board of directors audit committee - asian development bank · board of directors audit committee...
TRANSCRIPT
Board of Directors Audit Committee
ANNUAL REPORT
OF THE
AUDIT COMMITTEE OF THE BOARD
2008–2009
18 September 2009
I. BACKGROUND AND OVERVIEW
1. In line with Article 31 of the Agreement Establishing the Asian Development Bank (ADB) and Section 12 of the By-Laws, the Audit Committee of the Board (ACB) assists the Board of Directors in carrying out its responsibilities as they relate to the oversight of ADB’s financial reporting and audits, including internal controls.
2. During the period covered by this report (1 July 2008 to 30 June 2009), the ACB continued to operate under the terms of reference approved by the Board of Directors in April 2005 (Appendix 1). The ACB agreed with the findings of ADB’s outside auditor, which concluded that the financial statements present fairly, in all material aspects, the financial position of ADB.
3. The ACB identified a range of issues, which formed the basis of its work program for the reporting period (Appendix 2). Key activities completed by the ACB were as follows:
(i) reviewing the annual financial statements and Management's discussion and analysis with ADB’s outside auditor, and reviewing the quarterly financial statements;
(ii) monitoring the implementation status of audit recommendations and reviewing of audit issues;
(iii) monitoring the selection process for the outside auditor; (iv) monitoring progress towards the adoption of principles for the selection of
outside auditors; (v) reviewing Management’s assertion and the outside auditor’s attestation
concerning the adequacy of internal controls over external financial reporting; (vi) monitoring progress on the implementation of the Information Systems and
Technology Strategy (ISTS II) and other information technology (IT)-related activities;
(vii) monitoring the work of the Risk Management Unit (RMU), including reviewing ADB’s risk management capability and monitoring of progress on integrating risk management in ADB, and the recommendations made by the outside auditor on the RMU; and
(viii) monitoring progress towards a whistleblower protection policy.
A. Composition of the Audit Committee of the Board 4. From 1 July 2008 to 30 June 2009, the ACB membership comprised the following six members of the Board of Directors:
(i) Executive Director Kyung-Hoh Kim (from 22 October 2008, replacing Patrick Pillon as chair);
(ii) Executive Director Curtis S. Chin; (iii) Executive Director Michele Miari Fulcis (from 22 October 2008, replacing
Patrick Pillon as member); (iv) Alternate Executive Director Richard Edwards (from 18 August 2008,
replacing Ugur Salih Ucar); (v) Alternate Executive Director C J (Stan) Vandersyp; and (vi) Alternate Executive Director Md. Aminul Islam Bhuiyan (from 3 November
2008, replacing Nima Wangdi). B. ACB Meetings 5. From 1 July 2008 to 30 June 2009, the ACB held 10 meetings. Other executive directors, alternate directors, directors’ advisors, and staff also attended the meetings as
2
observers. In addition, the ACB met with staff from the Controller’s Department (CTL), the Office of the Auditor General (OAG), the RMU, the Office of Information Systems and Technology (OIST), the Central and West Asia Department (CWRD), and ADB’s outside auditor—formerly PricewaterhouseCoopers LLP, Singapore, (PwC) and currently Deloitte & Touche LLP, Singapore. The ACB met with Deloitte independently as well as jointly with ADB staff. The selected issues were discussed openly and frankly, and on many occasions were supplemented with audiovisual presentations, written handouts, and/or written explanations, as requested. Staff from the Office of The Secretary (OSEC) and the Office of the General Counsel (OGC) were also present in ACB meetings. The ACB appreciates the support provided by staff from these departments and offices in implementing its work program, as well as the inputs and explanations provided by the members of the outside auditor’s team.
II. AUDIT-RELATED WORK REVIEWED BY THE COMMITTEE
A. Review of the 2008 Outside Auditor’s Audit Strategy Memorandum
6. The ACB reviewed three key areas of focus of the outside auditor, in addition to the statutory audit work carried out by PwC:
(i) The possible conversion from Generally Accepted Accounting Principles in the United States (US GAAP)—the current accounting principles used by ADB—to International Financial Reporting Standards (IFRS), in line with blue chip companies and some other multilateral development banks (MDBs) that have already started the conversion process. The anticipated time frame for conversion is from 2012 to 2017. PwC indicated that the conversion exercise may take 3–4 years, and ADB could finalize the process between 2012 and 2015, if ADB chooses to convert. The ACB noted that IFRS requires a higher degree of judgmental components compared with US GAAP, which is more rules based. Therefore, the ACB will need to understand those areas that involve judgment, and how ADB’s Management would exercise such judgment.
(ii) IT governance, particularly monitoring any risks to ADB from an IT perspective.
(iii) ADB's liquidity and valuation of its assets and liabilities, including derivatives and loans, and possible risks, and whether the risks are adequately disclosed.
7. The ACB referred to the main recommendations included in a 2007 PwC Report on the Risk Management Function. The committee requested a review of the implementation of these recommendations as part of the 2008 statutory audit. B. Review of the Outside Auditor’s Management Letter Recommendations
Implementation Report as of 30 June 2008
8. The ACB reviewed the biannual report produced by the Office of the Auditor General, Audit Division (OAGA), in which audit-related recommendations made by the outside auditor are followed up. The ACB also had an opportunity to hold executive sessions with PwC. 9. The ACB is aware that a decision to implement or not to implement an audit recommendation is up to Management, and that the outside auditor provides impartial advice in this regard. The ACB's role is to bring issues to the attention of Management,
3
and in this respect the ACB thanks the auditor general for transmitting its views and concerns to Management. 10. The ACB noted that several audit recommendations from previous years were still pending, including some high-risk recommendations and several IT-related recommendations. C. Review of the Audit Recommendations Semiannual Report as of 30 June
2008
11. The ACB reviewed the report prepared by OAGA, which provides the implementation status of high-risk audit recommendations in each of the functional areas: financial and administrative area, IT-related audits, and operational and resident mission audits. The ACB noted that the implementation rate is relatively high (55%) with 45 of 82 high risk recommendations implemented. This compares favorably with implementation rate in the previous report of 31 December 2007. The implementation status for high-risk audit recommendations is now being reported semiannually instead of annually. The ACB noted that 35% of the high-risk audit recommendations were in progress at the time of the review, while the implementation deadline had not been reached for 10% of the recommendations.
12. The ACB appreciated that the implementation rate for operational and resident mission audit recommendations is higher than the average, in part because of the implementation efforts by CWRD on recommendations with regard to the Tajikistan Resident Mission audit and by the Southeast Asia Department (SERD) on loan and technical assistance (TA) portfolios administered by the Indonesia Resident Mission. The ACB also reviewed treasury and risk management audits, as well as those high-risk audit recommendations that have been outstanding for more than 12 months, such as those related to the RMU, Pakistan Resident Mission, and IT. D. Selection of ADB's Outside Auditor
13. Following the expiration of the contract with PwC at the end of 2008, the ACB requested a competitive process to be conducted for the selection of the outside auditor, and reviewed the selection process. In accordance with its terms of reference, the ACB nominated one of its members to participate in the selection process as an observer. The ACB is satisfied with the transparency of the selection process conducted by an evaluation committee appointed by ADB's President, as well as with the outcome of the selection. The evaluation committee recommended to the ACB that the highest-ranked firm of the four bidders be appointed as ADB's outside auditor for FY2009–2012. On 5 December 2008, the Board of Directors decided to appoint Deloitte as ADB's outside auditor upon the recommendation of the ACB. Negotiations on a contract with Deloitte were finalized and work on the transition between PwC and Deloitte started in early 2009. 14. The ACB notes that Deloitte has been the outside auditor for the World Bank and the African Development Bank, and is hopeful that the firm will bring valuable experience to ADB. The ACB highlighted the need to secure high-quality professional external auditors, especially those with audit experience at similar MDBs. The ACB discussed the need for the ADB to have a policy on principles for the appointment of the outside auditor.
4
E. Review of the 2009 Work Program of the Office of the Auditor General
15. The ACB was pleased that the OAG is fully staffed both in the audit (OAGA) and integrity (OAGI) divisions in terms of professional staff at the time of reporting. For OAGI, the ACB noted that investigations were being concluded on a timely basis, including sanctioning individuals and firms for breaches of the Anticorruption Policy (1998, as amended to date). The ACB noted the junior level of some professional staff in OAGI and supported the need to raise staff levels to bring them more in line with the demands and complexity of the work being conducted and with the practice at the World Bank. For 2009, the ACB supports OAGI's focus on more proactive work as opposed to reactive investigations, including spot-checks, supervision and implementation audits, and working together with executing agencies and regional departments in project design and implementation to help in prevention. The ACB recommends the following objectives for OAGI in 2009: (i) consolidating and updating whistleblower protection; and (ii) increasing cooperation with other MDBs on sanctions, prevention, and cooperation in anticorruption investigations. 16. With regard to OAGA, the ACB supported the audit work conducted in IT, finance, and administration, and also supported the work to be conducted in the operational areas in 2009. The ACB noted that if ADB continues to increase its private sector operations, more staffing resources would be required for nonsovereign operation audits. The ACB recommends the following objectives for OAGA in 2009: (i) finalizing the 2008 statutory audit with PwC and starting the transition with Deloitte; and (ii) assisting the ACB in drafting principles for the appointment of ADB's outside auditor. F. Review of the Internal Audit Division’s Status of Implementation of its 2008
Work Program and of the 2009 Audit Work Program
17. The ACB was satisfied with the audit completion ratio presented by OAGA for 2008, noting that several audits had been conducted in a challenging environment. The ACB supported OAGA's decision to increase the follow-up for high-risk audit recommendations from annually to semiannually. The ACB noted that 40% of audits had been scheduled in the operational areas for 2008, and a similar level was also planned for 2009. The ACB noted that the IT area accounts for about 40% of audit recommendations, because of the many new developments with the implementation of ISTS II and several IT systems going live. The ACB also noted that ADB's disaster recovery sites abroad and in the Philippines had moved locations, which has required OAGA to observe and report on the disaster recovery tests performed by ADB. 18. The ACB noted that a vacant treasury auditor position had been filled in November 2008. As such, treasury audits will resume their planned cycle for 2009. With regard to the audit of trust funds, which OAGA is mandated to do, the ACB noted that five certifications to donors were provided in 2008, and seven were expected to be completed in 2009. 19. The ACB also noted an unusually large number of outstanding audit recommendations (625) in 2008, in part because of the audits of resident missions. The ACB urged OAGA to follow up to confirm the implementation status of recommendations. The ACB supported OAGA's possible purchase of audit management software to help making the audit work, risk assessments, and follow-ups more efficient.
5
G. Review of the Integrity Division 2008 Annual Report
20. The ACB recognizes the importance of fighting fraud and corruption for ADB’s development mission. The ACB noted a slight decrease in the number of allegations in 2008 compared to 2007, and that 2008 closed with 151 open complaints or investigations. The ACB noted that from 1998 to 2008 ADB has sanctioned 552 firms and individuals—a number that was large compared to the World Bank—although ADB has a much smaller budget for investigations compared to the World Bank. 21. The ACB strongly supports the greater use of resources to build a culture of integrity throughout ADB. This would include regular consultations with departments, sharing information on allegations, and strengthening project implementation to prevent corruption, as well as the greater disclosure and wider dissemination of information on sanctions both at headquarters and in resident missions. The ACB emphasizes the need for OAGI to be provided with adequate resources to carry out its important activities. 22. The ACB supported ADB's efforts with the other international financial institutions (IFIs) to harmonize definitions of fraud and corruption and investigative guidelines and policies, and encouraged ADB to consider undertaking joint investigations with other MDBs and increasing the exchange of information. 23. The ACB noted that the names of first-time offenders are not published, but a list of second-time offenders is published and available to all departments. One committee member requested that the ADB’s list of debarred firms and individuals be made publicly available on ADB’s website. 24. With regard to project and program performance audit reports (PPARs), the ACB appreciated the work that OAGI has done in developing this anticorruption tool. Further, the ACB urges OAGI to adopt a whistleblower policy that reflects best practices, and also requests that the protection policy be at par with the best practices of its comparators.
25. The ACB supports the reorganization of OAG by separating the Integrity Division and the Internal Audit Division in terms of their reporting line—reporting directly to the President and to the ACB—in line with best practice.
H. Audit Issues Discussed Relating to the Afghanistan Resident Mission
26. The ACB noted the overall conclusion of OAGA's audit, which highlighted that risk management, governance, and control processes suffered from a considerable number of weaknesses and needed significant improvement. The ACB recognizes the difficult conditions in Afghanistan and appreciates the constructive approach taken by CWRD in implementing the recommendations resulting from the audit, and noted the improvements following the appointment of a new country director in 2008. However, the ACB notes that the tough conditions and weak capacity in Afghanistan are not an excuse for noncompliance with rules and procedures, poor coordination, insufficient oversight, and weak management. The ACB urged Management to accept responsibility for the situation, as well as for the measures that have now been put in place. Although the ACB received reassurance from OAGA that there was no indication of fraud or corruption on the part of ADB staff identified as a result of the audit, the committee urged Management to pay careful attention to resident mission audits, particularly since this was the first audit of the Afghanistan Resident Mission.
6
27. The ACB was pleased that previous audits of the Tajikistan and Azerbaijan resident missions had been generally satisfactory, but urged ADB to continue to invest in staff training in resident missions to prevent similar issues arising in them. The ACB supports the need for OAGA to focus on operations and resident mission audits, as well as the increased use of resources for these. However, the committee noted that, because of staff constraints, some resident mission audits need to be prioritized, especially in those resident missions with a higher risk assessment.
I. Review of the Outside Auditor's Report on the 2008 Audit of the Asian Development Bank and the Outside Auditor's Audit Recommendation and Implementation Report as of 31 December 2008 (PricewaterhouseCoopers)
28. The ACB joined the outside auditor in congratulating staff on the successful accomplishment of the assertion and attestation exercise, noting that attestation places ADB in a stronger position before its shareholders. The ACB noted that there was no material weakness and that two "significant" deficiencies were reported as part of the attestation: (i) observations on spreadsheet controls to ensure data accuracy by having adequate change management processes, validation checks, and security, given the significant number of spreadsheets in use; and (ii) access controls for IT applications, to enhance data protection and IT security.
29. The ACB also noted the progress made in risk management, but expressed concern on staffing in view of the new credit process and new nonsovereign initiatives in response to the ongoing global financial crisis (e.g., the expanded Trade Finance Facilitation Program).
30. The ACB urged Management not to delay the purchase of a system to continuously monitor value at risk (VaR), even if costly, since the risk function is not an area where ADB should be cutting costs.
31. The ACB thanked PwC for their close cooperation and dedication as ADB's external auditor for the past 12 years.
J. Review of the Outside Auditor's Strategy Document 2009 32. Since its appointment as ADB's outside auditor, Deloitte has started implementing a transition plan to take over from PwC. The ACB carefully reviewed the audit plan proposed by Deloitte for 2009, and supported the proposed focus on the following key areas: (i) procedures related to loans and guarantees, particularly in view of the current economic situation; (ii) any possible increase in nonperforming loans; (iii) the increase in capital stock in relation to the last general capital increase (GCI V) to ensure that it is properly accounted for; (iv) accounting estimates and fair value measurement, which has become a challenge for the accounting profession and a risk for many organizations; and (v) risks associated with assets and liabilities, ensuring these have been properly disclosed in the financial statements. 33. The ACB emphasizes the need for Deloitte's audit work to be conducted with strict independence. The ACB also supported the proposal that Deloitte conducts an information session for the Board on the latest changes in accounting standards that may impact ADB. 34. The ACB also asked Deloitte to consider areas where CTL could be strengthened, particularly in view of the need to annually validate attestation, as well as to review the IT
7
function in view of the audit implementation results showing IT falling behind in terms of the proportion of audit recommendations implemented. K. Review of OAGA's Audit Recommendations and Implementation Report as of
31 December 2008
35. The ACB reviewed this second annual report prepared under OAGA's new risk-based approach approved by the ACB in late 2007. The committee appreciated the improvements in the report's format with new sections added on accountability, as well as on ongoing 2009 audits in addition to those completed in 2008. 36. The ACB continued to express concern with the slow implementation rate of some IT recommendations. With regard to risks in ADB’s loan operations, the ACB supported OAGA's focus on resident missions and nonsovereign risk. 37. The ACB also expressed concern that the auditor general had requested two additional professional staff positions for OAGA and OAGI each for 2009 but had been given only one position. 38. The ACB reviewed the summary of a total of 722 audit recommendations, of which 125 were carried forward from previous years. The ACB noted that 64% of the recommendations relate to operational areas and resident missions, 26% to IT and IT security, and 10% to the area of Finance and Administration (F&A) including Treasury, CTL, Office of Administrative Services (OAS), RMU, and other administrative audit areas. 39. The ACB noted that as a result of OAGA's follow up (i) 423 of the 722 audit recommendations were implemented, resulting in an overall implementation rate of 59%; (ii) 344 of all implemented recommendations originated from audits undertaken in 2008, which translates to an implementation rate of 81%; and (iii) 117 (16%) of the 722 recommendations are in progress or are partly implemented, while a few recommendations were disposed of or deferred. 40. The ACB noted that a large proportion of the 2008 audit recommendations stem from a set of Afghanistan-related audits, which carry an implementation deadline of June 2009. The ACB will be reviewing implementation during its next reporting period. Partly because of the significant number of recommendations that are not yet due stemming from the Afghanistan-related audits, the ACB noted that the implementation rate of high-risk audit recommendations is 53%, slightly lower than the overall average of 59%. 41. The ACB was pleased with the satisfactory implementation rate in the areas of F&A, which did not have any outstanding high-risk recommendations, and in the area of operations and resident missions, which had only a few recommendations in progress. However, it expressed concern that IT is lagging with a higher number of recommendations in progress. 42. During 2007–2008, the audit approach has been refocused to include more audits of resident missions and operational areas. The ACB noted 222 recommendations on Afghanistan alone. The ACB supported the approach proposed by OAGA to continue to look at resident missions and prescreen loan portfolios in some countries. The ACB was pleased to observe fewer recommendations in the area of F&A because of the attestation exercise, which has forced staff to keep up controls, test them, and keep them up to date.
8
On the other hand, the ACB noted that the number of audits has increased with the implementation of ISTS II. 43. The ACB carefully reviewed the risk level of each audit recommendation presented by OAGA, noting that 63% of all recommendations made were classified as medium risk, 21% as high risk, and 16 % as low risk. The ACB highlighted that the percentage of high-risk recommendations is high compared to other MDBs, but it was noted that ADB follows a stringent audit methodology that assesses risk consistently and conservatively based on impact and likelihood. 44. The ACB also noted the importance of the aging analysis in OAGA's follow-up exercise, i.e., those recommendations that are beyond their implementation target dates by 1–6 months, 7 –12 months, or more than 1 year. The ACB noted two high-risk recommendations as well as eight medium-risk recommendations that are delayed for more than 12 months, and the ACB will be following up on their progress. 45. The ACB reviewed and agreed with OAGA's recommendations in several areas, such as the need for the implementation of measures in several operational areas and resident missions to enhance the accuracy, reliability, and realistic ratings of project performance reports (PPRs), as well as remedial action with regard to the monitoring of and compliance with loan and/or contract covenants. 46. To improve the administration of project loans, the ACB noted that OAGA has carefully reviewed processes and internal controls at the interfaces between ADB, the executing agencies, and the project management unit. OAGA recommended: (i) executing agencies complying with the timely submission, and ADB operations departments with the timely review, of the audited project accounts (APAs); (ii) following up with the executing agencies on remedial actions to rectify external audit recommendations; and (iii) obtaining all required management letters and audit opinions on financial loan covenants and special disbursement procedures from the external auditors. The ACB supports that, whenever possible, OAGA engage in a dialogue with the external audit firms or supreme audit institutions to establish a relationship and to convey improvements OAGA considers necessary to execute the audit process. 47. In light of the current financial crisis, the ACB strongly supports OAGA's focus on the implementation of Treasury and RMU recommendations. The ACB noted that many long-outstanding audit recommendations could be closed with the introduction of the treasury investment and risk management guidelines, which also include a new product process. The ACB noted that major benefits could be reaped from the introduction of a dedicated risk management system that would also reduce dependence on outside valuation agents. Several long-outstanding audit recommendations have been deferred as they depend on the introduction of this risk management system. The ACB continued to express concern over the long delay in the purchase of the risk management system, and will continue to follow up on the status of its procurement. 48. The ACB noted that overall OIST's ability to provide reliable and secure IT services has improved in recent years, with IT governance and project management structures set up and operating. However, OIST is still facing several challenges that have a significant impact on the security and availability of ADB's IT resources, as well as the ability of OIST to deliver quality IT projects on time and within budget. The ACB recommends that OIST continue to improve internal operational processes that have an impact on the operability of ADB's IT systems and security management practices, as well as ensuring that IT
9
services are available to users at ADB's headquarters and in resident missions. The ACB noted that incident monitoring and response activities require further strengthening to effectively fight computer and hacker attacks against ADB's network and IT resources. IT security governance needs to be prioritized in OIST to implement and run effective IT security and operations measures. Effective project management is another challenge observed by the ACB. Although IT committees meet regularly to exercise proper IT governance in ADB, the ACB noted that a more comprehensive IT benefit measurement and management approach is still to be achieved in ADB. The ACB noted the large IT expenditures under ISTS II and asked Deloitte to carefully review these expenditures in its 2009 audit.
III. FINANCIAL STATEMENTS AND ATTESTATION WORK REVIEWED BY THE AUDIT COMMITTEE
A. Review of the 2008 Annual Financial Statements
49. After reviewing the quarterly financial statement for the period ending 30 September 2008, the ACB noted that the results remained stable overall, despite the economic crisis. The ACB observed that net income had decreased by about 20% mostly because of unrealized losses resulting from fair valuation. The ACB considers net income before unrealized loss, or operating income, as a more relevant indicator, since it indicates allocable income. The committee noted that it has only marginally decreased as compared to 2007, after increases in 2006 and 2007. The ACB also noted that loan income decreased slightly in part because of lower market interest rates, while investment income increased slightly in part because of increased investments, with equity investments and guarantees and other sources of income showing some fluctuation. 50. The ACB noted that borrowing expenses decreased, mostly because of the market interest rate decline. Nonborrowing expenses increased, including increases in salaries and travel-related expenses. The ACB observed that the allocation of administrative expenses was larger for ordinary capital resources (OCR) than for the Asian Development Fund (ADF). 51. The ACB was reassured by the controller that the results did not reflect any significant concerns. The controller reiterated that, despite the financial crisis, ADB’s financial statements were not significantly affected, in part because a large portion of ADB’s investments are in time deposits and high-quality investments. The ACB urged the Treasury Department to continue to carefully monitor ADB’s financial market activities throughout the crisis, and supported the important role carried out by CTL in verifying the accounting treatment of ADB's investments, as well as fair valuation and loan loss provisioning and reserves. 52. The ACB also carefully reviewed ADB's financial statements for FY2008, noting the following distinguishing features: (i) operational volume continued to grow, as reflected in the increase in loan approvals, loan disbursement, and net resource transfers; (ii) operating income has decreased; and (iii) changes in accounting standards resulted in considerable gains in relation to fair valuation in OCR, as well as an increase in realized gains in ADF because of the conversion of currencies into special drawing rights. B. Assertion and Attestation on Internal Control Framework 53. The ACB has been reviewing ADB’s internal control framework over external financial reporting carefully since 2005, and is pleased with the progress made in 2008.
10
Activities reviewed included the review of business- and entity-level controls, focusing on the design and operating effectiveness of internal control systems. The ACB is pleased that Management’s assertion and the outside auditor’s attestation have been achieved, and that the Management’s assertion letter was included in ADB’s Annual Report. Likewise the ACB is pleased to note that the outside auditor's opinion incorporated a clean attestation on Management's assertion. The ACB noted the importance of ensuring the reliability of external financial reports, which serves to enhance ADB’s corporate governance.
54. The ACB reviewed the outside auditor’s assessment of ADB’s readiness for attestation for 1 January to 31 March 2008, and appreciated the support of PwC for the attestation exercise for FY2008. The ACB noted that PwC’s work included assisting ADB in assessing the design effectiveness and operating effectiveness of internal controls, and identifying documentation gaps and design and operating deficiencies. The committee supported PwC's recommendations as well as the staff training provided.
55. The ACB noted that some of PwC’s findings showed some gaps and deficiencies. Although no high-risk deficiencies were identified, the ACB urged Management to ensure that deficiencies are remediated and further subjected to compliance testing. The ACB supported internal testing approach since this increases staff awareness of internal controls, and helps improve documentation of processes and controls, which enhance governance. The ACB was reassured by CTL and OIST that the two significant deficiencies found—access controls and spreadsheet controls—did not have any material impact on financial reporting. The ACB noted that since attestation is an annual exercise, the progress on remediation of deficiencies would have to be carefully reviewed by the new outside auditor. The ACB will follow this up in its next reporting period.
IV. RISK MANAGEMENT ACTIVITIES REVIEWED BY THE AUDIT COMMITTEE
56. The ACB reviewed the activities of the RMU since June 2008, and the implementation by ADB of the recommendations provided by PwC for ADB to have an effective risk function, and noted that many had been implemented. These included the establishment of a risk committee in July 2008, chaired by the managing director general, and the institutionalization of quarterly reporting to the ACB. A few recommendations, however, still need to be implemented. 57. With regard to staffing in the RMU, the ACB noted that some vacancies at the time of reporting still remained unfilled, although the RMU had identified strong candidates. The ACB supports the provision of additional resources for the RMU, particularly in light of ADB’s increasing nonsovereign portfolio. The ACB was pleased with the significant increase in staff (30%) during 2009, although it expressed concern that the RMU was still not fully staffed. 58. The ACB noted that several specific technical recommendations made by PwC were progressing towards completion in 2009. With regard to risk processes and risk tools, the ACB noted that the review of the credit approval process had been completed, and the process was being improved and refined by a task force looking at private sector operations. The ACB supported the RMU's involvement in the credit approval process at the onset of each transaction, which addresses risk issues at an early stage in the process, in line with the practice of other MDBs. The ACB also noted (i) the development and implementation of a pricing tool that would be used to determine the required lending spread of nonsovereign loans to cover the risks; and (ii) the completion of the development of a risk-rating methodology for corporate, project finance, and banking transactions during the first quarter
11
of 2009. The ACB was pleased that, with the additional staff, the RMU could perform a portfolio monitoring function of existing transactions from 2009.
59. The ACB appreciates that the quarterly risk report has been revised to better present risk factors and any breaches in limits. With regard to the integrated risk management system and its procurement, the ACB noted that the RMU will present a business case and a capital budget in the second half of 2009, in coordination with OIST and others stakeholders. 60. The ACB noted other activities in which the RMU was involved, such as (i) the establishment of a long-term capital adequacy framework in September 2008, including the validation of ADB’s credit risk model; (ii) the conduct of a presentation to the Board, together with Treasury, on the impact of the financial crisis on ADB; (iii) a mission to Pakistan to review ADB’s nonsovereign transactions in the country in view of the crisis; (iv) enhanced monitoring of treasury risk after the collapse of Lehman Brothers, including the development of a watch list, together with Treasury, for ADB’s depositary and swap banks, as well as increasing the monitoring of limits for ADB’s external portfolio; and (v) undertaking of risk assessments for new nonsovereign transactions.
61. The ACB requested the RMU to inform the ACB of cases where Management may have overruled the RMU’s risk assessment for any transaction. A. Quarterly Presentation by the Risk Management Unit as of Q4 2008 62. In line with the outside auditor's recommendations on the ADB's risk management function, the RMU has to make quarterly presentations to the ACB. In its first presentation, the RMU presented key portfolio developments, RMU resources, proposed risk-related policies and methodologies, and the implementation status of the outside auditor's recommendations on the risk management function. 63. With regard to key developments in ADB's portfolio, the ACB noted the following:
(i) The sovereign portfolio is concentrated, with Indonesia, People’s Republic of China, and India representing more than 70%. Credit quality in the sovereign portfolio, which is 91% of the operations portfolio, was constant in the fourth quarter (Q4) of 2008.
(ii) The nonsovereign portfolio is more diversified, with nonsovereign credit quality having improved in Q4 2008 because of a large new transaction with a highly rated guarantor, although these ratings incorporate neither the economic downturn nor the transition to risk-based ratings. The nonsovereign portfolio is concentrated in the energy and finance sectors, which represented 75% of the portfolio at the end of 2008;
(iii) ADB is in compliance with all risk limits for nonsovereign operations, but the nonsovereign portfolio is nearing both the overall limit of $5 billion and the 25% country limit for India.
(iv) The RMU is working closely with the Private Sector Operations Department (PSOD) and other operations departments to maintain compliance, as well as planning to review these limits during 2009.
12
(v) ADB’s investments in several banks are under stress as a result of the global credit crisis. These banks are facing several major challenges, including flight of foreign capital, increasing loan defaults, and a funding squeeze. These banks have not defaulted on their ADB loans, mainly as a result of government support. RMU and PSOD will conduct a joint mission to undertake a detailed assessment of ADB’s exposures to these banks.
(vi) The RMU will work closely with PSOD to implement the new credit process to include annual reviews. Previously there was no formal requirement for this.
(vii) The expected loss as of the end of 2008 increased by $292 million to $502 million. The principal causes were a deterioration in sovereign credit quality in Q3 2008 and, to a lesser extent, loan growth.
(viii) In line with current provisioning policy for nonsovereign operations, the Board paper entitled Review of the Asian Development Bank's Loan Charges and Allocation of 2008 Net Income includes recommendations for (a) an increase in loan loss reserve of $298 million; and (b) allocation of 2008 net income in the same amount.
(ix) ADB faces two main risks in the Treasury portfolio: (a) market risk, which can be further divided between interest rate risk and foreign exchange risk; (b) credit risk, which can be broken down between default risk and counterparty risk. Credit quality in the Treasury portfolio is high with the weighted average credit rating of AA+. In addition, the portfolio is diversified between many debt issuers. ADB assumes counterparty risk when it deposits funds with banks. Despite the recent market turmoil, the RMU reassured the ACB that it is confident in the credit quality of its largest banking counterparties. ADB also assumes counterparty risk through its swap transactions. To reduce this risk, it requires institutions rated A-, A, or A+ to post collateral equal to the money it owes ADB—even institutions that are rated AA must post collateral if the money they owe ADB exceeds a certain threshold.
(x) As of Q4 2008, there were 11 outstanding breaches; all but four have been corrected, and they are not material as they result from ADB taking a more conservative position than the benchmark.
(xi) The annual assessment of capital adequacy shows that ADB has sufficient capital to absorb income losses from credit shocks as well as to ensure adequate post-shock equity to loan ratio (ELR) over the next 10 years to maintain a minimum loan growth of 3% per year. It was noted, however, that the ELR has declined from 41.3% at the end of Q3 2008 to 38.5% at the end of Q4 2008, mainly because of increased lending.
64. The ACB was pleased that the RMU has hired six professional staff in 2008, and noted that eight additional staff are allocated in the 2009 budget. 65. With regard to proposed policies and methodologies, the ACB was informed that ADB's Risk Committee has endorsed a new risk-rating methodology that was rolled out on 1 April 2009. The new methodology will allow for use of external default data, value
13
exposures based on credit risk, improve accuracy and consistency of risk assessment, and provide inputs to loan pricing. 66. The ACB was pleased that the major 2008 recommendations of the outside auditor have been implemented. The ACB noted that many of the detailed recommendations will be implemented soon as a result of the introduction of the new credit process, while some have been postponed. The ACB will follow up on these. 67. The ACB noted that ADB's portfolio is approaching the $5 billion limit and considered the pros and cons of country limits, acknowledging that ADB's current approach is to have enough capital to cover concentration risk. The ACB agrees that market participants, such as rating agencies, investors, and underwriters, have been comfortable with this approach, particularly because ADB's default experience has been negligible. The ACB emphasized the importance of running stress tests more frequently since country exposure can change rapidly, and supports the RMU's request for additional resources for this. The ACB supports regular assessment of ADB's capital, which can be included in the quarterly risk report. 68. The ACB recommends that the Board be informed of the RMU's assessment of projects before they go for Board consideration, in view of the Board's fiduciary responsibility to carefully assess all transactions. The ACB notes that the RMU's current mandate is limited to financial risk, and the committee emphasizes the importance of monitoring operational risk as well as reputational risk. 69. With regard to an outstanding external audit recommendation for a continuous (daily) system for monitoring VaR, which has been delayed until 2010, the ACB disagreed with Management's decision to defer the purchase of such software because of cost considerations. The ACB accepts the explanation that the current biweekly reporting frequency is adequate and that VaR is being monitored closely. However, it urged the RMU to move forward with the implementation of a risk management system that would provide daily VaR calculations before 2011, which is the date proposed by the RMU for implementation. The ACB believes that risk is not an area where ADB should be cutting costs for appropriate technology. B. Quarterly Presentation by Risk Management Unit as of Q1 2009
70. In the RMU's second quarterly presentation to the ACB, the ACB noted that the sovereign portfolio continued to be highly concentrated, with Indonesia, People's Republic of China, and India representing more than 70% of the portfolio. The nonsovereign portfolio is more diversified. One major change during the quarter was that Pakistan replaced Kazakhstan as the third-largest nonsovereign exposure. The ACB noted that credit quality in the sovereign portfolio did not materially change in Q1 2009. The ACB was pleased that ADB has introduced a new nonsovereign credit rating methodology that is modeled on the industry's best practice. The new methodology uses a rating scale of 14 categories instead of the previous 7, and is designed to analyze more effectively the probabilities of default. The ACB noted that the sovereign rating scale has also been expanded from 10 to 14 categories to ensure consistency with the new nonsovereign rating scale. The ACB noted that with the new rating scale, it is now possible to evaluate credit quality by sector. The concentration in energy and finance increased in Q1 to 79% following the expansion of the Trade Finance Facilitation Program (TFFP).
14
71. The ACB believes the exposure to the finance sector warrants additional monitoring given its greater correlation across countries compared to the energy sector, especially since PSOD is working on more projects in the finance sector. The RMU assured the ACB that this exposure is monitored closely, including through special review missions to Central Asia and other countries. The ACB noted that the Board has also discussed a working paper on prudential limits, which includes a proposal for new limits on finance sector exposure to ensure ADB is not overexposed. 72. The ACB supported the introduction of a watch list to monitor transactions with weaker counterparties that are at risk of default, noting that such transactions will receive quarterly instead of annual monitoring. 73. The ACB supported more frequent monitoring (rather than quarterly) and urged the RMU to inform the committee as soon as problems are detected. The ACB also requested to be kept informed on the development of ADB's portfolio in one DMC that is facing economic difficulty. The ACB proposed that a working group look at the key lessons of problem transactions and take them into account when processing new transactions. 74. In relation to the expansion of TFFP, the ACB cautioned that any significant expansion of a lending program carries implementation risks. PSOD, RMU, and OGC will need appropriate resources to ensure TFFP’s success. The ACB supported the requirement that the RMU assess and approve all new banks involved in TFFP as well as conduct an annual review of existing banks in the program. The ACB was reassured that PSOD will not be allowed to engage in any transactions unless such control measures are in place. The ACB supports additional resources for the RMU if necessary as the annual review volume increases in 2010. 75. In Q1, the weighted average risk rating of the Treasury portfolio remained AA+, while the percentage of the portfolio rated AAA fell from 66% to 57% following the downgrades of some sovereign issuers. The ACB noted the eight limit breaches as of the end of Q1 and that ADB has corrected only three, although the remaining breaches do not appear to pose any material risks to ADB. The ACB noted that, although capital still passed the income-based stress test, the excess ELR declined because of the more rapid projected loan growth and the deterioration of portfolio credit quality. 76. The ACB expressed concern over the increase in breaches because of the additional volatility. However, the RMU and Treasury reassured the committee that all breaches are closely monitored and that ADB's approach to investments remains conservative. 77. With regard to RMU staff, the ACB noted that there are five local staff vacancies to be filled in 2009 and three new professional staff vacancies, with one carried over from 2008. The ACB strongly encouraged that all vacancies be filled in the coming months, as recruitment took too long in 2008. The ACB also emphasized the need to look at staff retention issues since some recently recruited staff had left ADB. The ACB fully supports the upgrade of the RMU to an office in 2009, and the subsequent required increase in the experience and seniority of the staff. 78. The RMU explained that operational risk management activities will be carried out by each department and not by the RMU, whose role is to develop the overall operational risk framework and coordinate with other departments regarding the implementation and maintenance of this framework.
15
V. INFORMATION TECHNOLOGY-RELATED WORK REVIEWED BY THE AUDIT
COMMITTEE
A. Update on the Implementation of ISTS II and Other Information Technology-Related Activities as of 31 July 2008
79. The ACB reviewed the following items presented by OIST: (i) IT governance, (ii) ISTS II performance, (iii) internal controls with regard to attestation and security, (iv) IT-related audit activities, and (v) benchmarking of ADB against comparators. 80. The ACB expressed concern over the number of outstanding IT-related audit recommendations, including high-risk items, presented by OAG to the ACB, and for OIST lagging behind in implementation. The ACB also expressed concern that OIST is not focused on the cost–benefit analysis of IT investments despite the size of the planned investments under ISTS II, and requested that OIST update the ACB regularly on progress in this area. 81. Although discussed after the reporting period covered in this report, the ACB has been informed of an ongoing investigation by OAGI in the area of IT. The results and recommendation from OAGI have been provided for Management’s consideration. The ACB fully supports remedial action to avoid any such similar situations in future. The ACB noted that OIST was fully staffed with 21 professional staff positions. However, it encouraged the recruitment of higher-level IT professionals, noting that some OIST staff were leaving ADB. With regard to local staff, the ACB noted the talent drain to higher-paying jobs locally and abroad, and urged Management to develop measures to address this problem. 82. While the ACB noted that the Budget Committee of the Board was provided with detailed information on IT expenditures, the ACB requested that OIST provide the ACB with the metrics used by OIST to measure performance. 83. With regard to IT governance, the ACB urged continued rigorous oversight of IT projects and investments. The ACB also encouraged OIST to focus not only on headquarters and resident missions as clients, but also on ADB's DMCs in promoting IT development and governance.
VI. DISCLOSURE OF THE ACB ANNUAL REPORT
84. Previous annual reports of the ACB have been made available to the public. The ACB agrees that the 2008–2009 Annual Report does not contain information that is too sensitive or compromising for public disclosure and recommends that the Board approve its public release.
VII. AUDIT COMMITTEE RECOMMENDATIONS
85. For the ACB’s next reporting period from 1 July 2009 to 30 June 2010, the ACB recommends the following actions:
(i) Continue the periodic review of financial statements to ensure ADB’s strong financial position.
16
(ii) Continue to monitor ADB Management’s assertion and the outside auditor’s attestation on the adequacy of internal controls over external financial reporting.
(iii) Continue to review the risk profile of the ADB, particularly the activities of ADB’s private sector operations, and the financial and reporting implication of this.
(iv) Continue to review the implementation of outstanding IT-related audit recommendations and progress of OIST in addressing areas of concern, as well as IT governance issues in general.
(v) Monitor the finalization and implementation of the whistleblower protection policy.
(vi) Follow up on the separation of audit and integrity divisions currently under OAG into two separate units reporting to the President, and with a dotted line to the ACB.
(vii) Follow up and adopt principles for the appointment of ADB’s outside auditor.
(viii) Continue to review the progress towards the establishment of an integrated risk management framework in ADB under the RMU.
(ix) Review ADB's current policy of not publishing its sanctions list on the ADB’s external website.
(x) Review and, if needed, revise the ACB’s terms of reference.
Appendix 1
17
ASIAN DEVELOPMENT BANK
Audit Committee of the Board of Directors Terms of Reference
The Audit Committee is a committee of the Board of Directors established pursuant to Section 12 of By-Laws of the Asian Development Bank (ADB). Its function is to assist the Board of Directors in carrying out its responsibilities as they relate to ADB's financial reporting and audits, including internal controls, in line with Article 31 of the Agreement Establishing the Asian Development Bank. The Audit Committee shall periodically review the adequacy of the Terms of Reference for possible adjustments as conditions dictate, and recommend necessary amendments to the Board of Directors, for approval. 1. AUTHORITY 1.1 In discharging its oversight functions over matters within the scope of its responsibilities, the Audit Committee is authorized to:
(i) Perform activities within the scope of its terms of reference. (ii) Seek any pertinent information from the ADB as is necessary, and which
shall not be unreasonably withheld. (iii) Refer its requests for documents or information to the President. (iv) Seek briefings on relevant auditing, accounting, and financial matters it
has identified from staff member(s) designated by the President, including such staff that ACB has suggested, and request their participation in meetings.
(v) Meet with the outside auditor, as necessary. (vi) Advise the Board of Directors on the appointment of the outside auditor
and consider any question of the outside auditor's resignation and dismissal.
(vii) Consider the independence of the outside auditor, including the provision
of non-audit services by the outside auditor to the ADB. 2. COMPOSITION AND TENURE 2.1 The Audit Committee (the Committee) shall consist of not more than six members of the Board. The Chair and other members shall be appointed by the President in consultation with the Board. 2.2 The Committee members shall be free from any relationship that, in the opinion of the President, would interfere with the exercise of their independent judgment as members of the Audit Committee. The Committee members shall inform the President
Appendix 1 18
of any circumstances which reasonably may be perceived to interfere with the exercise of their independent judgment as members of the Committee. 2.3 The President shall, when appointing members of the Committee, appoint at least one member, having a background in accounting or related financial expertise, and who through education and/or experience would have a thorough understanding of financial, accounting and auditing functions1. In exceptional circumstances, where the Committee requires specific advice and assistance to be able to perform its functions and such advice and assistance is not available to the Committee members, including from within ADB, the Committee may request the President to engage such outside expertise and provide the necessary resources required for that purpose. 2.4 The Committee shall be appointed for a term of two years, commencing 1 July each year in which the election of Directors occurs. Members of the Committee may be reappointed. 2.5 If a member of the Committee ceases to be a member of the Board, the President, in consultation with the Board, shall appoint another Board member for the remaining term of the Committee. 3. MEETINGS 3.1 The Committee shall meet as often as it considers necessary, but not less than once per quarter. Other Board members may attend meetings of the Committee as observers. Directors' Advisors may attend the meetings of the Committee except as otherwise advised by the Chair of the Committee. 3.2 The Committee will meet at least once a year with the outside auditor without Management or ADB staff present. In addition, the Committee may meet with the outside auditor if requested by the Committee or by the outside auditor, as and when considered necessary. 3.3 The quorum for meetings of the Committee shall be three of its members. I f the Chair of the Committee is unable to be present in person at a meeting, the members of the Committee that are present shall select a member to preside. 4. RESPONSIBILITIES The Committee shall assess in its annual report the Committee's work and evaluate its performance annually relative to the Committee's purpose and responsibilities outlined herein. The Committee shall periodically review the adequacy of the Terms of Reference for possible adjustments. The Committee has an oversight function regarding current areas of financial risk and how these are being managed and satisfy itself that the ADB's financial reporting and audits, including internal controls, are adequate and efficient. In this regard, it shall in particular:
1 Section 10(a) of the Rules of Procedures of the Board of Directors states: "Membership of the Committees established pursuant to Section 12 of the By-Laws need not be limited to Directors or their Alternates. The President, in consultation with the Board, shall appoint the members of committees and shall designate the chairmen thereof."
Appendix 1
19
A. Financial Reporting 4.1 Review and if necessary discuss with the Controller the quarterly financial statements. 4.2 Review and discuss with the Controller, Auditor General and outside auditor the annual financial statements; major accounting and auditing issues and financial statements presentations, including any significant changes in the selection or application of accounting principles and auditing standards; and results of the audit by the outside auditor. 4.3 Review and discuss with the Controller, Auditor General, outside auditor and other ADB staff as required upon completion of the annual external audit before the financial statements are published, the draft annual financial statements and the related notes, the outside auditor's opinion and appropriateness of accounting principles, including disclosures under "Management's Discussion and Analysis of Financial Condition and Results of Operations". 4.4 Meet with the Controller and Auditor General on a periodic basis to discuss any matters of concern in the context of the disclosure of financial information and internal control. 4.5 Meet with the General Counsel to discuss any significant pending litigation that may have a material impact on ADB's financial condition. B. Outside Audit 4.6 Appoint an observer to the Evaluation Committee for the selection of outside auditor. 4.7 Review and discuss annually the scope of work and audit plan of the outside auditor and any material changes to the audit plan during the year. 4.8 Review and discuss the performance of the outside auditor and recommend to the Board of Directors for approval, the appointment, extension of services after the expiry of the contract period or termination of the engagement of the outside auditor. 4.9 Review and obtain a statement from the outside auditor to confirm annually the independence of the outside auditor. Consider non-audit services by the outside auditor, and if applicable, ensure that a framework for approval of non-audit services is in place. 4.10 Review and discuss the annual management letter from the outside auditor as a confidential document, and ensure that significant findings and recommendations made by the outside auditor and Management's responses thereon are reviewed, discussed, and appropriately acted upon. 4.11 Meet separately, as necessary, with the outside auditor to review and discuss any matters that the Committee or outside auditor believe should be reviewed and discussed.
Appendix 1 20
C. Internal Audit 4.12 Review and discuss annually the scope of work and audit plan of the Auditor General and any material changes to the audit plan during the year and, if necessary, request that specific audits be added to the work plan. 4.13 Review and discuss the effectiveness of the internal audit function. 4.14 Review and discuss the annual summary of the audit reports (Audit Recommendations Implementation Report) prepared by the Office of the Auditor General. Ensure that significant internal audit findings and recommendations and Management's responses are considered. 4.15 Meet separately with the Auditor General to review and discuss any matters that the Committee or Auditor General believe should be reviewed and discussed. 4.16 Be consulted prior to the engagement or appointment of, and on any intended removal of, the Auditor General. D. Internal Control 4.17 Review and discuss the effectiveness and integrity of the internal control system, including risk management, information technology security and control, and financial policies in such areas as trust fund administration, procurement policies and procedures, and financial management. 4.18 Review and discuss with the Controller, Auditor General and outside auditor issues with respect to financial systems, and review of internal controls over financial reporting, including significant findings and recommendations, and Management's responses thereon.
E. Anti-Fraud and Anticorruption Measures 4.19 Ensure that ADB has established and maintains appropriate, efficient and consistent procedures for the receipt, retention and treatment of complaints and anonymous submissions from internal and external complainants, including protection of "whistleblowers", in regard to fraud and corruption, or questionable accounting or auditing matters. 4.20 Meet annually with the Auditor General to discuss significant activities and outcomes of the anticorruption function. F. Reporting Responsibilities 4.21 The Committee reports to the Board of Directors through the President in his capacity as Chairman of the Board.
Appendix 1
21
4.22 The Committee shall:
(i) Report to the Board of Directors annually on its activities and submit conclusions and/or recommendations as the Committee deems appropriate.
(ii) Update the Board of Directors about the Committee activities, as
appropriate. (iii) Ensure the Board of Directors is aware of matters that may significantly
impact on the financial affairs of ADB. 5. ADMINISTRATIVE ARRANGEMENTS 5.1 The channel of communication between the Committee and ADB's Management and staff is through the Secretary of ADB. 5.2 The Office of the Secretary shall be responsible for providing the necessary administrative services for the functioning of the Committee including providing a secretariat for the Committee and maintaining its records.
Appendix 2 22 Audit Committee of the Board (ACB)
Work Program for 2008 – 2009
3 September 2008
Audit Strategy Memorandum (PwC) Outside Auditor’s Recommendation and Implementation Report (OAGF, PwC)
30 September 2008 Quarterly Financial Statements (period ending 30 June 2008) (CTL) Update on the Implementation of ISTS II and Other IT-Related activities (OIST)
4 November 2008
Outside Auditor Selection (OAGF) Audit Recommendation Semiannual Report as of 30 June 2008 (OAGF)
12 December 2008 Quarterly Financial Statements (period ending 30 September 2008) (CTL) Update on COSO Framework and Attestation (CTL) Update on RMU Activities (RMU)
13 February 2009 OAG’s Work Program for 2009 (OAG) Accomplishments for 2008 (OAGF) 2008 Annual Report of the Integrity Division (OAGI) Afghanistan Resident Mission Audit Issues (OAGF, CWRD)
3 March 2009 Working Session on MD&A and Financial Statements (CTL) 2008 Assertion and Attestation on Internal Control Framework (CTL) Whistleblower Protection (OAGI)
5 March 2009 Annual Financial Statements (CTL) Report on the 2008 Audit of the Asian Development Bank (PwC) Outside Auditor’s Audit Recommendation and Implementation Report as of 31 December 2008 (OAGF, PwC)
18 March 2009 Quarterly Risk Management Presentation (RMU)
27 May 2009 Outside Auditor’s Strategy Memorandum 2009 (Deloitte) Audit Recommendations and Implementation Report as of 31 December 2008 (OAGA)
26 June 2009 Risk Management Quarterly Presentation (RMU) Discussion on ACB Annual Report