RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

CA Nilesh Joshi

Upload: livi

Post on 01-Feb-2016


TRANSCRIPT

Page 1: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

CA Nilesh Joshi

Page 2: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Contents

1. Meaning & Objectives
2. Terms Used
3. Advantages
4. Types of Risks
5. Nature of Risks
6. RBIA Approach
7. Risk Weightage
8. Documentation
9. Report

20-02-2011 Chokshi & Chokshi

Page 3: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

MEANING of RISKS

Risks are those uncertainties which impede the achievement of the objectives.

OBJECTIVE of RBIA

Provide independent assurance to the Board that the Risk Management Processes which Management has put in place are of sound design and operating as intended.

Page 4: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Terms Used

Risk Capacity: How much risk the organisation can absorb.

Risk Appetite: How much risk Management is willing to accept.

Risk Response: The purpose of assessing and addressing risks is to constrain them to an acceptable level.

Tolerate: Exposure is tolerable without any further action.
Transfer: Transfer the risk by conventional insurance or outsourcing.
Terminate: Terminate the activity itself.
Treat: Action is taken to constrain the risk to an acceptable level.

Page 5: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Advantages

Risk-based auditing is more efficient, because it directs audits at the high-risk areas, as opposed to financial areas, which may not represent such a great risk.

It ensures that resources are directed towards checking the management of the most significant risks.

RBIA involves the whole organisation and its processes, so there is no need to define which functions Internal Auditing should involve.

Page 6: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Advantages (cont.)

We can rank recommendations, to provide the greatest value added in terms of the risks mitigated.

RBIA provides an 'audit trail' from an individual audit report back through tests, controls and risks to objectives, and forward to the audit committee report on whether those objectives are threatened. (The recommendations made can be traced back through controls, risks and processes to the organisation's objectives.)

Page 7: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Types of Risks

Business Risks
Operational Risks
Financial Risks
Regulatory Risks
Reputation Risks
Credit Risks

Page 8: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Major Risks At a Glance

Business Risk: Business risks impede the achievement of the organisation's goals and objectives.

Operational Risk: The risk that the entity will experience problems in the performance of business functions or processes.

Financial Risk: The risk that the financial statements reported by the entity may be incorrect and not reconciled to accounting records.

Regulatory Risk: The risk of non-compliance with regulatory requirements, leading to censure and/or penalties.

Page 9: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Nature of Risks

Internal vs. External (human and technological factors vs. economic and natural factors)

Controllable vs. Non-controllable (fire, theft vs. recession, new competitor)

Page 10: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

RBIA Approach

1. Understanding Process
2. Identification of Risk
3. Identification of Controls
4. Verification of Effectiveness of Controls
5. Reporting

Page 11: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Overall Process Review

1. Understand Organisation and Business Line Priorities
2. Understand Org Unit's Key Objectives, Value Drivers and Auditable Units
3. Discuss, Challenge and Classify Key Risks
4. Assessment of Auditable Units (initial prioritisation using 3-factor approach)
5. Review and Completeness Test
6. Create first draft Org Unit Audit Plan
7. Aggregate and Challenge Proposed Plans
8. Prepare Final Audit Plans

Page 12: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Risk Register

1. Identify risks
2. Assess inherent risk by evaluating impact and likelihood
3. Identify existing controls
4. Assess controls design
5. If the risk is not mitigated sufficiently, propose additional controls
6. Test operating effectiveness of controls
7. Assessment of residual risk

Page 13: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Audit Schedule for Manufacturing Unit

Sr. No.  Process                       Risk    Frequency (in months)
1        Purchases & Related Payments  High    12
2        Manufacturing                 High    12
3        Accounting                    High    12
4        Salary Processing             Medium  18
5        Secretarial Matter            Medium  18
6        Vendor Payments - Others      Low     24

Page 14: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Audit Schedule for Bank

Sr. No.  Process                                             Risk    Frequency (in months)
1        Branches with Advances > 500 crores                 High    12
2        Branches with Advances < 500 crores & > 100 crores  Medium  16
3        Branches with Advances < 100 crores                 Low     18
4        Treasury                                            High    12
5        Trade Finance                                       High    12
6        Branch Operations                                   Low     18

Page 15: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Understanding Process - Mfg.

Process flow drawn across three swim lanes (Manufacturing Department, Stores, Accounts):

1. Gather quotations and select vendor
2. Goods received
3. Quality control
4. Stores
5. Accounts: payment to vendor

Page 16: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Identification of Risks

The same manufacturing process flow (Manufacturing Department, Stores, Accounts), annotated with risk checkpoints RC1 to RC5 (detailed in the Risk Register below).

Page 17: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Identification of Controls

The same manufacturing process flow, annotated with risk checkpoints RC1 to RC5 and their corresponding controls C1 to C5 (detailed in the Risk Register below).

Page 18: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Risk Register

Ref.  Control  Check point         Nature of Risk    Risk Level  Details of control
RC1   C1       Selecting Vendor    Operational Risk  High        Detailed Bidding
RC2   C2       Receiving Goods     Operational Risk  Low         Embossing Officer Name on Inwarding note.
RC3   C3       Quality Check       Operational Risk  Medium      Employing at least two checkers
RC4   C4       Correct Accounting  Financial Risk    High        Employing maker-checker control
RC5   C5       Payment             Financial Risk    High        Payments to be supported with various bills.

Page 19: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Understanding Process - Bank

1. Receipt of application for OD against FD
2. Sending application to Sanctioning Authority
3. Approval from Sanctioning Authority
4. Execution of documents
5. Obtaining discharged FD
6. Marking lien in the system
7. Disbursing of advances

Page 20: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Identification of Risks

The same OD-against-FD process flow, annotated with risk checkpoints RC1 to RC4 (detailed in the Risk Register below).

Page 21: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Identification of Controls

The same OD-against-FD process flow, annotated with risk checkpoints RC1 to RC4 and their corresponding controls C1 to C4 (detailed in the Risk Register below).

Page 22: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Risk Register

Ref.  Control  Check point             Nature of Risk    Risk Level  Details of control
RC1   C1       Application             Operational Risk  Medium      Verification by other officer
RC2   C2       Execution of Documents  Credit Risk       Low         Standardised Checklist prescribed by Head Office.
RC3   C3       Discharged FD           Credit Risk       Medium      Verification by other officer
RC4   C4       Marking Lien            Credit Risk       High        Verification by other officer & Day end report by BH

Page 23: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Risk Weightage (Unit)

High (risk weight 6): Risks are significant. Management should take steps to mitigate the risks as soon as possible.

Medium (risk weight 4): Risks are not significant. However, management should take steps that will ensure timely mitigation of the risks.

Low (risk weight 2): Risks are immaterial. However, management should monitor the risks and take appropriate action to prevent the risk becoming material.

Page 24: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Documentation

1. Terms of Engagement
2. Risk Register
3. Audit Plan
4. Test Work Sheet
5. Audit Closure Form

Page 25: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Audit Plan

Process code  Process Name     Risk  Sample Size  Time to be Taken  Name of Team Member  Name of Reviewer  Actual Time Taken
P-1           Vendor Payments  High  40%          22-02-2011        Mr. X                Mr. Y             -
P-2           Sales            High  40%          22-02-2011        Mr. A                Mr. Y             -

Page 26: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Test Work Sheet

Page 27: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Audit Closure Form

Page 28: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Report

Style:
1. Concise Reporting
2. Solution Oriented Reporting
3. Connecting to audience

Define:
1. Criteria
2. Condition

Page 29: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Report - Contents

1. Auditee Profile
2. Processes Covered
3. Period Covered
4. Executive Summary
5. Opinion
6. Detailed Observations
   a. Background
   b. Detailed Findings
   c. Risk - Nature & Level
   d. Recommendation

Page 30: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Audit Opinion

Strong: The impact of identified control weaknesses exposes the area in scope to a minimal level of risk. Management action is not required.

Sufficient: The impact of identified control weaknesses exposes the area in scope to a limited level of risk. Management action is required to mitigate identified risks.

Insufficient: The impact of identified control weaknesses exposes the area in scope to a serious level of risk. Significant steps are required to mitigate identified risks as soon as possible.

Critical: The impact of identified control weaknesses exposes the area in scope to an unacceptable level of risk. Major steps are required to mitigate identified risks.

Page 31: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Basis for Audit Opinion

Strong (Total Risk Wgt. < 6): Consisting of only Low risk findings.

Sufficient (Total Risk Wgt. > 6 & <= 18): High category risks are not more than one and Medium category risks are not more than three.

Insufficient (Total Risk Wgt. > 18 & <= 48): High category risks are not more than four and Medium category risks are not more than six.

Critical (Total Risk Wgt. > 48): High category risks are more than four and Medium category risks are more than six.

Page 32: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Example

Risks   Weight  Findings (No. of Obs.)
High    * 6     4
Medium  * 4     0
Low     * 2     1

Total Risk Wgt.: 4 * 6 + 0 * 4 + 1 * 2 = 26

Audit Conclusion – Insufficient
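The scoring behind this example, written out as an added Python example (not part of the deck): it applies the Risk Weightage values and the Basis for Audit Opinion bands, and cross-checks the weight bands against the count-based wording on the same slide. The treatment of a total of exactly 6, and of a finding mix that exceeds only one of the Critical limits, are assumptions, since the slides do not cover those cases.

```python
# Added example, not from the slides: compute the Total Risk Weight and the
# audit opinion from the deck's Risk Weightage and Basis for Audit Opinion.
from collections import Counter
from typing import Dict, Iterable

# Weights from the "Risk Weightage (Unit)" slide.
RISK_WEIGHTS: Dict[str, int] = {"High": 6, "Medium": 4, "Low": 2}


def total_risk_weight(findings: Iterable[str]) -> int:
    """Sum the weight of each finding's risk level (High/Medium/Low)."""
    return sum(RISK_WEIGHTS[level] for level in findings)


def opinion_from_weight(total: int) -> str:
    """Map a total onto the slide's bands: Strong < 6, Sufficient > 6 and
    <= 18, Insufficient > 18 and <= 48, Critical > 48. A total of exactly 6
    is not covered by the slide; this example assumes it is Sufficient."""
    if total < 6:
        return "Strong"
    if total <= 18:  # assumption: total == 6 treated as Sufficient
        return "Sufficient"
    if total <= 48:
        return "Insufficient"
    return "Critical"


def opinion_from_counts(findings: Iterable[str]) -> str:
    """Apply the count-based wording of the same slide as a cross-check."""
    counts = Counter(findings)
    high, medium = counts["High"], counts["Medium"]
    if high == 0 and medium == 0:  # only Low risk findings
        return "Strong"
    if high <= 1 and medium <= 3:
        return "Sufficient"
    if high <= 4 and medium <= 6:
        return "Insufficient"
    # Assumption: exceeding either limit is Critical (the slide says "and").
    return "Critical"


def audit_conclusion(findings: Iterable[str]) -> Dict[str, object]:
    """Return the total weight, both readings of the opinion, and whether
    they agree; they do not for every mix of findings (e.g. 1 High, 3 Medium,
    1 Low = 20 is Insufficient by weight but Sufficient by counts)."""
    findings = list(findings)
    total = total_risk_weight(findings)
    by_weight = opinion_from_weight(total)
    by_count = opinion_from_counts(findings)
    return {"total": total, "opinion": by_weight,
            "count_opinion": by_count, "consistent": by_weight == by_count}

if __name__ == "__main__":
    # The deck's example: 4 High, 0 Medium, 1 Low -> 26 -> Insufficient.
    print(audit_conclusion(["High"] * 4 + ["Low"]))
```

Running it on the deck's own figures reproduces 26 and Insufficient; the "consistent" flag shows where the weight bands and the count limits on the Basis for Audit Opinion slide would give different answers.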

Page 33: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING


Page 34: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING

Financial Inclusion

Page 35: RISK BASED INTERNAL AUDIT (RBIA) EXPERIENCE SHARING
