World Bank Group
Important Steps Taken on Internal Control but Additional Assessments Should Be Made
Gao ID: GAO-03-366 June 16, 2003
The Congress passed Public Law 106-429 because it was concerned about the sufficiency of external audits of the financial operations of the World Bank Group, a set of multilateral development banks. This law provides that GAO report on the sufficiency of such audits of each Bank Group entity. GAO addressed (1) the extent that the external auditor was providing assurance on internal control over financial reporting, operations, and compliance with key provisions of bank charters and policies in conjunction with financial statement audits and (2) the role the Bank Group's audit committee plays in providing oversight of external financial statement audits and internal control.
The Bank Group has taken important steps in strengthening its assessment and reporting on internal control, including (1) implementing a structured internal control framework, (2) conducting the internal control assessments necessary to provide its external auditor with an assertion about the effectiveness of the Bank Group's internal control over external financial reporting, and (3) contracting with its external auditor to provide an opinion, in conjunction with the financial statement audit, on whether management's assertion on internal control over external financial reporting is fairly stated. However, Bank Group management does not include an assertion on internal control over operations and compliance matters, and it has not asked the external auditor to give an opinion on those internal controls. During our review, we were told that the Bank Group does not yet have plans to conduct a comprehensive assessment of those controls. The Bank Group's external financial statement audits do not, and are not intended to, provide specific assurance about the internal control over the Bank Group's operations and whether the funds are spent for their intended purposes. Given the inherent risks in the banks' activities, additional assurance on these other categories of internal control--operations and compliance--would provide an added level of assurance to the Bank Group and its member countries that funds were used for their intended purposes. The Bank Group has established an audit committee that provides oversight of external financial statement audits and internal control. A major function of the committee is to nominate an external auditor and determine the scope of the auditor's work and the reports to be submitted by the auditor. The audit committee also has the external auditor give an opinion, in conjunction with the financial statement audit, on management's assertion on the Bank Group's internal control over external financial reporting. The audit committee has the authority to expand the external audits to include the auditor giving opinions on internal control over operations and compliance matters. Alternatively, the audit committee is also well-positioned to assign to an internal party or provide an external party the task of providing a thorough assessment of such controls.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-03-366, World Bank Group: Important Steps Taken on Internal Control but Additional Assessments Should Be Made
This is the accessible text file for GAO report number GAO-03-366
entitled 'World Bank Group: Important Steps Taken on Internal Control
but Additional Assessments Should Be Made' which was released on June
16, 2003.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
June 2003:
World Bank Group:
Important Steps Taken on Internal Control but Additional Assessments
Should Be Made:
GAO-03-366:
GAO Highlights:
Highlights of GAO-03-366, a report to Congressional Committees
Why GAO Did This Study:
The Congress passed Public Law 106-429 because it was concerned about
the sufficiency of external audits of the financial operations of the
World Bank Group, a set of multilateral development banks. This law
provides that GAO report on the sufficiency of such audits of each
Bank Group entity. As agreed with your offices, GAO addressed (1) the
extent that the external auditor was providing assurance on internal
control over financial reporting, operations, and compliance with key
provisions of bank charters and policies in conjunction with financial
statement audits and (2) the role the Bank Group‘s audit committee
plays in providing oversight of external financial statement audits
and internal control.
What GAO Found:
The Bank Group has taken important steps in strengthening its
assessment and reporting on internal control, including (1)
implementing a structured internal control framework, (2) conducting
the internal control assessments necessary to provide its external
auditor with an assertion about the effectiveness of the Bank Group‘s
internal control over external financial reporting, and (3)
contracting with its external auditor to provide an opinion, in
conjunction with the financial statement audit, on whether
management‘s assertion on internal control over external financial
reporting is fairly stated. However, Bank Group management does not
include an assertion on internal control over operations and
compliance matters, and it has not asked the external auditor to give
an opinion on those internal controls. During our review, we were told
that the Bank Group does not yet have plans to conduct a comprehensive
assessment of those controls. The Bank Group‘s external financial
statement audits do not, and are not intended to, provide specific
assurance about the internal control over the Bank Group‘s operations
and whether the funds are spent for their intended purposes. Given the
inherent risks in the banks‘ activities, additional assurance on these
other categories of internal control”operations and compliance”would
provide an added level of assurance to the Bank Group and its member
countries that funds were used for their intended purposes.
The Bank Group has established an audit committee that provides
oversight of external financial statement audits and internal control.
A major function of the committee is to nominate an external auditor
and determine the scope of the auditor‘s work and the reports to be
submitted by the auditor. The audit committee also has the external
auditor give an opinion, in conjunction with the financial statement
audit, on management‘s assertion on the Bank Group‘s internal control
over external financial reporting. The audit committee has the
authority to expand the external audits to include the auditor giving
opinions on internal control over operations and compliance matters.
Alternatively, the audit committee is also well-positioned to assign
to an internal party or provide an external party the task of
providing a thorough assessment of such controls.
What GAO Recommends:
To provide greater assurance that the Bank Group‘s funds are spent as
intended, GAO is making recommendations for a comprehensive assessment
of internal control over operations and compliance matters and annual
evaluations of such controls.
The Bank Group and the U.S. Treasury Department agreed on the need for
a comprehensive assessment of those controls. Treasury did not agree
that annual evaluations should be done and the Bank Group, which has
reforms on those controls underway, made no comment on timing. We
continue to believe that such annual evaluations are necessary.
www.gao.gov/cgi-bin/getrpt?GAO-03-366.
To view the full report, including the scope and methodology, click on
the link above. For more information, contact Jeanette Franzel at
(202) 512-9406 or franzelj@gao.gov.
[End of section]
Letter:
Results in Brief:
Scope and Methodology:
Background:
Bank Group Has Taken Important Steps on Internal Control but Reporting
Could Be Expanded:
Bank Group Has Established an Audit Committee That Provides Oversight
of Financial Reporting and Internal Control:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Components of Internal Control under COSO:
Appendix II: Transparency International‘s 2002 Corruption Perception
Index:
Appendix III: Comments from the World Bank Group:
Appendix IV: Comments from the Department of the Treasury:
Tables:
Table 1: Bank Group‘s Development Assistance and New Projects in 2002:
Table 2: U.S. Resources Provided to the Bank Group through June 30,
2002:
Table 3: Bank Group Entities‘ Bases of Accounting and Auditing
Standards:
Table 4: World Bank Units Responsible for Internal Control and
Oversight of Operations:
Table 5: Audit Committee Responsibilities:
Figures:
Figure 1: Bank Group‘s Components and Functions:
Figure 2: Bank Group‘s Flow of Government Funding and External
Audit Reporting:
Figure 3: Categories of Internal Control:
Figure 4: Countries Included in Transparency International‘s 2002
CPI:
Abbreviations:
COSO: Committee of Sponsoring Organizations of the Treadway Commission:
CPI: Corruption Perception Index:
IAS: International Accounting Standards:
IBRD: International Bank for Reconstruction and Development:
IDA: International Development Association:
IFC: International Finance Corporation:
ISA: International Standards on Auditing :
MDB: Multilateral Development Bank:
MIGA: Multilateral Investment Guarantee Agency:
U.S. GAAP: U.S. generally accepted accounting principles:
U.S. GAAS: U.S. generally accepted auditing standards:
Letter June 16, 2003
Congressional Committees:
Multilateral Development Banks (MDBs) were established to provide
financial support for projects and programs designed to promote social
and economic progress in developing countries throughout the world. In
fiscal year 2002, the United States provided approximately $1.3 billion
to support the missions of the MDBs, with about $820 million going to
the World Bank Group (Bank Group) and about $460 million going to
regional MDBs.[Footnote 1] As a group, the MDBs are the largest source
of development aid for middle-and low-income countries.
Section 803(a) of the Foreign Operations, Export Financing, and Related
Programs Appropriations Act, 2001 (Public Law 106-429) provides that
GAO report annually on the sufficiency of audits of the financial
operations of each MDB conducted by the persons or entities outside the
bank. This is the third in a series of reports in response to Public
Law 106-429's reporting requirement.[Footnote 2] As agreed with your
offices, this report covers the following MDBs, which are all part of
the World Bank Group:[Footnote 3]
* International Bank for Reconstruction and Development,
* International Development Association,
* International Finance Corporation, and:
* Multilateral Investment Guarantee Agency.
The International Bank for Reconstruction and Development and the
International Development Association, which accounted for 80 percent
of the development assistance the Bank Group provided to developing
countries in 2002, are referred to as the "World Bank." Financial
statement audits and the related assurance on internal control provided
by the external auditor are important for the Bank Group entities
because they:
* have missions that emphasize distributing funds for development and
accountability for the use of those funds;
* operate in countries where transparency and accountability are ranked
among the lowest in the world; and:
* are multilateral entities not subject to oversight by any single
national government.
Because borrowing countries often lack the transparency and
accountability needed to prevent and detect corruption, the Bank Group
entities that provide loans risk having the funds used for purposes
other than those intended. The United States and other donors have
indicated that they are concerned about these risks. Donors want to be
assured that the funds they provide are used only for the intended
purpose, and the Bank Group's lending entities need to assure donors
that the standard of care over those funds meets donor expectations.
Representatives from the United States and the European Union[Footnote
4] have recently stated that they plan to increase contributions to the
world's poorest countries if they have assurance that the funds they
are providing are used as intended in developing countries and have
measurable results.
As agreed with your offices, this report addresses the following two
specific areas related to the World Bank Group's external financial
statement audit process:
1. the extent to which the Bank Group entities are obtaining assurance
from their external auditor on internal control[Footnote 5] over
financial reporting, operations, and compliance with key provisions of
their charters and policies in conjunction with their financial
statement audits and:
2. the role the Bank Group's audit committee plays in providing
oversight of financial statement audits and internal control.
Results in Brief:
The Bank Group has taken important steps in strengthening its
assessment and reporting on internal control, such as (1) implementing
a structured internal control framework, (2) conducting the internal
control assessments necessary to provide its external auditor with an
assertion on the effectiveness of the Bank Group's internal control
over external financial reporting, and (3) contracting with its
external auditor to provide an opinion, in conjunction with the
financial statement audit, on whether management's assertion on
internal control over external financial reporting is fairly stated.
However, Bank Group management does not include an assertion on
internal control over operations and compliance with key provisions of
its bank charters and policies, and it has not asked the external
auditor to give an opinion on those internal controls. Although the
banks' charters do not specifically call for an assertion or external
review of internal control over operations and compliance, they do
state that the banks are to take the necessary measures to ensure that
the proceeds of any loan made, guaranteed, or participated in by them
are used only for the purposes for which the loan was granted. The Bank
Group's external financial statement audits do not, and are not
intended to, provide specific assurance about the internal control over
the Bank Group's operations and whether the funds are spent for their
intended purposes. Given the inherent risks in the banks' activities,
additional assurance on these other categories of internal control--
operations and compliance--would provide an added level of assurance to
the Bank Group and its member countries that funds were used for their
intended purposes.
The Bank Group has established an audit committee that provides
oversight of financial statement audits and internal control. A major
function of this committee, a subgroup appointed by the board of
executive directors at the Bank Group entities, is to nominate an
external auditor for external audits and determine the scope of the
auditor's work and the reports to be submitted by the auditor. The Bank
Group's audit committee also has the external auditor provide an
opinion, in conjunction with the financial statement audit, on
management's assertion on the Bank Group's internal control over
external financial reporting. The audit committee has the authority, as
part of determining the scope of the auditor's work, to expand the
external audits to include the auditor giving opinions on internal
control over operations and compliance with bank charters and
provisions. Alternatively, the audit committee is also well-positioned
to assign an internal party or provide an external entity the task of
providing a thorough assessment of such controls. However, during our
review, we were told that the Bank Group does not yet have plans to
provide a comprehensive assessment of its controls.
We recommend that the Secretary of the Treasury--who is responsible for
the federal government's interactions with the Bank Group entities--
instruct the U.S. Executive Director for the Bank Group to take the
lead in working with other executive directors in developing a policy
requiring these Bank Group entities to enhance the audit function and
reporting of their financial operations. This would entail conducting a
comprehensive evaluation of internal controls over operations and
compliance to determine whether such controls are in place and are
functioning properly to prevent misuse of funds and to ensure
compliance with key provisions of bank charters and policies. This
group of executive directors would report annually to the Board of
Executive Directors, through the audit committee, on the progress made.
This evaluation could be carried out in any of several ways, including
through the internal audit function; by the external auditor, in
conjunction with the financial statement audit; by another entity
within the Bank Group; or by an external party, such as a consultant.
These Bank Group entities should also provide the results of the
assessment to member countries annually.
In its comments, the World Bank Group welcomed our recommendation for a
comprehensive assessment of internal controls over operations and
compliance with bank charters and policies but did not comment on our
recommendation that such evaluations be conducted annually. The Bank
Group stated that given the many reforms it has underway to strengthen
its control framework, an assessment of internal control over
operations and compliance would be most useful if undertaken once the
range of changes over those controls is substantially in place. We
agree that effective timing for implementing our recommendation would
coincide with the Bank Group's implementation of reforms. It added that
such changes are expected to be complete in about 18 to 24 months.
In its comments, the Department of the Treasury agreed with our
recommendation for a comprehensive evaluation of internal controls over
operations and compliance but not with our recommendation for annual
evaluations because it contends that the overall structure of internal
controls changes infrequently and usually only marginally. It suggests
a one time comprehensive evaluation with periodic updates. We remain
convinced that the Bank Group should report annually on those controls
given the inherent risks in the Bank Group entities' lending
activities.
Scope and Methodology:
Public Law 106-429, Appendix A, Title VIII, identifies 10 MDBs to be
included in the scope of our work. In prior work, we addressed 6 of the
MDBs listed in the law--the African Development Bank, African
Development Fund, Asian Development Bank, European Bank for
Reconstruction and Development, Inter-American Development Bank, and
the Inter-American Investment Corporation. As agreed with your offices,
this report focuses on the external financial statement audit and
internal control reporting process of the remaining four MDBs--which
are all part of the Bank Group--listed in the law:
* International Bank for Reconstruction and Development (IBRD),
* International Development Association (IDA),
* International Finance Corporation (IFC), and:
* Multilateral Investment Guarantee Agency (MIGA).
To meet our objectives, we met with Department of the Treasury
officials and a representative of the office of the U.S. Executive
Director for the Bank Group. We also:
* reviewed the Bank Group entities' 2002 and 2001 audited financial
statements and the external auditors' opinions on the financial
statements and identified the accounting principles and auditing
standards used,
* inquired of World Bank management and obtained information on the
audit committee, external audits, and the extent of the external
auditor giving opinions on internal control over financial reporting,
operations, and compliance matters,
* analyzed and compiled relevant financial information from the Bank
Group entities' annual reports and their audited financial statements,
* reviewed the banks' terms of reference to identify the scope of the
audit committee's oversight and compared them to relevant guidance on
widely accepted internal control frameworks,
* reviewed widely accepted internal control frameworks, such as
Internal Control--Integrated Framework issued by the Committee of
Sponsoring Organizations of the Treadway Commission and Guidelines for
Internal Control Standards developed by the International Organization
of Supreme Audit Institutions, and:
* discussed various options for reporting on internal control with
representatives from the international accounting firm responsible for
the financial statement audits of the Bank Group entities.
The Bank Group entities are multilateral, international entities that
are autonomous, and the United States, as an individual member country,
generally does not have audit authority over their operations. Thus, it
was not part of our scope to evaluate the components of the Bank Group
entities' internal control governance structure, nor did we evaluate
the quality of the external auditor's work on their financial statement
audits and internal control examinations over external financial
reporting. Moreover, it was not part of our scope to determine whether
the audit committee members were independent of the Bank Group entities
they served.
It was also not part of our scope to make any site visits to review any
Bank Group entities' projects or programs. In accordance with GAO's
agreement with the Bank Group and the Department of the Treasury on
this assignment, our interaction with officials from the Bank Group was
limited to the designated representative from the office of the U.S.
Executive Director for the Bank Group. The articles of agreement
establishing the Bank Group entities require the United States to deal
with those organizations only through the Department of the Treasury.
Therefore, we used Treasury officials as a conduit for obtaining
information to conduct our work.
We conducted our work in Washington, D.C., from May 2002 through March
2003 in accordance with U.S. generally accepted government auditing
standards. In May 2003, we received comments from the World Bank Group
and the Department of the Treasury, which are reproduced in their
entirety in appendixes III and IV. In addition, the Bank Group also
provided a number of suggested technical changes to our report, which
we incorporated as appropriate.
Background:
The Bank Group entities included in this report--IBRD, IDA, IFC, and
MIGA--are multilateral, international entities with a mission to fight
poverty and improve the living standards of people in developing
countries throughout the world by providing development assistance in
the form of loans, equity investments, loan and equity guarantees, and
technical assistance. National governments are the shareholders--
referred to as members--of the Bank Group. These members include
developing countries[Footnote 6] that borrow from the Bank Group as
well as industrialized member countries. All members, including
borrowing members, contribute to the capital of the Bank Group and
participate in oversight and in setting operating policies through
their participation on the boards of governors and executive boards.
See figure 1 for a summary of the components of the Bank Group and
their functions.
Figure 1: Bank Group's Components and Functions:
[See PDF for image]
[End of figure]
The lending activities of the Bank Group can be grouped primarily into
the following two types: market-based lending primarily done by IBRD
and concessional lending primarily done by IDA.[Footnote 7] IBRD
provides loans with market-based rates that are financed primarily
through borrowings from world capital markets, members' paid-in
capital, and retained earnings. Members also provide support through
subscriptions of callable capital.[Footnote 8] Because of the
significant proportion of callable capital that is subscribed by
members with strong credit ratings, including the United States, IBRD
is able to use callable capital as backing to obtain more favorable
financing terms when borrowing from world capital markets than would
otherwise be available. To date, IBRD has never made a call on this
capital.
IDA provides concessional loans to the poorest of the developing
countries--those meeting certain eligibility requirements--and is
financed through contributions from member countries and borrower
repayments of outstanding loans. These loans are called "concessional"
because they are provided with below-market interest rates and extended
repayment terms.
Due to the nature of concessional lending and the credit risks[Footnote
9] of borrower countries, the concessional lending arms do not have
callable capital subscriptions and do not borrow from world capital
markets to finance their operations. Unlike IBRD, which borrows from
world capital markets to fund lending, IDA relies on capital
replenishments or periodic contributions by members in addition to
repayments from loans and transfers of net income from IBRD. As of June
30, 2002, the Bank Group had outstanding loans of about $230 billion,
and concessional loans constituted 42 percent, or about $96 billion, of
that total.
In 2002, the Bank Group entities approved about $24.4 billion of
development assistance consisting of loans, loan guarantees, and equity
investments for 466 new economic and social development operations and
projects. Loans with market-based interest rates, equity investments,
and loan guarantees accounted for about $16.3 billion of the total
financial support provided by the Bank Group during 2002, while
concessional lending amounted to about $8.1 billion. See table 1 for a
summary of development assistance in 2002 and number of new projects,
by Bank Group entity.
Table 1: Bank Group's Development Assistance and New Projects in 2002:
Dollars in millions:
Bank Group entity: International Bank for
Reconstruction and Development; Development assistance: $11,500; New
projects: 96.
Bank Group entity: International Development
Association; Development assistance: 8,100; New projects: 133.
Bank Group entity: International Finance
Corporation; Development assistance: 3,600; New projects: 204.
Bank Group entity: Multilateral Investment
Guarantee Agency; Development assistance: 1,200; New projects: 33.
Bank Group entity: Total; Development assistance:
$24,400; New projects: 466.
Source: The World Bank Annual Report, 2002.
[End of table]
The Bank Group entities' activities are overseen through a board of
governors, with a governor from each member country. In general, a
board of governors is responsible for admitting new members,
authorizing agreements for cooperation with other international
organizations, deciding about the board of executive directors,
approving the Bank Group entities' financial statements, determining
the reserves and the distribution of profits, and deciding the scope of
operations. Each Bank Group entity also has a board of executive
directors, which is responsible for, among other things, overseeing the
banks' daily operations, ensuring the implementation of the decisions
of the board of governors, and approving the budgets of the banks. The
Bank Group entities' own management and staff of international civil
servants carry out the daily operations.
The United States is a member in all the Bank Group entities discussed
in this report, contributing significant amounts to support their
missions and subscribing to a significant amount of their callable
capital. The Congress appropriates funds for U.S. contributions and
capital subscriptions to the Bank Group. In fiscal year 2002, the
Congress appropriated about $800 million in U.S. contributions and
approved about $20 million of new subscriptions to callable capital for
the Bank Group. The Department of the Treasury oversees U.S. interests
in the Bank Group. See table 2 for a summary of U.S. support of about
$58.7 billion provided to the components of the Bank Group entities
from their inception through June 30, 2002.
Table 2: U.S. Resources Provided to the Bank Group through June 30,
2002:
Dollars in millions:
Bank Group entity: International Bank for
Reconstruction and Development; U.S. paid-in capital or contributions:
$1,998; U.S. callable capital: $29,966.
Bank Group entity: International Development
Association; U.S. paid-in capital or contributions: 25,842; U.S.
callable capital: -.
Bank Group entity: International Finance
Corporation; U.S. paid-in capital or contributions: 569; U.S. callable
capital: -.
Bank Group entity: Multilateral Investment
Guarantee Agency; U.S. paid-in capital or contributions: 63; U.S.
callable capital: 266.
Bank Group entity: Total; U.S. paid-in capital or
contributions: $28,472; U.S. callable capital: $30,232.
Source: Bank Group entities' 2002 annual reports.
[End of table]
The Bank Group entities prepare their financial statements to comply
with different bases of accounting. They present their financial
statements using U.S. generally accepted accounting principles (U.S.
GAAP), international accounting standards (IAS), and special purpose
basis of accounting, as shown in table 3. According to the Bank Group,
due to the special nature and organization of the IDA, the concessional
lending arm of the Bank Group, it prepares special purpose financial
statements that are meant to show the sources and uses of resources to
comply with its articles of agreement.[Footnote 10]
Table 3: Bank Group Entities' Bases of Accounting and Auditing
Standards:
Bank Group entity: International Bank for Reconstruction and
Development; Accounting standards used to prepare financial statements:
U.S. GAAP and IAS; Auditing standards used to perform audit work: U.S.
Generally Accepted Auditing Standards (U.S. GAAS) and International
Standards on Auditing (ISA).
Bank Group entity: International Development Association; Accounting
standards used to prepare financial statements: Special Purpose Basis
of Accounting; Auditing standards used to perform audit work: U.S. GAAS
and ISA.
Bank Group entity: International Finance Corporation; Accounting
standards used to prepare financial statements: U.S. GAAP; Auditing
standards used to perform audit work: U.S. GAAS.
Bank Group entity: Multilateral Investment Guarantee Agency; Accounting
standards used to prepare financial statements: U.S. GAAP and IAS;
Auditing standards used to perform audit work: U.S. GAAS and ISA.
Source: Bank Group entities' 2002 annual reports.
[End of table]
The Bank Group's external auditor has audited the annual financial
statements of all the entities of the Bank Group. Each entity has
received an unqualified or "clean" audit opinion on its financial
statements for the 3 most recent years. The Bank Group's external
financial statement audits, performed by an international accounting
firm, provide assurance over its reported financial position at a
particular time and the financial results of its operations and cash
flows for a given fiscal year. However, the Bank Group's external
financial statement audits do not, and are not intended to, provide
specific assurance about the internal control over the Bank Group's
operations and whether the funds are spent for their intended purposes.
Figure 2 shows the relationship between the Bank Group's flow of
government funding and its external audit and reporting.
Figure 2: Bank Group's Flow of Government Funding and External Audit
Reporting:
[See PDF for image]
[End of figure]
The Bank Group's external auditor performs its audits based on U.S.
GAAS and ISA. These standards require the independent auditor to obtain
a sufficient understanding of internal control to plan the audit and
determine the nature, timing, and extent of tests to be performed. As
part of the audits of the Bank Group entities, the auditor communicates
to the audit committee any internal control material weaknesses and
reportable conditions that were noted during the course of the audit.
As is common practice, the auditor issues a written document known as a
management letter to communicate these weaknesses. The management
letter addresses issues detected as part of the financial statement
audit work and
it is not meant to be a comprehensive examination of the sufficiency of
the Bank Group's internal control.[Footnote 11]
Bank Group Has Taken Important Steps on Internal Control but Reporting
Could Be Expanded:
Management of the Bank Group entities has acknowledged the importance
of internal control and has (1) implemented a structured internal
control framework, (2) conducted the internal control assessments
necessary to provide its external auditor with a formal assertion on
the effectiveness of the Bank Group's internal control over external
financial reporting, and (3) contracted with its external auditor to
provide an opinion, in conjunction with the financial statement audits,
on whether managements' assertions on internal control over external
financial reporting are fairly stated.
For fiscal year 2002, the four Bank Group entities included in their
annual reports both management's assertion that it met the Committee of
Sponsoring Organizations of the Treadway Commission (COSO)[Footnote 12]
criteria on internal control over external financial reporting as of
June 30, 2002, and the external auditor's opinion that management's
assertion on internal control over external financial reporting was
fairly stated. However, Bank Group management does not include in its
assertion internal control over operations and compliance with key
provisions of bank charters and policies, and it has not asked the
external auditor to give opinions on those internal controls.
Although the banks' charters do not specifically call for a management
assertion or an external auditor opinion on internal control over
operations and compliance, they do state that the banks are to take the
necessary measures to ensure that the proceeds of any loan made,
guaranteed, or participated in by them are used only for the purposes
for which the loan was granted. Given the inherent risks in the banks'
activities, further assurance on these additional categories of
internal control--operations and compliance--would provide an added
level of assurance to the Bank Group and its member countries that
funds were used for their intended purposes.
Bank Group Has Engaged an External Auditor to Provide Opinions on
Internal Control over Financial Reporting:
The Bank Group entities have acknowledged the importance of internal
control and have taken an important step in obtaining audit assurance
over internal control: They have engaged their external auditor to
provide an opinion on management's assertions on internal control over
external financial reporting and have included those results in their
2002 annual reports. This public reporting of the external auditor's
opinions on management's assertions provides a level of assurance on
the Bank Group's ability to record, process, summarize and report
financial data consistent with the assertions in the financial
statements as well as a level of transparency to member countries and
others outside the Bank Group.
The Bank Group--specifically through the controllers'
departments[Footnote 13]--has also taken steps internally to strengthen
internal control. The World Bank, beginning in 1995, adopted the
internal control standards of COSO. The Bank Group adopted the COSO
framework to establish a common definition of internal control and
provide a standard that managers and auditors can use to assess and
measure progress in improving internal control. Entities and their
internal control needs differ dramatically by line of business and
size, and by culture and management philosophy. COSO provides a
framework for implementing a system of internal control, but the
specific internal controls put in place and monitored by management
depend on the type of operations to be managed and the associated
risks. See appendix I for a description of the five components of
internal control under the COSO framework.
Under the COSO framework, the effectiveness of internal control is
measured by an organization's capacity to provide reasonable assurance
in the following three categories.
* Reliability of financial reporting: Financial reporting controls
relate to an entity's ability to prepare reliable financial statements.
* Effectiveness and efficiency of operations: Operations controls
address the entity's basic business objectives, including performance
goals and the safeguarding of resources.
* Compliance with applicable laws and regulations: Compliance controls
deal with the entity complying with those laws and regulations to which
the entity is subject.
As shown in figure 3, under COSO, an organization is responsible for
the effectiveness of three categories of internal control.
Figure 3: Categories of Internal Control:
[See PDF for image]
[End of figure]
Internal controls often serve to accomplish more than one objective.
Frequently, internal controls established primarily for operations or
compliance objectives may also accomplish financial reporting
objectives. Internal controls directed at operations and compliance
also may deal with events, transactions, or other occurrences that must
be reported in the financial statements. Internal control is not one
event, but a series of actions and activities occurring throughout an
entity's operations and on an ongoing basis. As entities strive to
improve operational processes, management should continually assess and
evaluate its internal control. Monitoring--a process that assesses the
quality of an internal control system's performance over time--is an
essential element of internal control and is particularly relevant for
carrying out the fiduciary responsibilities that are integral to the
Bank Group's operations.
Although current financial statement auditing standards established in
the private sector do not require the auditor to report on internal
control and compliance when performing a financial statement audit, the
auditor can be engaged to provide a level of assurance--called an
attestation--on internal control over operations and
compliance.[Footnote 14] The Bank Group also has other options for
providing assurance over internal control over operations and
compliance. For example, the Bank Group could request a comprehensive
evaluation of its internal controls over these functions, which could
be conducted by its internal auditor, its external auditor, an outside
consultant, or by another unit within the Bank Group.
World Bank Units' Responsibilities for Internal Control and Oversight
of Operations:
In its anticorruption progress report[Footnote 15] and operations
evaluation report,[Footnote 16] the World Bank states that many units
provide internal control and oversight over the use of World Bank funds
in lending operations, including those shown in table 4.
Table 4: World Bank Units Responsible for Internal Control and
Oversight of Operations:
World Bank units: Internal Auditing Department; Function: Performs
audits to assess the integrity of the internal controls of business
processes, including those associated with the project cycle.
World Bank units: Operations Evaluation Department; Function: Assesses
which projects and programs work, and which do not; how a borrower
plans to operate and maintain a project; and the lasting contribution
to a country's overall development.
World Bank units: Inspection Panel; Function: Receives and investigates
claims from project-affected people alleging that they have been harmed
by the World Bank's violations of its own policies and procedures.
World Bank units: Quality Assurance Group; Function: Conducts real time
assessments of the quality of the project portfolio, including
supervision, financial management, and monitoring and evaluation.
World Bank units: Quality Assurance and Compliance Unit; Function:
Seeks to improve compliance with safeguard policies.
World Bank units: Loan Department; Function: Reviews and signs off on
the financial management and disbursement aspects of loan agreements.
World Bank units: Legal Department; Function: Drafts loan agreements;
reviews and clears compliance with legal aspects of World Bank
policies; and reviews the adequacy of the legal framework for project
implementation.
World Bank units: Operations Policy and Country Services; Function:
Provides advice and support on preparing and implementing lending and
nonlending operations and managing portfolios, including oversight of
the World Bank's procurement and financial management functions and
guidelines that govern lending relationships and conditions.
World Bank units: Corporate Committee on Fraud and Corruption Policy;
Function: Seeks to ensure that anticorruption policies and
implementation strategies are designed and effective to help the Bank
Group achieve its poverty reduction goals.
World Bank units: Department of Institutional Integrity; Function:
Investigates allegations of fraud and corruption in World Bank financed
projects and allegations of staff misconduct.
Source: World Bank's reports on anticorruption, 2000, and operations,
2002.
[End of table]
The World Bank states that the above units have taken on new and
broadened functions for quality assurance and evaluation over the past
several years and have strengthened its ability to supervise the
fiduciary aspects of its loans and help borrowers--some perceived to
have the worst corruption problems in the world as shown in appendix
II--strengthen their own capacities. The above units are an important
part of the World Bank's internal control over operations and
compliance. Although it was not part of our scope to evaluate the
effectiveness of these units, or any similar units in IFC and MIGA,
they have the potential of providing the basis for the Bank Group to
offer further assurance and transparency on its internal controls. For
example, the Bank Group's internal or external auditor, or other group
or entity, internal or external to the Bank Group, could provide a
comprehensive evaluation of the Bank Group's control over operations
and compliance to determine whether they are working as designed to
ensure that funds are spent as intended. In 1995, the World Bank
established a 5-year timeline to ensure that, by the end of fiscal year
2000, management would be able to express assurance that adequate
controls were in place, not only for financial reporting purposes, but
also for efficiency and effectiveness of operations. The World Bank has
not yet met that goal. During our review, we were told that the Bank
Group does not yet have plans to have a comprehensive assessment of
these controls.
Bank Group Could Benefit from Additional Assurance on Internal Control
over Operations and Compliance:
Because the Bank Group entities operate in a difficult and risky
control environment, the member countries could benefit from additional
assurance over the Bank Group entities' internal control over
operations and compliance with key provisions of their charters. The
Bank Group operates in countries where transparency and accountability
are often lacking, and corruption--broadly defined as the abuse of
public office for private gain--sometimes flourishes. The Bank Group
must satisfy its dual mandate of providing development assistance in
these environments and exercising its fiduciary responsibility,
including ensuring that corruption is minimized in the projects it
finances.
The World Bank acknowledged in an anticorruption progress
report[Footnote 17] that corruption undermines public support for
development assistance by creating an erroneous perception that all
assistance is affected by corruption. In this report, the World Bank
stated that it would make every effort to prevent corruption in the
projects and programs it finances in borrower countries. The report
also showed the control and oversight units the World Bank established
to improve the operational effectiveness of its procurement and
financial management practices. However, the Bank Group has not taken
steps to provide additional assurance and transparency that its funds
are being used as intended by requiring a comprehensive assessment of
controls over operations and compliance.
In addition, the World Bank in its report Clean Government and Public
Financial Accountability[Footnote 18] acknowledged that borrower
countries' government and external auditors are unable to give the
World Bank sufficient assurance that World Bank funds were exclusively
used for intended purposes. Risks that Bank Group funds are used for
purposes other than those for which loans were granted--whether for
concessional or market-based loans--could be mitigated through
effective implementation and evaluation of internal controls over
operations and compliance.
The Bank Group's system of internal control, adopted under the COSO
framework, could facilitate a comprehensive assessment of internal
controls over operations and compliance designed to uncover any
material internal control weaknesses in operations and compliance that
need to be corrected. A comprehensive evaluation of these controls
could also provide additional credibility to the Bank Group's (1)
internal evaluation reporting system and (2) commitment to provide
funds only to those who use the funds for intended purposes. Such an
assessment would provide additional assurance to both the Bank Group
and its member countries over the use of funds and could be
accomplished in one of several ways: (1) through the Bank Group's
internal audit function, (2) by the external auditor, in conjunction
with its financial statement audit, giving an opinion on whether
management's assertions on internal controls over operations and
compliance are fairly stated, (3) by another entity within the Bank
Group, or (4) by another external entity, such as a consultant.
Such an assessment would include identifying the specific elements of
the COSO criteria that are objective, measurable, and relevant to use
in assessing the reasonableness of internal control over operations and
key charter provisions to be included in a review of compliance
controls and to define what would constitute compliance with those key
provisions of bank charters. After these significant issues are
addressed, Bank Group management would be able to comprehensively
document and assess the key controls identified and subsequently
provide its assertions on the effectiveness of those controls.
Bank Group Has Established an Audit Committee That Provides Oversight
of Financial Reporting and Internal Control:
The Bank Group's board of executive directors has appointed an audit
committee to provide, on its behalf, oversight on matters such as the
effectiveness of financial policies and reporting; various aspects of
financial, business, operating, and reputational risks; and internal
control in the Bank Group entities.[Footnote 19] The Bank Group's audit
committee has a purpose, scope, and operating principles congruent with
those customarily established for audit committees. A major function of
the Bank Group's audit committee is to nominate an external auditor to
conduct audits of the Bank Group's financial statements and determine
the scope of the auditors' work and the reports to be submitted by the
auditors.
The information provided by the Bank Group on the functions of its
audit committee indicated that the audit committee's terms of reference
included responsibilities such as those listed in table 5.
Table 5: Audit Committee Responsibilities:
Area: Financial policies and reporting; Responsibility: Reviewing
financial policies and other matters having a significant bearing on
financial reporting including policies on financial sustainability,
credit risks, as well as the integrity of financial reporting and risk
management processes.
Area: Independent external audit; Responsibility: Submitting to the
executive directors the nomination of a firm of private independent
internationally established auditors to audit the Bank Group entities'
financial statements; reviewing with the external auditors the scope,
design, and results of their examinations; and discussing their opinion
on the financial statements prior to the release of the annual
financial statements and inviting the auditors' recommendations
regarding internal control and other matters.
Area: Internal audit; Responsibility: Overseeing and assessing the
effectiveness of the Bank Group entities' internal control and
satisfying itself that the Bank Group entities' internal audit is
adequate, effective, and efficient. Periodically reviewing the
guidelines, work programs, and budget for the office to help ensure a
strong and independent audit function.
Area: Risk management; Responsibility: Focusing primarily on financial
and operational risks as it coordinates with other board committees
that exercise oversight of other risks and consulting with various
officers of the Bank Group.
Area: Operating principles; Responsibility: Advising the board on other
issues relating to the financial position, controls, and risk
management environment, including reviewing the Bank Group's mechanisms
for avoiding fraud.
Source: Audit Committee's Terms of Reference.
[End of table]
Information provided to us by the Bank Group indicates that the Bank
Group entities' audit committee was actively involved with the external
auditor during its financial statement audits. Audit committee
activities with the external auditor included communications about
internal control recommendations, discussions on management's COSO
assertion on internal control over external financial reporting, the
external auditor's opinion on management's assertion, and
considerations on the external auditor's conclusions on the
appropriateness of accounting principles. The information also showed
that the audit committee kept current with the work of the internal
auditor.
The audit committee has a particularly important role to play in
assuring fair presentation and appropriate accountability in connection
with financial reporting, internal control, compliance and related
matters. An effective audit committee facilitates the successful
performance of the board of executive directors' oversight
responsibilities for financial operations and is an independent
safeguard on corporate management with respect to its responsibilities
for preparing financial statements and implementing an internal control
framework.
The Bank Group's audit committee currently has the external auditor
provide an opinion on management's assertion on the Bank Group's
internal control over external financial reporting. The audit committee
has not asked the Bank Group entities' external auditor to provide
assurance on internal control over operations or compliance. The audit
committee has the authority, as part of determining the scope of the
auditor's work, to expand and strengthen the Bank Group entities'
internal control reporting processes by requesting the external auditor
to give an opinion on internal control over operations and compliance
matters once management decides such reporting is appropriate. A key
step in this process is for management to first apply the scope of COSO
to its controls over operations and compliance and to develop the
appropriate criteria to assert on internal control over operations and
compliance matters. The audit committee could then have the external
auditor to provide an opinion on management's assertions over those
controls using the criteria specified by management.
Alternatively, the audit committee could work with the internal and
external auditors, other entities within the Bank Group, or an external
party to conduct a comprehensive evaluation of internal controls over
operations and compliance to determine whether such controls are in
place and are functioning properly to prevent misuse of funds and to
ensure compliance with key provisions of bank charters and policies.
Conclusions:
The Bank Group has taken important steps in strengthening its
assessment and reporting on internal control by performing the internal
control assessments necessary to provide an assertion on internal
control over external financial reporting and having its external
auditor give an opinion on that assertion. At the same time, Bank Group
management does not include in its assertion internal control over
operations and compliance with key charter provisions, and it has not
asked the external auditor or any other organization, internal or
external, to provide a comprehensive evaluation of its controls over
these areas. The assurance that such an assessment can provide through
reporting on internal control over operations and compliance is
especially important given the operating risks inherent in the Bank
Group's activities. The audit committee is well-positioned to assign an
internal party or provide an external entity the task of providing a
thorough assessment of such controls. This additional assurance would
strengthen the Bank Group's accountability and enhance member country
assurance that funds are spent as intended.
Recommendations for Executive Action:
We recommend that the Secretary of the Treasury instruct the U.S.
Executive Director of the Bank Group to take the lead in working with
the other executive directors in developing a policy requiring the Bank
Group entities to enhance the audit function and reporting of their
financial operations. This would entail (1) conducting a comprehensive
evaluation of internal controls over operations and compliance to
determine whether such controls are in place and are functioning
properly to prevent misuse of funds and to ensure compliance with key
provisions of bank charters and policies and (2) reporting annually to
the board of executive directors through the audit committee on the
progress made. This evaluation could be carried out in any of several
ways, including through the internal audit function; by the external
auditor, in conjunction with the financial statement audit; by another
entity within the Bank Group; or by an external party, such as a
consultant. These Bank Group entities should also provide the results
of the assessment to member countries annually.
Agency Comments and Our Evaluation:
We received written comments from the Office of the President of the
World Bank, which represented the official response of the World Bank
Group. We also received written comments from the Deputy Assistant
Secretary for Multilateral Development Banks and Specialized
Development Institutions at the Department of the Treasury, the agency
that represents the United States at the World Bank Group. These
comments are reprinted in their entirety in appendixes III and IV.
In its comments, the World Bank Group welcomed our recommendation for a
comprehensive assessment of internal controls over operations and
compliance with bank charters and policies but did not comment on our
recommendation that such evaluations be conducted annually. The Bank
Group stated that given the many reforms it has underway to strengthen
its control framework, an assessment of internal control over
operations and compliance would be most useful if undertaken once the
range of changes over those controls is substantially in place. We
agree that effective timing for implementing our recommendation would
coincide with the Bank Group's implementation of reforms. It added that
such changes are expected to be complete in about 18 to 24 months.
While Treasury also agreed with our recommendation for a comprehensive
evaluation of internal controls over operations and compliance, it did
not agree that the Bank Group should follow this initial assessment
with annual evaluations. It acknowledged that periodic updates would be
reasonable but characterized annual evaluations as excessive and
unnecessary based on its view that the overall structure of internal
controls changes infrequently and usually only marginally.
Given the inherent risks in the Bank Group entities' lending
activities, we remain convinced that the Bank Group should report
annually on all three categories of internal control--financial
reporting, operations, and compliance. Under the COSO framework,
effective internal control is an essential aspect of managing shifting
environments and evolving demands and priorities. Internal control is
not one event, but a series of actions and activities occurring
throughout an entity's operations and on an ongoing basis. As entities
strive to improve operational processes, management should continually
assess and evaluate its internal control. Monitoring--a process that
assesses the quality of an internal control system's performance over
time--is an essential element of internal control and is particularly
relevant for carrying out the fiduciary responsibilities that are
integral to the Bank Group's operations. Annual reporting on internal
control is now common practice both in the public and private sector
and is often performed in conjunction with annual financial statement
audits.
Treasury pointed out that our draft report documents the sufficiency of
the Bank Group's current external audits. Although our report provides
information about the results of the external financial statement
audits at the Bank Group, our report also makes it clear that, by
design, the objective of a financial statement audit is not to provide
assurance on internal control. The current financial statement audits
cover only the banks' financial position at a point in time and the
financial results of operations and cash flows for a given fiscal year.
Given that the Bank Group's external auditor's opinion on internal
control extends only to management's assertions on the effectiveness of
internal control over external financial reporting, many facets of
internal control would not be covered. The scope of the financial
statement audits of the Bank Group entities and the separate assessment
of controls over external financial reporting are not intended to and
do not provide specific assurance about the effectiveness of the
internal control over operations and compliance with bank charters and
key policies.
Considering the Bank Group's reforms to strengthen internal control
over operations and compliance, we emphasize the need for annual
assessments of those controls. As acknowledged in comments from the
Bank Group, internal control is a "dynamic process," and reforms are
under way in the Bank Group to strengthen its control framework. As the
Bank Group develops and institutes these reforms, monitoring is needed
to help ensure that controls are functioning as intended in preventing
misuse of funds and ensuring compliance with key provisions of bank
charters and policies. Annual reporting to provide accountability and
transparency over lending, equity investment, and guarantee operations
carries additional importance for the Bank Group because the
international organization's mission requires it, as stated in its
comments, "to be active in countries where controls are weak." As
acknowledged by the Bank Group, "monitoring exposure against defined
benchmarks" is one of several changes that will provide the banks with
"significantly improved controls over lending, equity investment, and
guarantee operations." As stated in our recommendations, the evaluation
and reporting on internal control over operations and compliance could
be carried out in several ways, including through the internal audit
function; by the external auditor, in conjunction with the financial
statement audit; by another entity within the Bank Group; or by an
external party, such as a consultant.
:
We are sending copies of this report to the Secretary of the Treasury,
the president of the World Bank Group, and other interested parties.
Copies will be made available to others upon request. In addition, the
report will be available at no charge on the GAO Web site at http://
www.gao.gov.
Please contact me at (202) 512-9406 or by email at franzelj@gao.gov if
you or your staffs have any questions concerning this report. Key
contributors to this report were Charles Norfleet, Meg Mills, and
Maxine Hattery.
Signed by:
Jeanette M. Franzel
Director
Financial Management and Assurance:
Congressional Committees:
The Honorable Richard G. Lugar
Chairman
The Honorable Joseph R. Biden, Jr.
Ranking Minority Member
Committee on Foreign Relations
United States Senate:
The Honorable Ted Stevens
Chairman
The Honorable Robert C. Byrd
Ranking Minority Member
Committee on Appropriations
United States Senate:
The Honorable Mitch McConnell
Chairman
The Honorable Patrick J. Leahy
Ranking Minority Member
Subcommittee on Foreign Operations
Committee on Appropriations
United States Senate:
The Honorable Michael G. Oxley
Chairman
The Honorable Barney Frank
Ranking Minority Member
Committee on Financial Services
House of Representatives:
The Honorable Peter T. King
Chairman
The Honorable Carolyn B. Maloney
Ranking Minority Member
Subcommittee on Domestic and International Monetary Policy,
Trade and Technology
Committee on Financial Services
House of Representatives:
The Honorable C.W. Bill Young
Chairman
The Honorable David Obey
Ranking Minority Member
Committee on Appropriations
House of Representatives:
The Honorable Jim Kolbe Chairman The Honorable Nita M. Lowey Ranking
Minority Member Subcommittee for Foreign Operations, Export Financing,
and Related Programs Committee on Appropriations House of
Representatives:
[End of section]
Appendixes:
Appendix I: Components of Internal Control under COSO:
The World Bank, beginning in 1995, adopted the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) internal control
framework. Under the COSO framework, there are five interrelated
components of internal control that define the minimum level of quality
acceptable for internal control in an organization and provide the
basis against which internal control is to be evaluated. The five
components are used as the criteria to evaluate the strengths and
weaknesses of the internal controls and to identify actions that can be
taken to improve controls. All five components must be present and
effective in order for management to have reasonable assurance that
risks are managed to ensure the achievement of the organization's
objectives. At the Bank Group, management is responsible for developing
the detailed policies, procedures, and practices to fit its
organization's operations and to ensure that they are built into and
are an integral part of its operations. The five internal control
components, which apply to all aspects of an organization's operations,
including programmatic, financial, and compliance, include the
following:
Control environment. The control environment reflects management's
commitment and attitude to the implementation and maintenance of an
effective internal control structure. The control environment which
management promulgates through the organization will strongly influence
the design and operation of control policies and procedures. It will
also determine how effective they are in mitigating risks and achieving
objectives.
Risk assessment. All organizations, regardless of size or nature,
encounter some form of risk that can adversely impact the achievement
of its objectives. Assessing risk is a major component of an effective
control structure. It involves the identification, analysis,
assessment, and prioritization of risks that need to be treated by
control activities.
Control activities. Control activities are the tailored policies and
procedures that ensure (1) the mitigation of risks, (2) irregularities
are prevented or detected and corrected, (3) assets are safeguarded
from unauthorized use or disposal, and (4) financial records and other
relevant databases are complete and accurately reflect the entire
operational activities of the organization, and assist in timely
preparation of accurate financial statements.
Information and communication. Information and communication are
critical for performance reporting, decision making, both within the
organization and externally, and the achievement of strategic
objectives.
Monitoring. Monitoring is the final component of an effective internal
control structure and is closely linked to information and
communication. In addition to performance monitoring, the effectiveness
of the control structure itself also needs to be monitored and
reviewed. Control monitoring can be undertaken in two ways, by ongoing
monitoring and by separate reviews and evaluations.
[End of section]
Appendix II: Transparency International's 2002 Corruption Perception
Index:
Transparency International is an organization dedicated to curbing both
international and national corruption. Transparency International
launched its Corruption Perception Index (CPI) in 1995. The CPI is a
collection of polls, drawing on 15 surveys from 9 independent sources
for its 2002 results. The goal of the CPI is to provide data on
extensive perceptions of corruption within countries. The 2002 CPI
shows that the Bank Group entities function in environments that are
perceived to have high levels of corruption, underscoring the
importance of internal control over operations and compliance within
the Bank Group entities that are providing loans to those countries.
The CPI serves as an important indicator of the image a country conveys
to investors and potential business partners. Because the CPI is
derived from 15 different surveys that garner the perceptions of both
residents and expatriates, both business people and risk analysts, the
index provides a snapshot of the views of the people who make key
decisions on investment and trade. The CPI builds public awareness of
the corruption issue, and it adds to pressure on governments to
directly address the issue and the damaged image of their nation that
low rankings in the CPI reflect.
The CPI is a composite index that consists of credible sources using
diverse sampling frames and different methodologies, including one used
by the World Bank. The methodology is reviewed by a steering committee
consisting of leading international experts in the fields of
corruption, econometrics, and statistics. Members of the steering
committee make suggestions to improve the CPI, but the management of
Transparency International makes the final decisions on the methodology
used. For the 2002 CPI, data was included from the following
organizations' surveys and documents:
* World Bank, World Business Environment Survey;
* World Economic Forum, Africa Competitiveness and Global
Competitiveness Reports;
* Institute for Management Development, World Competitiveness Yearbook;
* PricewaterhouseCoopers, Opacity Index;
* Political & Economic Risk Consultancy, Asian Intelligence Issue;
* Economist Intelligence Unit, Country Risk Service and Country
Forecast;
* Freedom House, Nations in Transit;
* Gallup International on behalf of Transparency International, Bribe
Payers Index; and:
* Columbia University, State Capacity Survey.
No country was included in the CPI without results from a minimum of
three surveys undertaken over the past 3 years. For this reason, not
all countries with high levels of corruption may have been added.
Figure 4 includes the borrower countries by region.
Figure 4: Countries Included in Transparency International's 2002 CPI:
[See PDF for image]
[End of figure]
[End of section]
Appendix III: Comments from the World Bank Group:
The World Bank Washington, D.C. 20433 U.S.A.
OFFICE OF THE PRESIDENT:
May 20, 2003:
Ms. Carole Brookins:
Executive Director for the United States of America The World Bank:
WASHINGTON, DC:
Dear Ms. Brookins,
The GAO has sent us their draft report on the sufficiency of audits of
the external financial statements of the World Bank Group for comments.
Please find attached the official response of the World Bank Group with
regard to this review. I would very much appreciate if you could
transmit this letter to the U.S. General Accounting Office.
Sincerely yours,
Shengman Zhang
Acting President:
Signed by Shengman Zhang:
The World Bank Washington, D.C. 20433 U.S.A.
OFFICE OF THE PRESIDENT:
May 20, 2003:
Ms. Jeanette M. Franzel Director:
Financial Management and Assurance U.S. General Accounting Office
Washington DC 20548:
Dear Ms. Franzel,
Thank you for the opportunity to comment on the General Accounting
Office's draft report, April 2003, "World Bank Group: Important Steps
Taken on Internal Control but Additional Assessments Should be Made,"
GAO-03-366.
We appreciate the GAO's acknowledgement that the World Bank Group has
taken important steps over the past years to further strengthen its
assessment and reporting on internal control. We have implemented an
internal control framework, and we are already conducting internal
control assessments. Bank Group Management annually provides the
external auditor with an assertion about the effectiveness of internal
control over external financial reporting. The external auditor
provides an attestation on whether that assertion is fairly stated.
Management's assertion, and the external auditor's attestation have
been published in the Annual Reports.
As acknowledged in your report, the Bank Group's external auditor, an
international accounting firm, has performed annual financial statement
audits on all of the entities of the Bank Group. Each entity has always
received an unqualified audit opinion on its financial statements.
These audits provide assurance over the reported financial position at
a given point in time and the financial results of our operations and
cash flows for a given fiscal year. However, the World Bank Group's
financial statement audits do not, and are not intended to, provide
assurance about the internal controls over the Bank Group's lending or
guarantee operations.
With respect to the latter issue, let me point out that the Bank Group
has in place various units which form an extensive network of
management controls and oversight that are responsible for operations
evaluation, internal control, oversight, and compliance with regard to
the use of funds in lending, equity investment operations, and
guarantee operations. Certain of these key units are independent from
Bank Group Management.
We are engaged in a series of change initiatives in our operational
work to better align our policies and procedures with our objective of
achieving greater development impact. We are simplifying our processes
and scaling up our activities as part of our agenda of better
measuring, monitoring, and managing for development results. We are
working on a simplification of investment lending, more focused
standard project documentation, reforms in procurement and financial
management, a new policy on external audits of projects, simplification
of eligibility of expenditure rules, modernization of disbursement
processes, enhancement of a framework for loan and equity investment
checks and balances including monitoring exposure against defined
benchmarks. Collectively these changes will provide significantly
improved controls over lending, equity investment, and guarantee
operations and, through the simplification component, will further
enhance efficient and effective compliance.
Your report stated, and we agree, that there are still challenges ahead
given the difficult environment with respect to capacity and
transparency in some of our client countries. Tackling corruption is
difficult and complex and our mission requires the Bank Group to be
active in countries where controls are weak. But we are committed to
being even more aggressive in our capacity building efforts, one of the
key elements of our anticorruption strategy.
Internal control over lending and guarantee operations, in the context
of working in developing countries, is a dynamic process. We are always
open to suggestions from our shareholders on how the Bank Group can
further improve its control framework. In this context, we welcome your
suggestion of conducting a comprehensive assessment of internal
controls over operations and compliance with charters and policies.
Given the many reforms underway to strengthen our control framework, we
believe that such an assessment would be most useful if it were
undertaken once the range of changes that we are currently planning and
implementing is substantially in place. We expect this work to be
completed in about 18 to 24 months.
Again, let me thank you for the opportunity to comment on your draft
report.
Sincerely yours,
Shengman Zhang
Acting President:
Signed by Shengman Zhang:
[End of section]
Appendix IV: Comments from the Department of the Treasury:
DEPARTMENT OF THE TREASURY WASHINGTON, D.C. 20220:
May 21, 2003:
Ms. Jeanette M. Franzel Director:
Financial Management and Assurance U.S. General Accounting Office
Washington, DC 20548:
Dear Ms. Franzel:
Thank you for the opportunity to comment on the General Accounting
Office's draft report, "World Bank Group: Important Steps Taken on
Internal Control but Additional Assessments Should be Made", on the
sufficiency of external audits of the financial operations of the World
Bank Group (WBG), prepared in response to section 803 of the Foreign
Operations Appropriations Act, FY2001. [NOTE 1]
The draft report:
* outlines what is, and what is not, covered by financial statement
audits of the external auditor;
* documents the active role of the Audit Committee of the WBG's
executive boards in overseeing the external audit process and
communicating about those audits with both the external auditors and
the WBG's boards of directors;
* emphasizes that the external auditor is not required by the charters
of the four respective entities of the WBG to audit or provide
assurances with respect to internal controls over operations and
compliance;
* affirms that the current external audits are sufficient;
* publicizes that the Fiscal Year 2002 annual reports of IBRD/IDA, IFC
and MIGA included for the first time two letters - 1) management's
assertion and 2) the external auditor's attestation regarding
management's assertion, with respect to internal controls relating to
external financial reporting;
* highlights that there are three categories of internal control: 1)
financial reporting; 2) operations; and 3) compliance; and:
* lists eleven units --including the Internal Auditing Department, the
Loan Department, the Quality Assurance Group, and the Operations
Evaluation Department--that currently are responsible for IBRD and IDA
internal controls.
The draft report recommends that Treasury instruct the U.S. Executive
Director of the WBG to take the lead in working with other Executive
Directors to develop a policy requiring the WBG entities to further
enhance the audit function and reporting of their financial operations.
GAO states that "this would entail conducting a comprehensive
evaluation of internal controls over
operations and compliance to determine whether such controls are in
place and are functioning properly... and report annually to the board
of executive directors through the audit committee on the progress
made." (pp. 24-25). GAO suggests several options for carrying out this
evaluation: 1) through the internal audit function; 2) by the external
auditor in conjunction with the financial statement audit; 3) by
another entity within the Bank Group; or 4) by an external party such
as a consultant.
As you know, the Treasury Department has given, and will continue to
give, strong support to oversight mechanisms to help assure productive
development assistance. An effective control environment is essential
for the World Bank Group - the International Bank for Reconstruction
and Development (IBRD), the International Development Association
(IDA), the International Finance Corporation (ITC), and the
Multilateral Investment Guarantee Agency (MIGA). We have worked with G-
7 partners and other member countries on a number of initiatives in
this area which aim to:
* strengthen the WBG's internal control mechanisms;
* assure compliance with safeguard and fiduciary policies;
* put in place independent operations evaluation units;
* ensure that operations and strategies are designed around results
measurement frameworks; and:
* enhance the development effectiveness of WBG project and non-project
assistance.
The WBG awards the external audit contract through a competitive
selection process. Recently, the Audit Committee and the Board, with
our active support, strengthened the principles for the appointment of
the external auditor of the WBG. As of Fiscal Year 2004, the following
practices will apply:
* audit firm tenure of "5 years plus 5 years" with the ability of the
incumbent to re-bid after the first 5 years;
* mandatory rotation of the audit firm after 10 years provided that the
Audit Committee may exceptionally recommend that circumstances are such
that the incumbent audit firm should be allowed to participate in the
re-bidding;
* audit firm senior partner rotation every 5 years;
* Audit Committee review of the audit firm's performance at mid-term (30
months);
* audit firm exclusion from being eligible to provide pure consulting
services (effective February 2003); and:
* audit firm eligible only to provide certain extremely and strictly
limited "audit-related"consulting services, to be approved on a case-
by-case basis by the Executive Directors or Directors of the respective
Boards with the Audit Committee's recommendation (effective February
2003).
The financial statement audits by external auditors are important
because they provide assurances to the entities of the WBG, their
bondholders and member country governments. We have worked with other
members of the executive boards of the WBG to strengthen the financial
statement audit process. We have also worked to assure that the Audit
Committee of the executive boards exercise oversight over and maintain
a dialogue with the external auditors.
Since the WBG has a number of units that have an internal control
function, we are pleased that Bank Group management's response, which
is published in this report, states that the WBG welcomes the GAO's
suggestion that the WBG conduct a comprehensive assessment of internal
controls over operations and compliance. We agree with GAO's
recommendation that it would be useful for the United States to work
with other chairs to develop a policy that would require the WBG to
conduct a comprehensive evaluation of internal controls over operations
and compliance and to report the results of the evaluation through the
Audit Committee to the Board of Executive Directors. Our view, however,
is that GAO's recommendation for annual evaluations of this nature is
excessive and unnecessary because the overall structure of internal
controls changes infrequently and usually marginally. We believe that a
one-time comprehensive evaluation with appropriate periodic updates is
a reasonable approach. We will be instructing the U.S. Executive
Director of the WBG to proceed on this basis.
We attach enormous importance to working to ensure strong internal
controls for all entities of the WBG. The GAO's draft report documents
the "sufficiency" of the external audits of the WBG. The draft report
states that "each entity has received an unqualified or `clean' audit
opinion on their financial statements for the three most recent years."
( p.12). We intend to continue to support appropriate and strong
internal control environments at the WBG, which are essential to
enhancing project quality and the effectiveness of development
resources.
Sincerely,
[See PDF for image]
[End of figure]
William E. Schuerch
Deputy Assistant Secretary
Multilateral Development
Banks and Specialized Development Institutions:
Signed by William E. Schuerch:
NOTES:
[1] Section 803(a). "ANNUAL REPORT ON FINANCIAL OPERATIONS. -Beginning 180
days after the date of enactment of this Act, or October 31, 2000,
whichever is later, and on October 31 of each year thereafter, the
Comptroller General of the United States shall submit to the
appropriate congressional committees a report on the sufficiency of
audits of the financial operations of each multilateral development
bank conducted by persons or entities outside such bank."
(P.L. 106-429).
[End of section]
(194069):
FOOTNOTES
[1] Foreign Operations, Export Financing, and Related Programs
Appropriations Act, 2002 (Public Law 107-115), which states that these
funds are available to the MDBs until expended.
[2] The first in this series was Multilateral Development Banks:
Profiles of Selected Multilateral Development Banks (GAO-01-665, May
18, 2001) and the second was Regional Multilateral Development Banks:
External Audit Reporting Could Be Expanded (GAO-02-27, December 14,
2001).
[3] The Bank Group actually consists of five closely associated
institutions but one of them--the International Centre for Settlement
of Investment Disputes--is not within the scope of our work required by
Public Law 106-429.
[4] The European Union consists of the following countries: Austria,
Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy,
Luxembourg, the Netherlands, Portugal, Spain, Sweden, and the United
Kingdom.
[5] Internal control comprises the plans, methods, and procedures used
to meet missions, goals, and objectives and, in doing so, supports
performance-based management. Internal control also serves as the first
line of defense in safeguarding assets and preventing and detecting
errors and fraud. In short, internal control, which is synonymous with
management control, helps program managers achieve desired results.
[6] Member countries that borrow from the Bank Group are generally low-
and middle-income countries in need of social or economic development.
[7] IBRD and IDA are separate entities, but the term "World Bank" is
commonly used to refer to them as one.
[8] Callable capital is a form of capital that is subscribed by members
and resembles promissory notes from members to honor Bank Group debts
if the Bank Group cannot meet its obligations through other available
resources.
[9] Credit risk refers to the risk of default by a borrower or
guarantor that may result from nonperformance under the terms of
lending agreements.
[10] Article VI, Section 11(a) of the Articles of Agreement of IDA.
[11] Private sector standards and guidance for financial statement
audits do not require the auditor to provide an opinion on the
effectiveness of internal control when performing a financial statement
audit. Financial statement audits are not intended to provide a basis
for the evaluation of the overall quality of the entity's system of
internal control. Therefore, in a typical financial statement audit,
many controls designed to ensure the reliability of financial
reporting, effectiveness and efficiency of operations, and compliance
with key provisions of bank charters may not be tested.
[12] COSO provides a framework designed to assist management in
assessing its internal control system against an established standard
to help identify basic weaknesses in operations, financial reporting,
and legal/regulatory compliance controls and act to strengthen them.
See appendix I for a description of the five components of internal
control under the COSO framework.
[13] The controllers' departments within IBRD, IDA, IFC, and MIGA
oversee the internal control framework and focus on financial integrity
and control, financial reporting, and monitoring.
[14] Attestation standards apply whenever the auditor has been engaged
to provide assurance or report on a subject matter that is the
responsibility of another party. Certain engagements, such as a
financial statement audit, are not subject to attestation standards.
[15] World Bank, Helping Countries Combat Corruption: Progress at the
World Bank Since 1997 (Washington, D.C., June 2000).
[16] World Bank Operations Evaluation Department, 2002 Annual Report on
Operations Evaluation (Washington, D.C., 2002).
[17] See Helping Countries Combat Corruption.
[18] World Bank Operations Evaluation Department, Clean Government and
Public Financial Accountability, OED Working Paper Series No. 17,
(Washington, D.C., Summer 2000).
[19] In addition to the audit committee, the Bank Group has a
Multilateral Audit Advisory Group that is tasked with advising the
audit committee on audit requests by Supreme Audit Institutions, such
as GAO, assessing compliance with the agreed terms of reference for the
audit, assessing adherence to the agreed ground rules, and providing
objective comment on the resulting audit reports.
GAO's Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office
441 G Street NW,
Room LM Washington,
D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.
General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.
20548: