Author: Alexandra Bates
As per the risk based supervision (RBS) framework determined by RBI, every bank is expected to prepare a risk profile of its own, considering the various parameters and the risks to which the bank is currently exposed. As per the risk profile of the bank and the parameters laid down, the following surveillance activities may be conducted:
• Off site surveillance
• On site inspections
• Process level inspections
• Product level inspections
• Demographic inspections
• Integrity inspections
• Structured meetings with other banks
• Meetings with external auditors
• Specific supervisory directions and new policy actions

The above list is illustrative in nature; RBI has also indicated five other areas in which the bank is expected to implement the RBS framework:
• Setting up of a risk management architecture
• Adoption of risk focused audit
• Strengthening of the management information system and information technology
• Addressing Human Resource Department issues
• Setting up of a Compliance unit

As per the Standards and Guidance note issued by ICAI, internal audit is defined as:
“Internal Audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system.”

Also, para 8 of the Auditing and Assurance Standard (AAS 6), Risk Assessments and Internal Control, clarifies that internal audit “constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operated.”

Thus the scope of internal audit can be broadly classified as follows:
• Independent functioning and evaluation of the effectiveness of the internal control system of the organisation
• Continuous evaluation of the organisation’s processes
• Review of the application and effectiveness of the risk management procedures and risk assessment methodologies
• Review of the effectiveness of the management accounting system and information technology of the organisation
• Review of the means of safeguarding the assets
• Review of management decisions and cost – benefit analysis of the applications
• Review of various procedures and reduction in overall turnaround time
• Review of applications used for regulatory reporting
• Review of stand alone applications and other applications having an interface with the core systems of the organisation

Internal Audit Function in banks

Banking industry and need for internal audit:
• Deals with public money (borrowing, lending and investment)
• Needs to be accurate
• Proper checks and balances to be in place
• Primary source of information for determining the effectiveness of existing internal control in the bank
• Global presence of Indian banks
• Use of modern information technology

Key audit decisions of a risk based internal audit:
• Frequency of audits
  ٭ Categorisation of the risks (High, Medium, Low)
  ٭ Determination of the frequency based on the risk profile
  ٭ Optimal allocation of audit resources
• Scope of audit
  ٭ Extent of audit based on risk profiles
  ٭ Sampling technique as per AAS 15, Audit Sampling, to be approved by the Audit Committee
• Timing of internal audit
  ٭ Random and fixed timing policies for high and low risk audit units respectively
  ٭ Surprise and snap audits for high risk profile units
  ٭ Conditional auditing for medium risk units
• Size of the internal audit team
  ٭ Depending on the risk profile
• Preventive measures
  ٭ Suggesting risk mitigants
  ٭ Anticipating potential risk areas
  ٭ Proactive approach – prevention

Advantages of risk based internal audit
• Defining the scope of audit
• Correlation between risk factors and the management concerns
• Priority classification
• Appropriate risk format according to the classification
• Synergy effect of high risk audit areas
• Optimal utilisation of the resources
• Process oriented audit

Risk based internal audit vs Risk management function
• Risk based internal audit: continuous evaluation of various processes to determine whether internal controls are well designed and the overall governance of the organisation is effective. Risk management function: development of appropriate policies and procedures for effective risk management on a bank wide basis.
• Risk based internal audit: monitoring of inherent business risks. Risk management function: development of risk management policies.
• Risk based internal audit: formulation of a risk based internal audit plan for proper allocation of resources.
• Risk based internal audit: internal audit can audit the risk management department of the bank, the same being an independent department. Risk management function: risk management systems cannot assess the risk of the internal audit department.

Steps involved in risk based audit
• Preparation
  ٭ Planning
  ٭ Resource planning
  ٭ Role clarification
  ٭ Assigning responsibilities
  ٭ Cost planning
  ٭ Date of completion
  ٭ Clear assignment of roles and responsibilities
• Identification of units
  ٭ Audit universe
  ٭ Business teams
  ٭ Product teams
  ٭ Individual product
  ٭ Tolerance level of the residual risk from non – audited units
  ٭ Scope of operational risk audit and risk based internal audit to be converged with each other (also to avoid duplication for the Basel II capital adequacy requirement)
• Conduct risk assessment
  ٭ Categorisation of risks
  ٭ Inherent risk
    ٠ Credit risks
      ✔ Direct lending – repayment risk
      ✔ Guarantees or Letters of Credit – insufficient funds on crystallisation of the liability
      ✔ Treasury operations – counterparties ceasing payment on forthcoming contracts
      ✔ Securities trading business
      ✔ Cross border exposure
    ٠ Market risks
      ✔ Liquidity risk
      ✔ Interest rate risk
      ✔ Foreign exchange risk
    ٠ Operational risks
      ✔ People risk
      ✔ Process risk
      ✔ System risk
      ✔ Legal and regulatory risk
      ✔ Reputation risk
      ✔ Event risk
  ٭ Control risks

  Control environment: “the overall attitude, awareness and actions of the directors and management regarding the internal control system and its importance in the entity”
  Factors related to the control environment:
  ٭ Hierarchy structure
  ٭ Senior management role and decision making authority
  ٭ Management’s philosophy and operating style
  ٭ Management’s control system, including internal audit, personnel policies and procedures

  Control procedures: “those policies and procedures, in addition to the control environment, which the management has established to achieve the entity’s specific objectives”
  ٭ Approving and controlling of documents
  ٭ Segregation of duties and supervisory functions
  ٭ Maker checker concept
  ٭ Reporting and reviewing of exceptions
  ٭ Comparison of internal data with external information
  ٭ Restricting direct access to assets, records and information
  ٭ Information system controls

  Key factors to be considered by an internal auditor before performing the internal audit function:
  ٭ Trend pattern of risks
  ٭ Risk matrix
    ٠ Inherent risks – High, Medium, Low
    ٠ Control risks – High, Medium, Low
    ٠ Prioritisation based on the risk assessment
  ٭ Previous internal audit reports and compliance
  ٭ Proposed changes in business lines or change in focus
  ٭ Significant change in management / key personnel
  ٭ Results of the latest regulatory examination
  ٭ Reports of external auditors
  ٭ Industry trends and other environmental factors
  ٭ Time lapsed since the last audit
  ٭ Volume of business and complexity of activities
  ٭ Substantial performance variations from budget
• Risk based internal audit plan
  ٠ Final planning
  ٠ Scope
  ٠ Cost
  ٠ Resource
  ٠ Timing
• Approval from the Audit Committee

Internal audit and control risk
• Understanding of the control environment by the internal auditor
  ٭ Assess management’s attitude
  ٭ Assess management’s awareness
  ٭ Assess management’s actions
• Two fold role of the internal auditor
  ٭ Ascertaining inherent risk and identifying areas wherein control procedures are not established
  ٭ Evaluation of risk in existing control procedures
• Preliminary assessment of control risk
  ٭ Evaluation of the effectiveness of the entity’s control environment and control risks in managing inherent business risks
  ٭ Assumption – controls are working effectively
  ٭ Control risk is generally assessed as high; if it is assessed lower, the basis for that assessment has to be documented
• Tests used for determining control checks
  ٭ Inspection
  ٭ Inquiries
  ٭ Re-performance of internal controls
  ٭ Testing on computerised applications
• Obtain evidence through tests of control
  ٭ Assessed control risk and the evidence required are inversely proportional
    ٠ The lower the assessment of control risk, the more evidence is required to support the effectiveness of the controls
  ٭ Factors to be considered while obtaining audit evidence
    ٠ Application of existing controls
    ٠ Consistency of application of such controls
    ٠ Duration of the application
    ٠ Responsibility of the person for such controls
  ٭ Deviations in the application of effective controls
    ٠ Reasons for such deviations
      ✔ Changes in key personnel
      ✔ Fluctuation in volume of transactions
      ✔ Human error
  ٭ Conclusion
• Qualitative and quantitative approach
  ٭ Quantum of credit, market and operational risk – quantitative
  ٭ Quality of controls – qualitative
  ٭ Focus on areas of risk; the following parameters are to be considered
    ٠ Activity wise identification
    ٠ Location wise identification
  ٭ Knowledge of the auditee’s business
    ٠ AAS 20 – Knowledge of the Business: “In performing an audit of financial statements, the auditor should have or obtain knowledge of the business sufficient to enable the auditor to identify and understand the events, transactions and practices that, in the auditor’s judgement, may have a significant effect on the financial statements or on the examination or audit report. Such knowledge is used by the auditor in assessing inherent and control risk and in determining the nature, timing and extent of audit procedures.”
  ٭ Mapping of both the risks with each other so that they are at an acceptable level
  ٭ The risk assessment matrix appears as below (rows: inherent risk; columns: control risk):

                        Control Risk
  Inherent Risk    Low                  Medium                High
  High             A – High Risk        B – Very High Risk    C – Extremely High Risk
  Medium           D – High Risk        E – Medium Risk       F – Very High Risk
  Low              G – Low Risk         H – High Risk         I – High Risk

• Risk based internal audit plan
  ٭ Scope
    ٠ The following matters are to be reviewed
      ✔ Process for identification of risks
      ✔ Control environment
      ✔ Gaps leading to an increase in the probability of occurrence of frauds
      ✔ Report on data integrity, reliability and integrity of MIS
      ✔ Internal, regulatory and statutory compliance
      ✔ Budgetary control and performance reviews
      ✔ Transaction testing / verification of assets to the extent considered necessary
      ✔ Monitoring compliance with the risk based internal audit report
      ✔ Variation, if any, in the assessment of risks under the audit plan vis – a – vis the risk based internal audit
    ٠ Review of systems in place for ensuring compliance with anti-money laundering controls
    ٠ Suggesting corrective measures
    ٠ Follow up reviews to monitor the action taken
  ٭ Contents of the risk based audit plan
    ٠ Audit universe
    ٠ Priority
      ✔ High magnitude, high frequency
      ✔ High magnitude, medium frequency
      ✔ Medium magnitude, high frequency
      ✔ High magnitude, low frequency
      ✔ Medium magnitude, medium frequency
    ٠ Type of internal audit assignment
      ✔ Assurance
        ➢ Objective examination of evidence for risk assessment
      ✔ Consulting
        ➢ For assistance of senior management
    ٠ Frequency
      ✔ Interval between audits of auditable units
    ٠ Extent of testing
      ✔ Directly proportional to the rating in the risk matrix
      ✔ Surprise testing
    ٠ Resource requirement
      ✔ Factors while planning the resource requirement
        ➢ Nature of the internal audit assignment
        ➢ Scope
        ➢ Complexity of the business and the transactions
        ➢ Audit expertise
        ➢ Quality and quantity of documentation required
        ➢ Use of audit approach and audit techniques
    ٠ Submission of the internal audit plan
