Regulatory Audit Framework
Mushir Killedar
June 2012
(Presentation hosted at wirc-icai.org)
Flow of Presentation
• Types of Regulators and Audits
• Objectives of Regulatory Audits
• Key considerations for Regulatory Audit Framework
• Regulatory Audit – a Snapshot
• Approach for Regulatory Audit Framework
• Role of Compliance in Regulatory Audit Framework
Regulatory Audit – a Snapshot
• A comprehensive review of an organization's adherence to regulatory guidelines
Types of Regulators in Capital Markets
• Chief Regulators
• Intermediary regulators
• Unrecognized regulators
Types of Regulatory Audits
• SEBI Inspections of intermediaries in capital market
• Internal Audit for stock brokers / trading members / clearing members – October 21, 2008
• System Audit of Mutual Fund – Sep 16, 2009
• Internal Audit of Credit Rating Agencies – Jan 6, 2010
• Audit of Investment Risk Management Systems & Process, Internal / Concurrent Audit
  – AUM less than Rs.1000 crore: Audit of Investment functions on quarterly basis
  – AUM more than Rs.1000 crore: Concurrent audit by a CA firm to have its Investment transactions and related Systems audited on a concurrent basis
• Exchange Inspections of stock brokers
• Half-yearly Internal Audit as mandated by SEBI covering all processes from client registration, operations, compliance and PMLA
• Yearly CTCL / IML System Audit
• Due Diligence of Mutual Fund Distributors as mandated by SEBI vide Circular of August 2011
Objective of Regulatory Audits
• Expectation of Regulators: Adherence to Guidelines issued
• Responsibility of Firm: Understanding & Implementing Guidelines in best possible manner & within prescribed timeline
How to achieve???
The key considerations for Regulatory Audit Framework for a firm
• Principles for establishing the need for audit
• Frequency of audits
• Deciding the firm's approach for audit and setting scope for same
• Appointment of auditors
• Continuous Reviews
• Alerts Generation, Escalations & Resolutions in a time-bound manner
• Audit methodology & Reporting of Results
• Identifying matters for audit
The Risk Control Assessment Approach
• Risk Control Matrix
• Control Self Assessment Plan
• Control Compliance Assessment
Methodology
Risk Control Matrix
• Identification of risks for existing processes
• Impact Assessment
• Identification of probability of risk occurrence
• Derivation of Criticality
• Risk Controls: Design / documentation of suggestive / prevalent controls
• Bifurcation of Controls into Preventive / Detective controls
• Bifurcation of Controls into Manual / IT controls
CSA Matrix
• Preparation of process-wise Risk register
• Computation of process-wise weighted average criticality
• Drawing of CSA plan based on weighted average
• Assessing effectiveness of control through control compliance score
Risk Control Matrix: Ratings assigned on basis of defined parameters
Risk Control Matrix – Parameters

Classification of probability of occurrence of risk
Code  Classification  Score
L     Likely          3
U     Un-likely       2
R     Remote          1

Classification of Impact
Code  Classification                        Score
F     Financial                             4
N     Non-Compliance with SEBI / Exchange   3
C     Customer Service / Reputation         2
D     Deviation from SOP / Normal practice  1

Risk Control Matrix – Criticality Score
Criticality Score = Probability Score * Impact Score

Classification of Criticality
Code  Classification  Score
VH    Very High       10.1 - 12
H     High            8.1 - 10
M     Medium          4.1 - 8
L     Low             2.1 - 4
VL    Very Low        0 - 2
Control Self Assessment Plan
[Chart: process-wise criticality (scale 0 to 12) for Client Acquisition & Registration, Collection of Margins, Compliance, Client Receipts, Exchange Pay-in & Pay-out, Trade Processing - Cash, Client Payments, BOD Processes, EOD Processes, Trade Processing - F&O; axes: Process vs. Criticality]
Frequency of review: Monthly, Quarterly, Bi-Annual, Annual
Plan for assessment
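As an added worked example (not part of the presentation), the Risk Control Matrix scoring and the CSA plan steps above in Python. The probability scores, impact scores and criticality bands are the slides' values; the sample risk register, the probability-weighted averaging and the band-to-review-frequency mapping are assumptions, since the slides name those steps but not their specifics.

```python
# Added example (not from the presentation): Risk Control Matrix scoring and
# the CSA plan steps from the slides. Probability/impact scores and the
# criticality bands are the slides' values; everything else is assumed.

PROBABILITY = {"L": 3, "U": 2, "R": 1}        # Likely / Un-likely / Remote
IMPACT = {"F": 4, "N": 3, "C": 2, "D": 1}      # Financial / Non-compliance / Customer / SOP deviation
# Criticality bands from the slides (VH 10.1-12, H 8.1-10, M 4.1-8, L 2.1-4, VL 0-2),
# treated as continuous ranges so a weighted average can be banded too.
BANDS = [("VL", 0.0, 2.0), ("L", 2.0, 4.0), ("M", 4.0, 8.0), ("H", 8.0, 10.0), ("VH", 10.0, 12.0)]
# Assumption: band-to-frequency mapping; the slides list the frequencies but not the mapping.
REVIEW_FREQUENCY = {"VH": "Monthly", "H": "Monthly", "M": "Quarterly", "L": "Bi-Annual", "VL": "Annual"}

def criticality(probability: str, impact: str) -> int:
    """Criticality Score = Probability Score * Impact Score (slide formula)."""
    return PROBABILITY[probability] * IMPACT[impact]

def band(score: float) -> str:
    """Map a criticality score (single risk or process average) to VH/H/M/L/VL."""
    for name, low, high in BANDS:
        if low < score <= high or (name == "VL" and score == 0):
            return name
    raise ValueError(f"criticality out of range: {score}")

# Constructed process-wise risk register: process -> [(risk, probability, impact)]
RISK_REGISTER = {
    "Client Acquisition & Registration": [("KYC documents incomplete", "L", "N"),
                                          ("PAN not verified", "U", "N")],
    "Collection of Margins": [("Margin shortfall not collected", "L", "F"),
                              ("Margin report delayed", "U", "D")],
    "Exchange Pay-in & Pay-out": [("Pay-in shortfall", "R", "F")],
}

def process_criticality(register):
    """Process-wise weighted average criticality.
    Assumption: each risk is weighted by its probability score, so likely
    risks pull the process average up more than remote ones."""
    result = {}
    for process, risks in register.items():
        weights = [PROBABILITY[p] for _, p, _ in risks]
        scores = [criticality(p, i) for _, p, i in risks]
        result[process] = round(sum(w * s for w, s in zip(weights, scores)) / sum(weights), 2)
    return result

def csa_plan(register):
    """CSA plan: (weighted average, band, review frequency) per process."""
    return {process: (avg, band(avg), REVIEW_FREQUENCY[band(avg)])
            for process, avg in process_criticality(register).items()}
```

Running `csa_plan(RISK_REGISTER)` shows why the weighted average matters: Collection of Margins carries a VH risk (12) yet averages to 8.0 (Medium) once its low-criticality sibling is included, which is the case an auditor should check before accepting a quarterly review for that process.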
GRC tools
• Methodology for establishing a risk framework across functions within a large corporate house, or use of the standalone risk module to address specific risks such as credit risk, market risk etc.
• GRC (governance, risk management and compliance) software allows companies to integrate and manage operations that are subject to regulation.
• Tool for Revenue Assurance
Appointment of Auditors
• skill and experience in compliance auditing
• skill and experience in, and where relevant, detailed knowledge of, the types of matters likely to be audited
• detailed knowledge of the relevant industry
Audit Methodology and reporting of Results
Role of Compliance in Regulatory Audit Framework
• Oversee the Framework
• Communication of Regulatory requirement from time-to-time
• Helping organisation understand and implement the regulatory expectations
  • In best possible manner
  • In a time-bound manner
  • Reflecting expectation of regulator
THANK YOU
Disclaimer: The views expressed in this document are of independent opinion. The presenter is not responsible to any person / party for any decisions they may take based on this information; it is suggested that due professional advice is sought or care undertaken before acting on any recommendations / suggestions expressed herein.