Risk Based Internal Audit (RBIA) Experience Sharing
RISK BASED INTERNAL AUDIT (RBIA)
EXPERIENCE SHARING
CA Nilesh Joshi

Contents
Meaning & Objectives
Terms Used
Advantages
Types of Risks
Nature of Risks
RBIA Approach
Risk Weightage
Documentation
Report
20-02-2011 Chokshi & Chokshi
MEANING of RISKS
Risks are those uncertainties which impede the achievement of the objectives.

OBJECTIVE of RBIA
Provide independent assurance to the Board that Risk Management Processes which Management has put in place are of sound design and operating as intended.
Terms Used

Risk Capacity
How much risk the organisation can absorb.

Risk Appetite
How much risk Management is willing to accept.

Risk Response
The purpose of assessing and addressing risks is to constrain them to an acceptable level.
Tolerate: Exposure is tolerable without any further action.
Transfer: Transfer risk by conventional insurance or outsourcing.
Terminate: Terminate the activity itself.
Treat: Action is taken to constrain risk to an acceptable level.
Advantages
Risk-based auditing is more efficient, because it directs audits at the high-risk areas, as opposed to financial areas, which may not represent such a great risk.
Ensures that resources are directed towards checking the management of the most significant risks.
RBIA involves the whole organisation and its processes – so no need to define which functions Internal Auditing should involve.
...cont.
Advantages (cont.)
We can rank recommendations, to provide the greatest value added in terms of the risks mitigated.
RBIA provides an ‘audit trail’ from an individual audit report back through tests, controls and risks to objectives, and forward to the audit committee report on whether those objectives are threatened. (The recommendations made can be traced back through controls, risks and processes to the organisation's objectives.)
Types of Risks
Business Risks
Operational Risks
Financial Risks
Regulatory Risks
Reputation Risks
Credit Risks
Major Risks At Glance…

Business Risk
Business Risks impede the achievement of the organisation’s goals and objectives.

Operational Risk
The risk that the entity will experience problems in the performance of business functions or processes.

Financial Risk
Risk that the financial statement reported by the entity may be incorrect and not reconciled to accounting records.

Regulatory Risk
Risk of non-compliance with regulatory requirements leading to censure and/or penalties.
Nature of Risks
Internal vs. External
(HUMAN, TECHNOLOGICAL FACTOR VS. ECONOMIC, NATURAL FACTOR)
Controllable vs. Non-controllable
(FIRE, THEFT VS. RECESSION, NEW COMPETITOR)
RBIA Approach
1. Understanding Process
2. Identification of Risk
3. Identification of Controls
4. Verification of Effectiveness of Controls
5. Reporting
Overall Process Review
Understand Organisation and Business Line Priorities
Understand Org Unit’s Key Objectives, Value Drivers and Auditable Units
Discuss, Challenge and Classify Key Risks
Assessment of Auditable Units (Initial prioritisation using 3-factor approach)
Review and Completeness Test
Create first draft Org Unit Audit Plan
Aggregate and Challenge Proposed Plans
Prepare Final Audit Plans
Risk Register
Identify risks
Assess inherent risk by evaluating impact and likelihood
Identify existing controls
Assess controls design
If the risk is not mitigated sufficiently, propose additional controls
Test operating effectiveness of controls
Assessment of residual risk.
Audit Schedule for Manufacturing Unit
Sr. No. | Process | Risk | Frequency (in months)
1 | Purchases & Related Payments | High | 12
2 | Manufacturing | High | 12
3 | Accounting | High | 12
4 | Salary Processing | Medium | 18
5 | Secretarial Matter | Medium | 18
6 | Vendor Payments - Others | Low | 24
Audit Schedule for Bank
Sr. No. | Process | Risk | Frequency (in months)
1 | Branches with Advances > 500 crores | High | 12
2 | Branches with Advances < 500 crores & > 100 crores | Medium | 16
3 | Branches with Advances < 100 crores | Low | 18
4 | Treasury | High | 12
5 | Trade Finance | High | 12
6 | Branch Operations | Low | 18
Understanding Process - Mfg.
[Flow diagram. Departments: Manufacturing Department, Stores, Accounts. Boxes: Gather Quotations and selects Vendor; Goods Received; Quality Control; Stores; Accounts; Payment to Vendor]
Identification of Risks
[Flow diagram. Departments: Manufacturing Department, Stores, Accounts. Boxes: Gather Quotations and selects Vendor; Goods Received; Quality Control; Stores; Accounts; Payment to Vendor. Marked on the diagram: RC1, RC2, RC3, RC4, RC5]
Identification of Controls
[Flow diagram. Departments: Manufacturing Department, Stores, Accounts. Boxes: Gather Quotations and selects Vendor; Goods Received; Quality Control; Stores; Accounts; Payment to Vendor. Marked on the diagram: RC1, RC2, RC3, RC4, RC5 and C 1, C 2, C 3, C 4, C 5]
Risk Register
Particular Check point | Nature of Risk | Risk Level | Controls | Details of control
Selecting Vendor (RC1) | Operational Risk | High | C 1 | Detailed Bidding
Receiving Goods (RC2) | Operational Risk | Low | C 2 | Embossing Officer Name on Inwarding note.
Quality Check (RC3) | Operational Risk | Medium | C 3 | Employing at least two checkers
Correct Accounting (RC4) | Financial Risk | High | C 4 | Employing maker-checker control
Payment (RC5) | Financial Risk | High | C 5 | Payments to be supported with various bills.
Understanding Process - Bank
Receipt of Application for OD against FD
Sending Application to Sanctioning Authority
Approval from Sanctioning Authority
Execution of Documents
Obtaining discharged FD
Marking lien in the System
Disbursing of Advances
Identification of Risks
Receipt of Application for OD against FD
Sending Application to Sanctioning Authority
Approval from Sanctioning Authority
Execution of Documents
Obtaining discharged FD
Marking lien in the System
Disbursing of Advances
[Marked on the flow diagram: RC1, RC2, RC3, RC4]
Identification of Controls
Receipt of Application for OD against FD
Sending Application to Sanctioning Authority
Approval from Sanctioning Authority
Execution of Documents
Obtaining discharged FD
Marking lien in the System
Disbursing of Advances
[Marked on the flow diagram: RC1 with C1, RC2 with C2, RC3 with C3, RC4 with C4]
Risk Register
Particular Check point | Nature of Risk | Risk Level | Controls | Details of control
Application (RC1) | Operational Risk | Medium | C 1 | Verification by other officer
Execution of Documents (RC2) | Credit Risk | Low | C 2 | Standardised Checklist prescribed by Head Office.
Discharged FD (RC3) | Credit Risk | Medium | C 3 | Verification by other officer
Marking Lien (RC4) | Credit Risk | High | C 4 | Verification by other officer & Day end report by BH
Risk Weightage (Unit)
Risks Type | Description | Risk Weights
High | Risks are significant. Management should take steps to mitigate the risks as soon as possible. | 6
Medium | Risks are not significant. However, management should take steps that will ensure timely mitigation of the risks. | 4
Low | Risks are immaterial. However, management should monitor the risks and take appropriate action to prevent Risk becoming material. | 2
Documentation
Terms of Engagement
Risk Register
Audit Plan
Test Work Sheet
Audit Closure Form
Audit Plan
Process code | Process Name | Risk | Sample Size | Time to be Taken | Name of Team Member | Name of Reviewer | Actual Time Taken
P-1 | Vendor Payments | High | 40% | 22-02-2011 | Mr. X | Mr. Y |
P-2 | Sales | High | 40% | 22-02-2011 | Mr. A | Mr. Y |
Test Work Sheet
Audit Closure Form
Report
Style:
  Concise Reporting
  Solution Oriented Reporting
  Connecting to audience
Define:
  Criteria
  Condition
Report - Contents
Auditee Profile
Processes Covered
Period Covered
Executive Summary
Opinion
Detailed Observations
  Background
  Detailed Findings
  Risk - Nature & Level
  Recommendation
Audit Opinion
Strong: The impact of identified control weaknesses exposes the area in scope to a minimal level of risk. Management action is not required.
Sufficient: The impact of identified control weaknesses exposes the area in scope to a limited level of risk. Management action is required to mitigate identified risks.
Insufficient: The impact of identified control weaknesses exposes the area in scope to a serious level of risk. Significant steps are required to mitigate identified risks as soon as possible.
Critical: The impact of identified control weaknesses exposes the area in scope to an unacceptable level of risk. Major steps are required to mitigate identified risks.
Basis for Audit Opinion
Strong (Total Risk Wgt. < 6): Consisting of only Low risk findings.
Sufficient (Total Risk Wgt. >6 & <=18): High category risks are not more than one and Medium category risks are not more than three.
Insufficient (Total Risk Wgt. >18 & <=48): High category risks are not more than four and Medium category risks are not more than six.
Critical (Total Risk Wgt. >48): High category risks are more than four and Medium category risks are more than six.
Example
Risks Findings | High * 6 | Medium * 4 | Low * 2 | Total Risk wgt.
No. of Obs. | (4) | (0) | (1) | 26
Audit Conclusion – Insufficient
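
An added example (not part of the original slides) that applies the weights and opinion bands above to a set of finding counts, including the deck's own 4 High / 0 Medium / 1 Low case. The function names, the treatment of a total of exactly 6 as undefined, and the rule of taking the more severe result when the weight band and the count limits disagree are assumptions made for illustration.

```python
# Added example: scores findings with the deck's weights and opinion bands.
WEIGHTS = {"High": 6, "Medium": 4, "Low": 2}   # from the Risk Weightage slide
ORDER = ["Strong", "Sufficient", "Insufficient", "Critical"]


def total_weight(high, medium, low):
    """Sum of observation counts multiplied by their risk weights."""
    return (high * WEIGHTS["High"] + medium * WEIGHTS["Medium"]
            + low * WEIGHTS["Low"])


def band_by_weight(total):
    """Opinion from the total-weight bands; None where the slide defines none."""
    if total < 6:
        return "Strong"
    if total == 6:
        return None   # the slide gives "< 6" and "> 6", so 6 is unassigned
    if total <= 18:
        return "Sufficient"
    if total <= 48:
        return "Insufficient"
    return "Critical"


def band_by_counts(high, medium):
    """Opinion from the High/Medium count limits. Assumption: anything over
    the Insufficient limits is treated as Critical."""
    if high == 0 and medium == 0:
        return "Strong"
    if high <= 1 and medium <= 3:
        return "Sufficient"
    if high <= 4 and medium <= 6:
        return "Insufficient"
    return "Critical"


def audit_opinion(high, medium, low):
    """Return (opinion, total, consistent). Assumption: when the two tests
    disagree, or the weight band is undefined, the more severe result wins."""
    total = total_weight(high, medium, low)
    by_w, by_c = band_by_weight(total), band_by_counts(high, medium)
    candidates = [b for b in (by_w, by_c) if b is not None]
    return max(candidates, key=ORDER.index), total, by_w == by_c


if __name__ == "__main__":
    print(audit_opinion(4, 0, 1))   # the deck's example
    print(audit_opinion(2, 0, 0))   # weight band and count limits disagree
    print(audit_opinion(1, 0, 0))   # total of exactly 6
```

The third tuple element is False whenever the two criteria on the slide point to different opinions, which marks a finding set for reviewer judgement.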
Financial Inclusion