unable to give the World Bank
sufficient assurance that World Bank funds were exclusively used for
intended purposes. Risks that Bank Group funds are used for purposes
other than those for which loans were granted—whether for concessional
or market-based loans—could be mitigated through effective
implementation and evaluation of internal controls over operations and
compliance.

The Bank Group’s system of internal control, adopted under the COSO
framework, could facilitate a comprehensive assessment of internal
controls over operations and compliance designed to uncover any material
internal control weaknesses in operations and compliance that need to be
corrected. A comprehensive evaluation of these controls could also
provide additional credibility to the Bank Group’s (1) internal evaluation
reporting system and (2) commitment to provide funds only to those who
use the funds for intended purposes. Such an assessment would provide
additional assurance to both the Bank Group and its member countries
over the use of funds and could be accomplished in one of several ways: (1)
through the Bank Group’s internal audit function, (2) by the external
auditor, in conjunction with its financial statement audit, giving an opinion
on whether management’s assertions on internal controls over operations
and compliance are fairly stated, (3) by another entity within the Bank
Group, or (4) by another external entity, such as a consultant.

Such an assessment would include identifying the specific elements of the
COSO criteria that are objective, measurable, and relevant to use in
assessing the reasonableness of internal control over operations and key
charter provisions to be included in a review of compliance controls and to
define what would constitute compliance with those key provisions of
bank charters. After these significant issues are addressed, Bank Group
management would be able to comprehensively document and assess the
key controls identified and subsequently provide its assertions on the
effectiveness of those controls.


18
 World Bank Operations Evaluation Department, Clean Government and Public Financial
Accountability, OED Working Paper Series No. 17, (Washington, D.C., Summer 2000).




Page 19                                                GAO-03-366 World Bank Group
Bank Group Has          The Bank Group’s board of executive directors has appointed an audit
                        committee to provide, on its behalf, oversight on matters such as the
Established an Audit    effectiveness of financial policies and reporting; various aspects of
Committee That          financial, business, operating, and reputational risks; and internal control
                        in the Bank Group entities.19 The Bank Group’s audit committee has a
Provides Oversight of   purpose, scope, and operating principles congruent with those customarily
Financial Reporting     established for audit committees. A major function of the Bank Group’s
and Internal Control    audit committee is to nominate an external auditor to conduct audits of the
                        Bank Group’s financial statements and determine the scope of the auditors’
                        work and the reports to be submitted by the auditors.

                        The information provided by the Bank Group on the functions of its audit
                        committee indicated that the audit committee’s terms of reference included
                        responsibilities such as those listed in table 5.



                        Table 5: Audit Committee Responsibilities

                        Area                              Responsibility
                        Financial policies and reporting Reviewing financial policies and other matters having a
                                                         significant bearing on financial reporting including
                                                         policies on financial sustainability, credit risks, as well
                                                         as the integrity of financial reporting and risk
                                                         management processes.
                        Independent external audit        Submitting to the executive directors the nomination of
                                                          a firm of private independent internationally established
                                                          auditors to audit the Bank Group entities’ financial
                                                          statements; reviewing with the external auditors the
                                                          scope, design, and results of their examinations; and
                                                          discussing their opinion on the financial statements
                                                          prior to the release of the annual financial statements
                                                          and inviting the auditors’ recommendations regarding
                                                          internal control and other matters.




                        19
                         In addition to the audit committee, the Bank Group has a Multilateral Audit Advisory
                        Group that is tasked with advising the audit committee on audit requests by Supreme Audit
                        Institutions, such as GAO, assessing compliance with the agreed terms of reference for the
                        audit, assessing adherence to the agreed ground rules, and providing objective comment on
                        the resulting audit reports.




                        Page 20                                                       GAO-03-366 World Bank Group
(Continued From Previous Page)
Area                                            Responsibility
Internal audit                                  Overseeing and assessing the effectiveness of the
                                                Bank Group entities’ internal control and satisfying itself
                                                that the Bank Group entities’ internal audit is adequate,
                                                effective, and efficient. Periodically reviewing the
                                                guidelines, work programs, and budget for the office to
                                                help ensure a strong and independent audit function.
Risk management                                 Focusing primarily on financial and operational risks as
                                                it coordinates with other board committees that exercise
                                                oversight of other risks and consulting with various
                                                officers of the Bank Group.
Operating principles                            Advising the board on other issues relating to the
                                                financial position, controls, and risk management
                                                environment, including reviewing the Bank Group’s
                                                mechanisms for avoiding fraud.
Source: Audit Committee’s Terms of Reference.


Information provided to us by the Bank Group indicates that the Bank
Group entities’ audit committee was actively involved with the external
auditor during its financial statement audits. Audit committee activities
with the external auditor included communications about internal control
recommendations, discussions on management’s COSO assertion on
internal control over external financial reporting, the external auditor’s
opinion on management’s assertion, and considerations on the external
auditor’s conclusions on the appropriateness of accounting principles. The
information also showed that the audit committee kept current with the
work of the internal auditor.

The audit committee has a particularly important role to play in assuring
fair presentation and appropriate accountability in connection with
financial reporting, internal control, compliance and related matters. An
effective audit committee facilitates the successful performance of the
board of executive directors’ oversight responsibilities for financial
operations and is an independent safeguard on corporate management with
respect to its responsibilities for preparing financial statements and
implementing an internal control framework.

The Bank Group’s audit committee currently has the external auditor
provide an opinion on management’s assertion on the Bank Group’s
internal control over external financial reporting. The audit committee has
not asked the Bank Group entities’ external auditor to provide assurance
on internal control over operations or compliance. The audit committee
has the authority, as part of determining the scope of the auditor’s work, to
expand and strengthen the Bank Group entities’ internal control reporting



Page 21                                                                     GAO-03-366 World Bank Group
                      processes by requesting the external auditor to give an opinion on internal
                      control over operations and compliance matters once management decides
                      such reporting is appropriate. A key step in this process is for management
                      to first apply the scope of COSO to its controls over operations and
                      compliance and to develop the appropriate criteria to assert on internal
                      control over operations and compliance matters. The audit committee
                      could then have the external auditor to provide an opinion on
                      management’s assertions over those controls using the criteria specified by
                      management.

                      Alternatively, the audit committee could work with the internal and
                      external auditors, other entities within the Bank Group, or an external
                      party to conduct a comprehensive evaluation of internal controls over
                      operations and compliance to determine whether such controls are in place
                      and are functioning properly to prevent misuse of funds and to ensure
                      compliance with key provisions of bank charters and policies.



Conclusions           The Bank Group has taken important steps in strengthening its assessment
                      and reporting on internal control by performing the internal control
                      assessments necessary to provide an assertion on internal control over
                      external financial reporting and having its external auditor give an opinion
                      on that assertion. At the same time, Bank Group management does not
                      include in its assertion internal control over operations and compliance
                      with key charter provisions, and it has not asked the external auditor or
                      any other organization, internal or external, to provide a comprehensive
                      evaluation of its controls over these areas. The assurance that such an
                      assessment can provide through reporting on internal control over
                      operations and compliance is especially important given the operating risks
                      inherent in the Bank Group’s activities. The audit committee is well-
                      positioned to assign an internal party or provide an external entity the task
                      of providing a thorough assessment of such controls. This additional
                      assurance would strengthen the Bank Group’s accountability and enhance
                      member country assurance that funds are spent as intended.



Recommendations for   We recommend that the Secretary of the Treasury instruct the U.S.
                      Executive Director of the Bank Group to take the lead in working with the
Executive Action      other executive directors in developing a policy requiring the Bank Group
                      entities to enhance the audit function and reporting of their financial
                      operations. This would entail (1) conducting a comprehensive evaluation



                      Page 22                                            GAO-03-366 World Bank Group
                      of internal controls over operations and compliance to determine whether
                      such controls are in place and are functioning properly to prevent misuse
                      of funds and to ensure compliance with key provisions of bank charters
                      and policies and (2) reporting annually to the board of executive directors
                      through the audit committee on the progress made. This evaluation could
                      be carried out in any of several ways, including through the internal audit
                      function; by the external auditor, in conjunction with the financial
                      statement audit; by another entity within the Bank Group; or by an external
                      party, such as a consultant. These Bank Group entities should also provide
                      the results of the assessment to member countries annually.



Agency Comments and   We received written comments from the Office of the President of the
                      World Bank, which represented the official response of the World Bank
Our Evaluation        Group. We also received written comments from the Deputy Assistant
                      Secretary for Multilateral Development Banks and Specialized
                      Development Institutions at the Department of the Treasury, the agency
                      that represents the United States at the World Bank Group. These
                      comments are reprinted in their entirety in appendixes III and IV.

                      In its comments, the World Bank Group welcomed our recommendation
                      for a comprehensive assessment of internal controls over operations and
                      compliance with bank charters and policies but did not comment on our
                      recommendation that such evaluations be conducted annually. The Bank
                      Group stated that given the many reforms it has underway to strengthen its
                      control framework, an assessment of internal control over operations and
                      compliance would be most useful if undertaken once the range of changes
                      over those controls is substantially in place. We agree that effective timing
                      for implementing our recommendation would coincide with the Bank
                      Group’s implementation of reforms. It added that such changes are
                      expected to be complete in about 18 to 24 months.

                      While Treasury also agreed with our recommendation for a comprehensive
                      evaluation of internal controls over operations and compliance, it did not
                      agree that the Bank Group should follow this initial assessment with annual
                      evaluations. It acknowledged that periodic updates would be reasonable
                      but characterized annual evaluations as excessive and unnecessary based
                      on its view that the overall structure of internal controls changes
                      infrequently and usually only marginally.

                      Given the inherent risks in the Bank Group entities’ lending activities, we
                      remain convinced that the Bank Group should report annually on all three



                      Page 23                                            GAO-03-366 World Bank Group
categories of internal control—financial reporting, operations, and
compliance. Under the COSO framework, effective internal control is an
essential aspect of managing shifting environments and evolving demands
and priorities. Internal control is not one event, but a series of actions and
activities occurring throughout an entity’s operations and on an ongoing
basis. As entities strive to improve operational processes, management
should continually assess and evaluate its internal control. Monitoring—a
process that assesses the quality of an internal control system’s
performance over time—is an essential element of internal control and is
particularly relevant for carrying out the fiduciary responsibilities that are
integral to the Bank Group’s operations. Annual reporting on internal
control is now common practice both in the public and private sector and is
often performed in conjunction with annual financial statement audits.

Treasury pointed out that our draft report documents the sufficiency of the
Bank Group’s current external audits. Although our report provides
information about the results of the external financial statement audits at
the Bank Group, our report also makes it clear that, by design, the objective
of a financial statement audit is not to provide assurance on internal
control. The current financial statement audits cover only the banks’
financial position at a point in time and the financial results of operations
and cash flows for a given fiscal year. Given that the Bank Group’s external
auditor’s opinion on internal control extends only to management’s
assertions on the effectiveness of internal control over external financial
reporting, many facets of internal control would not be covered. The scope
of the financial statement audits of the Bank Group entities and the
separate assessment of controls over external financial reporting are not
intended to and do not provide specific assurance about the effectiveness
of the internal control over operations and compliance with bank charters
and key policies.

Considering the Bank Group’s reforms to strengthen internal control over
operations and compliance, we emphasize the need for annual assessments
of those controls. As acknowledged in comments from the Bank Group,
internal control is a “dynamic process,” and reforms are under way in the
Bank Group to strengthen its control framework. As the Bank Group
develops and institutes these reforms, monitoring is needed to help ensure
that controls are functioning as intended in preventing misuse of funds and
ensuring compliance with key provisions of bank charters and policies.
Annual reporting to provide accountability and transparency over lending,
equity investment, and guarantee operations carries additional importance
for the Bank Group because the international organization’s mission



Page 24                                             GAO-03-366 World Bank Group
requires it, as stated in its comments, “to be active in countries where
controls are weak.” As acknowledged by the Bank Group, “monitoring
exposure against defined benchmarks” is one of several changes that will
provide the banks with “significantly improved controls over lending,
equity investment, and guarantee operations.” As stated in our
recommendations, the evaluation and reporting on internal control over
operations and compliance could be carried out in several ways, including
through the internal audit function; by the external auditor, in conjunction
with the financial statement audit; by another entity within the Bank
Group; or by an external party, such as a consultant.


We are sending copies of this report to the Secretary of the Treasury, the
president of the World Bank Group, and other interested parties. Copies
will be made available to others upon request. In addition, the report will be
available at no charge on the GAO Web site at http://www.gao.gov.

Please contact me at (202) 512-9406 or by email at franzelj@gao.gov if you
or your staffs have any questions concerning this report. Key contributors
to this report were Charles Norfleet, Meg Mills, and Maxine Hattery.




Jeanette M. Franzel
Director
Financial Management and Assurance




Page 25                                             GAO-03-366 World Bank Group
Congressional Committees

The Honorable Richard G. Lugar
Chairman
The Honorable Joseph R. Biden, Jr.
Ranking Minority Member
Committee on Foreign Relations
United States Senate

The Honorable Ted Stevens
Chairman
The Honorable Robert C. Byrd
Ranking Minority Member
Committee on Appropriations
United States Senate

The Honorable Mitch McConnell
Chairman
The Honorable Patrick J. Leahy
Ranking Minority Member
Subcommittee on Foreign Operations
Committee on Appropriations
United States Senate

The Honorable Michael G. Oxley
Chairman
The Honorable Barney Frank
Ranking Minority Member
Committee on Financial Services
House of Representatives

The Honorable Peter T. King
Chairman
The Honorable Carolyn B. Maloney
Ranking Minority Member
Subcommittee on Domestic and International Monetary
 Policy, Trade and Technology
Committee on Financial Services
House of Representatives

The Honorable C.W. Bill Young
Chairman



Page 26                                      GAO-03-366 World Bank Group
The Honorable David Obey
Ranking Minority Member
Committee on Appropriations
House of Representatives

The Honorable Jim Kolbe
Chairman
The Honorable Nita M. Lowey
Ranking Minority Member
Subcommittee for Foreign Operations, Export
 Financing, and Related Programs
Committee on Appropriations
House of Representatives




Page 27                                       GAO-03-366 World Bank Group
Appendix I

Components of Internal Control under COSO                                                     A
                                                                                              A
                                                                                              ppp
                                                                                                enen
                                                                                                   d
                                                                                                   xIeis




              The World Bank, beginning in 1995, adopted the Committee of Sponsoring
              Organizations of the Treadway Commission (COSO) internal control
              framework. Under the COSO framework, there are five interrelated
              components of internal control that define the minimum level of quality
              acceptable for internal control in an organization and provide the basis
              against which internal control is to be evaluated. The five components are
              used as the criteria to evaluate the strengths and weaknesses of the internal
              controls and to identify actions that can be taken to improve controls. All
              five components must be present and effective in order for management to
              have reasonable assurance that risks are managed to ensure the
              achievement of the organization’s objectives. At the Bank Group,
              management is responsible for developing the detailed policies,
              procedures, and practices to fit its organization’s operations and to ensure
              that they are built into and are an integral part of its operations. The five
              internal control components, which apply to all aspects of an organization’s
              operations, including programmatic, financial, and compliance, include the
              following:

              Control environment. The control environment reflects management’s
              commitment and attitude to the implementation and maintenance of an
              effective internal control structure. The control environment which
              management promulgates through the organization will strongly influence
              the design and operation of control policies and procedures. It will also
              determine how effective they are in mitigating risks and achieving
              objectives.

              Risk assessment. All organizations, regardless of size or nature, encounter
              some form of risk that can adversely impact the achievement of its
              objectives. Assessing risk is a major component of an effective control
              structure. It involves the identification, analysis, assessment, and
              prioritization of risks that need to be treated by control activities.

              Control activities. Control activities are the tailored policies and
              procedures that ensure (1) the mitigation of risks, (2) irregularities are
              prevented or detected and corrected, (3) assets are safeguarded from
              unauthorized use or disposal, and (4) financial records and other relevant
              databases are complete and accurately reflect the entire operational
              activities of the organization, and assist in timely preparation of accurate
              financial statements.




              Page 28                                            GAO-03-366 World Bank Group
Appendix I
Components of Internal Control under COSO




Information and communication. Information and communication are
critical for performance reporting, decision making, both within the
organization and externally, and the achievement of strategic objectives.

Monitoring. Monitoring is the final component of an effective internal
control structure and is closely linked to information and communication.
In addition to performance monitoring, the effectiveness of the control
structure itself also needs to be monitored and reviewed. Control
monitoring can be undertaken in two ways, by ongoing monitoring and by
separate reviews and evaluations.




Page 29                                           GAO-03-366 World Bank Group
Appendix II

Transparency International’s 2002 Corruption
Perception Index                                                                             AppenIx
                                                                                                   di




               Transparency International is an organization dedicated to curbing both
               international and national corruption. Transparency International launched
               its Corruption Perception Index (CPI) in 1995. The CPI is a collection of
               polls, drawing on 15 surveys from 9 independent sources for its 2002
               results. The goal of the CPI is to provide data on extensive perceptions of
               corruption within countries. The 2002 CPI shows that the Bank Group
               entities function in environments that are perceived to have high levels of
               corruption, underscoring the importance of internal control over
               operations and compliance within the Bank Group entities that are
               providing loans to those countries.

               The CPI serves as an important indicator of the image a country conveys to
               investors and potential business partners. Because the CPI is derived from
               15 different surveys that garner the perceptions of both residents and
               expatriates, both business people and risk analysts, the index provides a
               snapshot of the views of the people who make key decisions on investment
               and trade. The CPI builds public awareness of the corruption issue, and it
               adds to pressure on governments to directly address the issue and the
               damaged image of their nation that low rankings in the CPI reflect.

               The CPI is a composite index that consists of credible sources using
               diverse sampling frames and different methodologies, including one used
               by the World Bank. The methodology is reviewed by a steering committee
               consisting of leading international experts in the fields of corruption,
               econometrics, and statistics. Members of the steering committee make
               suggestions to improve the CPI, but the management of Transparency
               International makes the final decisions on the methodology used. For the
               2002 CPI, data was included from the following organizations’ surveys and
               documents:

               • World Bank, World Business Environment Survey;

               • World Economic Forum, Africa Competitiveness and Global
                 Competitiveness Reports;

               • Institute for Management Development, World Competitiveness
                 Yearbook;

               • PricewaterhouseCoopers, Opacity Index;

               • Political & Economic Risk Consultancy, Asian Intelligence Issue;




               Page 30                                           GAO-03-366 World Bank Group
Appendix II
Transparency International’s 2002
Corruption Perception Index




• Economist Intelligence Unit, Country Risk Service and Country
  Forecast;

• Freedom House, Nations in Transit;

• Gallup International on behalf of Transparency International, Bribe
  Payers Index; and

• Columbia University, State Capacity Survey.

No country was included in the CPI without results from a minimum of
three surveys undertaken over the past 3 years. For this reason, not all
countries with high levels of corruption may have been added. Figure 4
includes the borrower countries by region.




Page 31                                           GAO-03-366 World Bank Group
Appendix II
Transparency International’s 2002
Corruption Perception Index




Figure 4: Countries Included in Transparency International’s 2002 CPI


                Africa                                  South Asia                                      Other
      Country              CPI                   Country                      CPI            Country            CPI
      Nigeria              1.6                   Bangladesh                   1.2            Greece             4.2
      Angola               1.7                   Pakistan                     2.6            Italy              5.2
      Madagascar           1.7                   India                        2.7            Taiwan             5.6
      Kenya                1.9                   Sri Lanka                    3.7            France             6.3
      Uganda               2.1                                                               Portugal           6.3
      Cameroon             2.2                     East Asia and Pacific                     Ireland            6.9
      Zambia               2.6                   Country                      CPI            Belgium            7.1
      Cote d'Ivoire        2.7                   Indonesia                    1.9            Japan              7.1
      Tanzania             2.7                   Vietnam                      2.4            Spain              7.1
      Zimbabwe             2.7                   Philippines                  2.6            Germany            7.3
      Malawi               2.9                   Thailand                     3.2            Israel             7.3
      Senegal              3.1                   China                        3.5            USA                7.7
      Ethiopia             3.5                   Korea, Republic of           4.5            Austria            7.8
      Ghana                3.9                   Malaysia                     4.9            Hong Kong          8.2
      Mauritius            4.5                                                               Norway             8.5
                                                 Europe and Central Asia
      South Africa         4.8                                                               Switzerland        8.5
      Namibia              5.7                   Country                      CPI            Austrailia         8.6
      Botswana             6.4                   Azerbaijan                   2.0            United Kingdom     8.7
            Middle East                          Moldova                      2.1            Canada             9.0
          and North Africa                       Kazakhstan                   2.3            Luxembourg         9.0
      Country              CPI                   Georgia                      2.4            Netherlands        9.0
      Egypt                3.4                   Ukraine                      2.4            Singapore          9.3
      Morocco              3.7                   Albania                      2.5            Sweden             9.3
      Jordan               4.5                   Romania                      2.6            Iceland            9.4
      Tunisia              4.8                   Russian Federation           2.7            Denmark            9.5
                                                 Uzbekistan                   2.9            New Zealand        9.5
       Latin America and the                     Turkey                       3.2            Finland            9.7
              Caribbean
                                                 Czech Republic               3.7
      Country                      CPI           Latvia                       3.7
      Paraguay                     1.7           Slovak Republic              3.7
      Bolivia                      2.2           Croatia                      3.8
      Ecuador                      2.2           Bulgaria                     4.0
      Haiti                        2.2           Poland                       4.0
      Guatemala                    2.5           Belarus                      4.8
      Nicaragua                    2.5           Lithuania                    4.8
      Venezuela                    2.5           Hungary                      4.9
      Honduras                     2.7           Estonia                      5.6
      Argentina                    2.8           Slovenia                     6.0
      Panama                       3.0
      El Salvador                  3.4
      Dominican Republic           3.5
      Colombia                     3.6                        Corruption Perception Index (CPI)
      Mexico                       3.6                           0                                     10
      Brazil                       4.0
      Jamaica                      4.0
      Peru                         4.0                       Corrupt                             Transparent
      Costa Rica                   4.5
      Trinidad and Tobago          4.9
      Uruguay                      5.1
      Chile                        7.5
Source: The World Bank's 2002 annual report and the countries' CPI score from Transparency International.




Page 32                                                                                 GAO-03-366 World Bank Group
Appendix III

Comments from the World Bank Group                       Appen
                                                             Ix
                                                              di




               Page 33         GAO-03-366 World Bank Group
Appendix III
Comments from the World Bank Group




Page 34                              GAO-03-366 World Bank Group
Appendix III
Comments from the World Bank Group




Page 35                              GAO-03-366 World Bank Group
Appendix IV

Comments from the Department of the
Treasury                                                  Appen
                                                              V
                                                              Ix
                                                               di




              Page 36           GAO-03-366 World Bank Group
Appendix IV
Comments from the Department of the
Treasury




Page 37                               GAO-03-366 World Bank Group
           Appendix IV
           Comments from the Department of the
           Treasury




(194069)   Page 38                               GAO-03-366 World Bank Group
GAO’s Mission            The General Accounting Office, the audit, evaluation and investigative arm of
                         Congress, exists to support Congress in meeting its constitutional responsibilities
                         and to help improve the performance and accountability of the federal government
                         for the American people. GAO examines the use of public funds; evaluates federal
                         programs and policies; and provides analyses, recommendations, and other
                         assistance to help Congress make informed oversight, policy, and funding
                         decisions. GAO’s commitment to good government is reflected in its core values of
                         accountability, integrity, and reliability.


Obtaining Copies of      The fastest and easiest way to obtain copies of GAO documents at no cost is
                         through the Internet. GAO’s Web site (www.gao.gov) contains abstracts and full-
GAO Reports and          text files of current reports and testimony and an expanding archive of older
                         products. The Web site features a search engine to help you locate documents
Testimony                using key words and phrases. You can print these documents in their entirety,
                         including charts and other graphics.
                         Each day, GAO issues a list of newly released reports, testimony, and
                         correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site
                         daily. The list contains links to the full-text document files. To have GAO e-mail this
                         list to you every afternoon, go to www.gao.gov and select “Subscribe to GAO
                         Mailing Lists” under “Order GAO Products” heading.


Order by Mail or Phone   The first copy of each printed report is free. Additional copies are $2 each. A check
                         or money order should be made out to the Superintendent of Documents. GAO
                         also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single
                         address are discounted 25 percent. Orders should be sent to:
                         U.S. General Accounting Office
                         441 G Street NW, Room LM
                         Washington, D.C. 20548
                         To order by Phone:     Voice: (202) 512-6000
                                                TDD: (202) 512-2537
                                                Fax: (202) 512-6061


To Report Fraud,         Contact:
                         Web site: www.gao.gov/fraudnet/fraudnet.htm
Waste, and Abuse in      E-mail: fraudnet@gao.gov
Federal Programs         Automated answering system: (800) 424-5454 or (202) 512-7470



Public Affairs           Jeff Nelligan, Managing Director, NelliganJ@gao.gov (202) 512-4800
                         U.S. General Accounting Office, 441 G Street NW, Room 7149
                         Washington, D.C. 20548
United States                  Presorted Standard
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Service Requested