Regulatory Audit Framework

Mushir Killedar

June 2012

Flow of Presentation

Types of Regulators and Audits

Objectives of Regulatory Audits

Key considerations for Regulatory Audit Framework

Regulatory Audit – a Snapshot

Approach for Regulatory Audit Framework

Role of Compliance in Regulatory Audit Framework

Regulatory Audit

• Comprehensive review of an organization's adherence to regulatory guidelines

Snapshot

Types of Regulators in Capital Markets

• Chief Regulators

• Intermediary regulators

• Unrecognized regulators


Types of Regulatory Audits

• SEBI Inspections of intermediaries in capital market

• Internal Audit for stock brokers/trading members/clearing members – October 21, 2008

• System Audit of Mutual Fund – Sep 16, 2009

• Internal Audit of Credit Rating Agencies – Jan 6, 2010

• Audit of Investment Risk Management Systems & Process, Internal / Concurrent Audit

– AUM less than Rs.1000 crore: Audit of Investment functions on quarterly basis

– AUM more than Rs.1000 crore: Concurrent audit by a CA firm to have its Investment transactions and related Systems audited on a concurrent basis

• Exchange Inspections of stock brokers

• Half-yearly Internal Audit as mandated by SEBI covering all processes from client registration, operations, compliance and PMLA.

• Yearly CTCL / IML System Audit

• Due Diligence of Mutual Fund Distributors as mandated by SEBI vide Circular of August 2011.

Objective of Regulatory Audits

Expectation of Regulators

Responsibility of Firm

Adherence to Guidelines issued

Understanding & Implementing Guidelines

In best possible manner & within prescribed timeline


How to achieve???


The key considerations for Regulatory Audit Framework for a firm

• Principles for establishing the need for audit

• Frequency of audits

• Deciding firm's approach for audit and setting scope for same

• Appointment of Auditors

• Continuous Reviews

• Alerts Generation, Escalations & Resolutions in a time bound manner

• Audit methodology & Reporting of Results


Identifying matters for audit


The Risk Control Assessment Approach

• Risk Control Matrix

• Control Self Assessment Plan

• Control Compliance Assessment


Methodology

Risk

• Identification of risks for existing processes

• Impact Assessment

• Identification of probability of risk occurrence

• Derivation of Criticality

Controls

• Design / documentation of suggestive / prevalent controls

• Bifurcation of Controls into Preventive / Detective controls

• Bifurcation of Controls into Manual / IT controls

CSA Matrix

• Preparation of process-wise Risk register

• Computation of process-wise weighted average criticality

• Drawing of CSA plan based on weighted average

• Assessing effectiveness of control through control compliance score

Risk Control Matrix: Ratings assigned on basis of defined parameters

Parameters

Classification of probability of occurrence of risk

Classification      Score
L   Likely          3
U   Un-likely       2
R   Remote          1

Classification of Impact

Classification                              Score
F   Financial                               4
N   Non-Compliance with SEBI/ Exchange      3
C   Customer Service / Reputation           2
D   Deviation from SOP / Normal practice    1

Classification of Criticality

Classification      Score
VH  Very High       10.1 - 12
H   High            8.1 - 10
M   Medium          4.1 - 8
L   Low             2.1 - 4
VL  Very Low        0 - 2

Criticality Score = Probability Score * Impact Score

Risk Control Matrix: Criticality Score

Control Self Assessment Plan

[Figure: Plan for assessment. Chart of Criticality against Process, with Frequency of review: Monthly, Quarterly, Bi-Annual, Annual. Processes shown: Client Acquisition & Registration, Collection of Margins, Compliance, Client Receipts, Exchange Pay-in & Pay-out, Trade Processing - Cash, Client Payments, BOD Processes, EOD Processes, Trade Processing - F&O.]

GRC tools

• Methodology for establishing a risk framework across functions within a large corporate house, or use of the standalone risk module to address specific risks such as credit risk, market risk, etc.

• GRC (governance, risk management and compliance) software allows companies to integrate and manage operations that are subject to regulation.

• Tool for Revenue Assurance


Appointment of Auditors

• skill and experience in compliance auditing

• skill and experience in, and where relevant, detailed knowledge of, the types of matters likely to be audited

• detailed knowledge of the relevant industry


Audit Methodology and reporting of Results


Role of Compliance in Regulatory Audit Framework

• Oversee the Framework

• Communication of Regulatory requirement from time-to-time

• Helping organisation understand and implement the regulatory expectations

• In best possible manner

• Time-bound manner

• Reflecting expectation of regulator


THANK YOU

Disclaimer: The views expressed in this document are of independent opinion. The presenter is not responsible to any person / party for any decisions they may take based on this information, it is suggested that due professional advice is sought or care undertaken before acting on any recommendations / suggestions expressed herein.