risk based auditing.pdf

Upload: fareh19

Post on 03-Apr-2018


  • 7/29/2019 Risk Based Auditing.pdf

    1/66

    The Institute of Chartered Accountants of India
    (Set up under an Act of Parliament)

    Committee on Internal Audit

    Technical Guide on Risk-based Internal Audit in Banks


    The basic draft of this Technical Guide was prepared by Sh. Nagesh D Pinge and Sh. Srinivas Yanamandara. The views expressed in Technical Guide are those of the authors and may not necessarily be the views of the organization they represent.


    © The Institute of Chartered Accountants of India. All rights reserved.

    No part of this Technical Guide may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior permission, in writing from the publisher.

    First Edition: November 2005

    ISBN: 81-88437-73-5

    Price: Rs. 150

    E-mail: cia@icai.org
    Website: http://www.icai.org

    Published by VIJAY KAPUR, Additional Director (Special Grade), The Institute of Chartered Accountants of India, 'ICAI Bhawan', Indraprastha Marg, New Delhi - 110 002, INDIA

    Cover & Illustrations: Narendra Bhola

    Design & Realisation: Sterling Preferred Printing


    Foreword

    The banking industry has always thrown up newer opportunities and challenges, be it the statutory audits or other assignments such as concurrent audits or internal audits etc. The dynamic environment in which this industry operates requires the members to not only use their existing skill sets to the best of their ability but also keep the same sharp enough at all times to effectively turn those challenges into opportunities. The introduction of risk-based internal audit system in banks by the Reserve Bank of India is one such opportunity in the form of a challenge for the members to contribute towards the resilience and stability of the banking industry in India.

    The risk-based internal audit in banks, as against the conventional concurrent audit or internal audit in banks, is focused at improving the risk management system in banks, necessitated on account of involvement of large amount of public and government monies. Given the fact that even the implementation aspect of the risk-based internal audit system in the banking industry is in nascent and learning stages, it is necessary that our members take an initiative to properly understand the intricacies or typicalities in carrying out a risk-based internal audit and help not only the system to take firm roots in the industry but also the industry to derive maximum benefit out of the system.

    I am therefore, happy to note that the Committee on Internal Audit has decided to bring out this Technical Guide on Risk-based Internal Audit in Banks for the guidance of the members. I am sure that the Committee will continue to bring out more of such topical publications for the benefit of the members.

    Kamlesh S. Vikamsey
    President

    27th October, 2005
    New Delhi


    Preface

    The banking industry in India is in a state of continuous growth and expansion, making its presence felt in all spheres of economic growth, domestic as well as global. Such marked presence at the domestic as well as international front makes it quintessential for the banking industry to benchmark with the international standards to ensure credibility, resilience as also transparency in its working in both domestic as well as international arena. Establishment of risk-based Internal Audit Systems is one such measure recommended by the Basel Committee on Banking Supervision.

    The Reserve Bank of India made a beginning in this direction by issuing a circular in August 2001 requiring the banks to take necessary steps to establish a risk-based internal audit system in banks. Over the period, the regulator also brought out detailed circulars, guidance notes etc., dealing with the topic of Risk-based supervision of banks. Implementation of risk-based supervision system in banks has led to the need for a system of risk-based internal audit in banks. The new system requires the chartered accountants not only to hone their existing skills but also acquire new knowledge and skills to appropriately understand the complexities of the system and make the best possible use of their knowledge and expertise to help the banking industry reap maximum benefits of the system.

    In view of the above, the Committee on Internal Audit has brought out this publication, Technical Guide on Risk-based Internal Audit in Banks to help the members understand the fundamentals of the system. The Technical Guide is divided into four chapters. Chapter 1, Introduction, deals with aspects such as cost benefit analysis, key audit decisions such as frequency, scope, timing, size of team etc., advantages, Risk-based internal audit system vis-a-vis risk management function. Chapter 2, Steps in Risk-based Internal Audit, including risk matrix and a case study. Chapter 3 deals with other significant considerations relating to Risk-based Internal Audit in Banks and lastly, The Way Ahead. The Technical Guide also contains appendices containing the relevant circulars of the Reserve Bank of India.

    I must, at this juncture, express my deep gratitude to Shri Nagesh D Pinge, Senior General Manager and his colleague Shri Srinivas Yanamandara, ICICI Bank Limited who volunteered to squeeze time out of their pressing pre-occupations to share their wealth of knowledge and experience with us and prepared the near perfect basic draft of the Technical Guide at such short notice. The practical and clear approach of the Technical Guide definitely reflects years of hands on experience and grasp of the authors in the area. Further, I am also thankful to my colleagues at the Committee on Internal Audit for providing valuable guidance on making the Technical Guide more useful. I also wish to express my appreciation for the support of Shri Vijay Kapur, Additional Director (Board of Studies), Smt. Puja Wadhera, Secretary, Committee on Internal Audit and Shri Nitin Singhal, Executive Officer in finalisation of the publication.

    I am sure that the members would find the Technical Guide immensely useful in understanding and implementing the concept of Risk-based Internal Audit in Banks.

    Amarjit Chopra
    Chairman
    Committee on Internal Audit

    27th October, 2005
    New Delhi


    Contents

    Foreword
    Preface
    Chapter 1: Introduction
    Chapter 2: Steps in Risk-based Internal Audit of Banks
    Chapter 3: Other Considerations
    Chapter 4: The Way Ahead

    APPENDICES
    I. RBI's Discussion Paper: Move Towards Risk-based Supervision of Banks
    II. RBI's Circular of December 2002: Risk-based Internal Audit
    III. RBI's Circular of February 2005: Implementation of Risk-based Internal Audit in Banks


    Chapter 1

    Introduction

    Background

    1.1 During the recent years, the supervisory function of the Reserve Bank of India (RBI), the banking regulator in India, is increasingly getting risk focused and the RBI has expressed its intention to move towards risk-based supervision (RBS) of banks. Towards this end, the RBI published a discussion paper in August, 2001, 'Move Towards Risk-based Supervision of Banks', describing the scope of the RBS of banks. The discussion paper is given as Appendix I to the Technical Guide.

    1.2 Under the RBS, the RBI would focus its supervisory attention on the banks in accordance with the risk profile of each bank determined by RBI. Each bank under the proposed RBS framework of RBI is expected to prepare a risk profile of its own, taking into account the various risks to which the bank is exposed. The risk profile of the bank would determine the supervisory programme comprising off-site surveillance, targeted on-site inspections, structured meetings with banks, commissioned external audits, specific supervisory directions and new policy action, as warranted. Thus, RBS requires adequate preparatory steps both at the RBI level as well as at the level of individual commercial banks.

    1.3 RBI has indicated the following five areas of bank level preparation for successful implementation of the RBS framework:

    • Setting up of risk management architecture
    • Adoption of risk focused internal Audit
    • Strengthening of management information system and information technology
    • Addressing Human Resources Department (HRD) issues
    • Setting up of a compliance unit.

    1.4 Subsequently, in December 2002, RBI issued a guidance note on the risk-based internal audit function in the banks, detailing the steps required to be adopted therefor. The said guidance note is given as Appendix II to the Technical Guide. Further, in February 2005, RBI issued a circular reiterating the importance of the risk-based internal audit in banks. RBI, through the said circular, has advised the banks as to preparation of the Risk Audit Matrix based on the risk focused approach, enabling the banks to move towards the advanced approaches for determining capital charge for the operational risk under the proposed Basel II International Capital Adequacy framework. The text of the circular is given in Appendix III to this Technical Guide.

    1.5 The objective of this Technical Guide is to provide guidance to the members of the Institute, handling the internal audit function, specifically in banking industry, as to the steps involved in the risk-based internal audit in banks.

    Internal Audit - Definition, Objectives and Scope

    1.6 Preface to the Standards and Guidance Notes on Internal Audit, issued by the Institute of Chartered Accountants of India defines the term internal audit as:

    "Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity's strategic risk management and internal control system."


    1.7 Further, paragraph 8 of the Auditing and Assurance Standard (AAS) 6, Risk Assessments and Internal Control, issued by the Institute of Chartered Accountants of India, clarifies that internal audit constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operated.

    1.8 A careful analysis of the above reveals that the scope of the internal audit, ordinarily, includes:

    • Examination and evaluation of the adequacy and effectiveness of the internal control systems
    • Review of the application and effectiveness of risk management procedures and risk assessment methodologies
    • Review of the management and financial information systems, including the electronic information systems
    • Review of the accuracy and reliability of the accounting records and financial reports
    • Review of the means of safeguarding assets
    • Appraisal of the economy and efficiency of the operations
    • Testing of both transactions and the functioning of specific internal control procedures
    • Review of the systems established to ensure compliance with legal and regulatory requirements, code(s) of conduct and the implementation of policies and procedures
    • Testing of the reliability and timeliness of the regulatory reporting.

    Internal Audit in Banks

    1.9 The banking industry is special as it involves dealing with public money. The very nature of banking business of dealing with money requires proper checks and balances in place to ensure that the dealings are closely monitored and the risks arising out of the banking business are minimized. Towards this end, the internal audit function in a bank assists the senior management of the bank in providing an objective assurance that all the controls are well designed and effectively operated. The bank's internal audit reports are the primary source of information about the effectiveness of the risk management and internal control systems in the bank. Thus, it can be seen that internal audit has a crucial role to play in a bank's existence and growth and, therefore, needs to be effective. Towards this end, the Basel Committee on Banking Supervision of the Bank for International Settlements has also pronounced certain principles required to be followed for an effective internal audit in banks.

    1.10 In India, each bank, normally, has a separate internal audit/inspection department that inspects the bank's functioning periodically and reports to the Audit Committee of the Board of Directors of the bank. Banks are expected to have sufficient resources and invest in training their staff to conduct internal inspections. However, it is also a common practice among banks to outsource the following internal audit/inspection activities:

    • Those which are routine in nature.
    • Those which are exceptional and/or for which no expertise is available within the bank.
    • Those where cost of being carried out in-house would exceed the benefits to be derived therefrom provided that the cost of outsourcing is lesser than the former cost.

    Additionally, banks have also either instituted in-house departments for carrying out "systems audits" or have outsourced this specialized field. Systems Audit focuses on whether the internal procedures and controls are being adhered to at the operational level and whether the existing systems are adequate and commensurate with the requirement of the changing business environment.

    1.11 The effectiveness of internal audit function of banks is assessed during the course of on-site inspection by RBI. Supervisory concerns thrown up by internal audit/inspection provide pointers or indicators for on-site inspection of RBI.

    Risk-based Internal Audit

    1.12 A sound internal audit function plays an important role in contributing to the effectiveness of the internal control system. Until recently, the internal audit system in banks had been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports, integrity, reliability and timeliness of control reports, and adherence to legal and regulatory requirements. However, in the changing scenario, such testing by itself is not sufficient for the purpose of providing an objective assurance on the functioning of internal controls by the internal audit function.

    1.13 During recent times, in addition to the traditional risks that the banks are exposed to, the increasing global scale operations of banks, impact of the information technology on the banking systems and processes, have exposed the business of the banks to newer risks. The management of these risks is crucial for the success of any banking organisation. This requires the independent functions such as compliance and internal audit to be more risk focused to ensure that the risks are being identified, assessed and managed effectively on a bank-wide basis. Towards this end, RBI felt that there is a need for widening as well as redirecting the scope of internal audit to evaluate the adequacy and effectiveness of risk management procedures and internal control systems in the banks.

    Cost-benefit Analysis

    1.14 The argument for the risk-based internal audit can be further supplemented by the cost-benefit analysis of the internal audit function. In this connection, it should be noted that internal audit is invariably a cost center in any organisation. It is, therefore, necessary that the internal audit function develops and implements an effective, long range internal audit plan so that the benefits derived therefrom effectively exceed the costs allocated to the function.

    1.15 The primary objective of internal audit is to provide an objective assurance on the functioning of internal controls in the bank. However, there is an inherent risk that the internal audit function may not reveal all the weaknesses in the internal controls. This may lead to risk of losses in terms of fraud, including embezzlement, and misappropriation of assets. To minimize these risks, one suggestive approach is to make the internal audit function more continuous, i.e., audit the different departments more frequently. For example, increase in frequency of internal audit may result in reduction in expected losses but increases the cost of audit function. On the other hand, decrease in frequency of internal audit, though may reduce the costs of audit function, results in risk of frauds and errors leading to financial and other losses to the bank. Thus, the decision to increase the frequency of internal audit should be based on a careful analysis of the trade-off between the cost associated with carrying out frequent internal audits vis a vis the expected losses arising out of not carrying out internal audit. This trade-off can be best achieved with the risk-based internal audit, which aims at optimal utilization of internal audit resources with an enterprise-wide risk management perspective.

    This can be pictorially depicted as follows:

    [Figure: risk of losses due to non-audit / cost of internal audit resources (vertical axis) against frequency of internal audit (horizontal axis), with curves AB, CD and EF and point G.]

    1.16 In the above diagram, the curve AB denotes the risk curve, which represents that as the frequency of internal audit increases, the risk of non-detection of ineffective internal controls (and consequently the expected losses) decreases. The curve CD denotes the cost curve, which represents that as the frequency of internal audit increases, the costs associated with carrying out internal audit increase. The curve EF denotes the total cost curve (which includes the cost of non-detection of ineffective internal controls in terms of expected losses and the cost of resources allocated to internal audit function), which decreases upto a certain level and thereafter increases. Point G is where the total cost is at its minimum and is ideal for a risk-based scenario.
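The trade-off in paragraphs 1.14 to 1.16, worked through numerically as an added example that is not part of the Technical Guide. The geometric form of the risk curve, every monetary figure and the three sample audit units are assumptions, chosen only to reproduce curves AB, CD and EF and to locate point G.

```python
"""Added illustration of the cost-benefit trade-off in paragraphs 1.14 to 1.16.

Assumptions, none of which come from the Technical Guide: the geometric form
of the risk curve, every monetary figure, and the three sample audit units.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditUnit:
    name: str
    annual_exposure: float  # expected yearly loss if the unit is never audited
    detection_rate: float   # share of remaining weakness each audit catches
    cost_per_audit: float   # resources consumed by one audit of this unit

    def __post_init__(self):
        if not 0.0 < self.detection_rate <= 1.0:
            raise ValueError("detection_rate must be in (0, 1]")
        if self.annual_exposure < 0 or self.cost_per_audit <= 0:
            raise ValueError("exposure must be >= 0 and audit cost > 0")


def expected_loss(unit, audits_per_year):
    """Risk curve AB: expected losses fall as audit frequency rises."""
    return unit.annual_exposure * (1.0 - unit.detection_rate) ** audits_per_year


def audit_cost(unit, audits_per_year):
    """Cost curve CD: audit resources rise with audit frequency."""
    return unit.cost_per_audit * audits_per_year


def total_cost(unit, audits_per_year):
    """Total cost curve EF: expected losses plus audit resources."""
    return expected_loss(unit, audits_per_year) + audit_cost(unit, audits_per_year)


def optimal_frequency(unit, min_audits=0, max_audits=52):
    """Point G: the frequency with the lowest total cost.

    min_audits models a policy floor (for example, every unit is audited at
    least once a year) that overrides the pure cost minimum.
    Ties are resolved in favour of the lower frequency.
    """
    if min_audits < 0 or max_audits < min_audits:
        raise ValueError("need 0 <= min_audits <= max_audits")
    return min(range(min_audits, max_audits + 1),
               key=lambda f: (total_cost(unit, f), f))


def audit_plan(units, min_audits=1):
    """Return (name, audits per year, total cost) rows, costliest unit first."""
    rows = []
    for unit in units:
        f = optimal_frequency(unit, min_audits=min_audits)
        rows.append((unit.name, f, total_cost(unit, f)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample units: a high-, a medium- and a low-exposure unit.
TREASURY = AuditUnit("Treasury division", 5_000_000, 0.5, 100_000)
RETAIL_BRANCH = AuditUnit("Retail branch", 800_000, 0.5, 60_000)
LOCKERS = AuditUnit("Locker allocation", 50_000, 0.5, 60_000)

if __name__ == "__main__":
    # Tabulate the three curves for the high-exposure unit, then the plan.
    for f in range(0, 9):
        print(f"{f} audits/year: loss={expected_loss(TREASURY, f):>12,.0f} "
              f"cost={audit_cost(TREASURY, f):>10,.0f} "
              f"total={total_cost(TREASURY, f):>12,.0f}")
    for name, f, cost in audit_plan([TREASURY, RETAIL_BRANCH, LOCKERS]):
        print(f"{name}: {f} audits/year, total cost {cost:,.0f}")
```

With these constructed figures the low-exposure unit's cost minimum is zero audits, so its frequency in the plan is set by the one-audit floor rather than by point G.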

    Key Audit Decisions of a Risk-based Internal Audit

    1.17 Keeping the above theoretical background in mind, it is important to note that the risk-based internal audit is an important tool in aiding the management decision in relation to the following aspects of internal audit function.

    Frequency of Audit

    1.18 The risk-based approach of internal audit assists the management in deciding the frequency of the audit. After undertaking the risk assessment of the auditee units in the audit universe, these units can be categorized on the basis of the risk parameters as high, medium or low risk units. These units can then be subjected to the internal audit at a frequency suited to their risk profile. This can be achieved by subjecting the units with a high-risk profile to internal audit more frequently than the units that exhibit a low-risk profile. Thus, risk assessments of audit units determine the frequency of the internal audit and thus assist in optimal allocation of audit resources.

    Scope of Audit

    1.19 Scope of internal audit refers to the extent to which the testing of internal controls in an internal audit assignment should be undertaken. As a general principle, high-risk audit units such as treasury division of the bank should be subject to 100% transactions testing. However, units with a relatively low-risk profile activity such as allocation of the lockers to the customers may be subject to a sample testing. In this connection, members are also advised to refer to the Auditing and Assurance Standard (AAS) 15, Audit Sampling, for guidance on using statistical sampling techniques for undertaking audit assignments. However, the sampling technique proposed to be so adopted should first be placed for the approval of the audit committee, if any.

    Timing of Internal Audit

    1.20 It is a known fact that no internal audit function has the resources to audit all the auditable units simultaneously. Therefore, the third key decision that can be taken using the risk-based internal audit is to ensure that the riskier unit is subject to audit sooner than the less risky audit units. This can be achieved by adoption of a fixed timing policy of internal audit whereby the less risky units are subject to internal audit at known fixed intervals. However, the high-risk audit units can be subject to a random timing policy (where the frequency and timing of audits is unpredictable to the auditable unit). Surprise visits and snap audits, in addition to full-scale internal audit, are components of random timing policy. For auditable units with medium-risk profile, internal audit should be based on conditional timing policy, under which internal audits are scheduled when units exhibit a deterioration of controls or performance along with some key dimension. The deterioration can be observed on the basis of analysis and scrutiny of the key returns on the performance of the auditable unit.

    Size of the Internal Audit Team

    1.21 Risk-based internal audit approach assists the management (where the internal audit function is in-house) and the audit firm (where the internal audit function is outsourced) in determination of the size of the internal audit team. If risk factors reflect the management concerns, then they can be used as a basis for establishing the size of the internal audit team appropriate to address the most important audit units.

    1.22 To ensure that the cost factors are effectively factored into audit decision and the key audit decisions, as explained above, are more risk-based, banks are advised by the RBI to make a gradual move towards risk-based internal audit system which includes, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures prevailing in various areas of a bank's operations. The implementation of risk-based internal audit would mean that greater emphasis is placed on the internal auditor's role in mitigating risks. While focusing on effective risk management and controls, in addition to appropriate transaction testing, the risk-based internal audit would not only offer suggestions for mitigating current risks but also anticipate areas of potential risks and play an important role in protecting the bank from various risks.

    Advantages of Risk-based Internal Audit

    1.23 The advantages of risk-based approach of the internal audit function are as follows:

    - It appropriately defines the audit universe and identifies the auditable units within the entity for which these analyses would be carried out.
    - It assists the management in identification of appropriate risk factors to reflect the management's concerns.
    - It results in development of an appropriate format for evaluating risk factors so that the more important risk factors play a more prominent role in the risk assessment process than less important risk factors.
    - It develops a combination rule for each audit unit, which will properly reflect its riskiness over several risk factors that have been identified and a method of setting up audit priorities for the audit units.
    - It results in appropriate audit coverage plan, which provides a road map for the management of internal audit staff skills so that they are available to carry out audits of appropriate scope when they are needed the most.
    - This risk-based internal audit results in a process oriented audit with a risk management perspective, which gives advice to management on the steps to be taken for effective risk management on a bank-wide basis.

    Risk-based Internal Audit vs. Risk Management Function

    1.24 Though both the risk management and the internal audit (risk-based) functions deal with the risk management systems of the bank, it is necessary to distinguish both the functions. The risk management function of a bank focuses on areas such as identification, monitoring and measurement of risks, development of policies and procedures, use of risk management models, etc. Thus, the end result of the risk management function is development of appropriate policies and procedures for effective risk management on a bank-wide basis.

    1.25 The concept of risk identification and the assessment is also undertaken under the risk-based internal audit framework of the banks. However, unlike risk management function, the risk-based internal audit undertakes an independent risk assessment solely for the purpose of formulating the risk-based audit plan keeping in view the inherent business risks of an activity/location and the effectiveness of the control systems for monitoring those inherent business risks.

    1.26 The primary difference between the two functions viz., risk management and the internal audit, therefore, is the purpose for which the tool of the risk assessment is used. Under the former function, it is used for development of risk management policies and procedures whereas in the latter function, the same is used for formulation of appropriate risk-based audit plan resulting in optimal usage of internal audit resources on a risk sensitive basis.

    1.27 Being an independent and key function in the bank, the risk management department should also be subjected to risk assessment by the risk-based internal audit process and should be audited in accordance with the risk-based audit plan duly approved by the Audit Committee of the Board.

    Chapter 2

    Steps in Risk-based Internal Audit in Banks

    Introduction

    2.1 The adoption of the risk-based approach to the internal audit requires the following four major steps to be adopted by the internal auditors:

    Step 1: Preparation

    2.1.1 The internal auditor should treat the risk-based internal audit assignment as a separate project since it requires significant audit resources and time. For this purpose, it is absolutely essential that the preparation for the project is meticulously planned such that the risk assessment exercises are properly undertaken at a later stage. The output under this step would not only define the size and structure of the internal audit function in the bank, where the bank has an in-house internal audit function or the size of the internal audit team where the internal audit function is outsourced, but also serves as a basis for assignment of clear roles and responsibilities to the participants in the internal audit exercise and communication of the same to them.

    Step 2: Identification of auditable units

    2.1.2 Identification of auditable units constitutes the second step in the risk-based internal audit. Identification of auditable units is relevant to understand the entire audit universe covered under the scope of the risk-based internal audit. It, thus, leads to the conclusion of the uncovered auditable units and the resultant residual risk of non-audit of those auditable units.

    2.1.3 Further, the proposed new capital adequacy framework of RBI (based on the Basel Committee's International Capital Adequacy Framework) also requires identification of business units as a first step in determination of the capital charge required for the operational risk. It would be a prudent decision to combine both the capital adequacy assignment (from an operational risk management perspective) with the risk-based internal audit assignment, as both are complementary to each other.

    Step 3: Conduct risk assessment

    2.1.4 The next step is to identify the risks and categorize the risks as high, medium and low, depending upon the nature of the risks. Risks in the context of the internal audit of banks can be classified as inherent banking business risks such as credit and market risks. In recent years, given the significant volumes of transactions in the retail portfolio of the bank, a new risk, styled as operational risk, has emerged gradually. These risks can be mitigated by adoption of risk management and internal control policies and procedures, formulated by the Board of Directors. However, adoption of appropriate policies and procedures still carries a risk called as control risk that is the risk of failure of control policies and procedures in detection of a material risky situation and addressing it appropriately. In addition to identification of the quantum of the risks at this stage, the trend of the risks (increasing, stable, decreasing) is also identified at this stage.

    2.1.5 Once the risks are classified under inherent business risks and the control risks, each of the auditable units is to be assessed with reference to the identified risk parameters. For this purpose, it is necessary to categorize the entire banking business as identifiable auditable units, each prone to a different level of a risk.

    2.1.6 The objective of the risk assessment process is to draw up a risk-matrix, taking into account both the factors viz., inherent business risks and control risks identified in the earlier step. This risk matrix appropriately places all the auditable units into one among the three categories of risk profiles - high, medium or low.

    2.1.7 The internal audit function, whether in-house or outsourced, should have in place, an independent risk assessment system for focusing on the material risk areas and prioritizing the audit work. The methodology may range from a simple analysis of why certain areas should be audited more frequently than others in the case of small sized banks undertaking traditional banking business, to more sophisticated assessment systems in large sized banks undertaking complex business activities.

    Step 4: Risk-based internal audit plan

    2.1.8 Once the risk matrix is prepared, a risk-based audit plan based on the risk profile of the audit units is prepared. This involves decision to be taken on the frequency, timing and the scope of the internal audit of the auditable unit. These decisions are based on the internal audit priorities and keeping in view the objective of internal audit function as a risk management tool. The risk-based internal audit plan as prepared by the internal audit function of the bank is duly approved by the Audit Committee of the Board of Directors of the Bank.

    2.1.9 The above process is diagrammatically represented as follows:

    [Flowchart]
    Step 1: Preparation - Establish the Project; Specify Objectives; Creation of Organisation Structure
    Step 2: Identification of Auditable units - Identify the auditable units; Determine the risk of non-audit of unidentifiable auditable units; Categorize the risks
    Step 3: Risk Assessment - Identify the auditable units; Conduct risk assessment of auditable unit; Categorize the auditable unit
    Step 4: Risk-based Internal Audit Plan - Finalization of the risk-based internal audit plan; Submission and approval from the Audit Committee
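    The risk matrix of paragraph 2.1.6 and the timing policies of paragraphs 1.20 and 2.1.8 can be turned into a planning routine. The Python code below is an added example, not part of the guide; the combination rule (the higher of the inherent and control ratings wins), the interval constants and the sample units are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ("low", "medium", "high")

# Assumed planning parameters; the guide leaves these to the bank.
FIXED_INTERVAL_DAYS = 540        # low risk: known, fixed interval between audits
RANDOM_WINDOW_DAYS = 180         # high risk: unannounced date somewhere in this window
CONDITIONAL_LEAD_DAYS = 30       # medium risk: audit this soon after deterioration is seen
CONDITIONAL_BACKSTOP_DAYS = 365  # medium risk: longest gap if nothing deteriorates


@dataclass
class AuditableUnit:
    name: str
    inherent_risk: str            # "low" | "medium" | "high"
    control_risk: str             # "low" | "medium" | "high"
    last_audit: date
    deteriorating: bool = False   # flagged from scrutiny of the unit's key returns


def risk_category(unit):
    """Risk-matrix cell for a unit. Assumed combination rule: the higher rating wins."""
    return LEVELS[max(LEVELS.index(unit.inherent_risk), LEVELS.index(unit.control_risk))]


def timing_policy(category):
    """Timing policy per risk profile, as described in paragraph 1.20."""
    return {"low": "fixed", "medium": "conditional", "high": "random"}[category]


def next_audit(unit, today):
    """Return (policy, date of next audit); never earlier than today."""
    policy = timing_policy(risk_category(unit))
    if policy == "fixed":
        due = unit.last_audit + timedelta(days=FIXED_INTERVAL_DAYS)
    elif policy == "random":
        # CSPRNG, not random.random(): the unit must not be able to predict the date.
        due = today + timedelta(days=1 + secrets.randbelow(RANDOM_WINDOW_DAYS))
    elif unit.deteriorating:
        due = today + timedelta(days=CONDITIONAL_LEAD_DAYS)
    else:
        due = unit.last_audit + timedelta(days=CONDITIONAL_BACKSTOP_DAYS)
    return policy, max(due, today)


def audit_plan(units, today):
    """Plan rows (name, category, policy, date), riskiest category first, then by date."""
    rows = [(u.name, risk_category(u)) + next_audit(u, today) for u in units]
    return sorted(rows, key=lambda r: (-LEVELS.index(r[1]), r[3]))


# Constructed sample units (names and ratings are illustrative only).
SAMPLE_UNITS = [
    AuditableUnit("Retail branch deposits", "low", "low", date(2023, 9, 1)),
    AuditableUnit("Trade finance", "medium", "low", date(2023, 5, 1), deteriorating=True),
    AuditableUnit("Cash management", "low", "medium", date(2023, 8, 1)),
    AuditableUnit("Treasury", "high", "medium", date(2023, 3, 1)),
]

if __name__ == "__main__":
    for row in audit_plan(SAMPLE_UNITS, date(2024, 1, 15)):
        print(*row, sep=" | ")
```

    The dates produced for high-risk units are meant to stay within the internal audit function; sharing the plan with the auditable unit would defeat the random timing policy.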

    2.1.10 Each of the above steps are described as follows:

    Preparation

    2.1.11 The first step involves the initiation of the risk-based internal audit process at the bank. The idea at this stage is to treat the risk-based audit concept as a distinct project with an objective of formulation of audit plan with more risk focus at the end of the project. For this purpose, it is absolutely necessary at this stage to:

    - Establish the project team
    - Clarify the roles and responsibilities of the project team
    - Scheduling the project tasks
    - Communication

    2.1.12 Depending upon the size of the bank, the risk-based internal audit project can be handled by a small team of audit professionals or by an individual. While choosing the professionals for this assignment, it should be ensured that they have adequate internal audit and risk management expertise. Few criteria for selection of professionals for this assignment include, experience in conducting risk assessments, audit planning experience and ability to analyze and synthesize a wide range of information.

    2.1.13 After choosing appropriate professionals for the assignment, it is important to clarify the roles and responsibilities of the team members of the risk-based internal audit assignment. This involves designation of a senior professional as the project authority, having overall responsibility for the entire project. The team leader would be assisted by the team members who would be responsible for proposing and executing an approach for implementation of the project. The team would have extensive interactions with the senior management of the auditable units who would be responsible for participation in meetings for identification and assessing the key risks faced by the auditable units.

    2.1.14 As the project gets started, it is important to ensure that the project is accomplished with tight deadlines and reporting responsibilities. This requires formulation of a project plan and providing the team members with appropriate tools such as policies/procedures, checklists for evaluation and the software, if any, necessary to execute the plan and document the results. Effective planning demands communication of the established approach to all the participant units such that all the members of the team are at the same wavelength.

    Identification of auditable units

    2.1.15 The next step towards risk-based internal audit is to identify all the activities that are susceptible to the inherent risk. In line with the proposed Operational Risk Management framework enunciated by RBI, the identification of auditable units can be taken at three different levels as follows:

    Level 1 - lists the main business groups such as corporate finance, trading and sales (treasury function), retail banking, commercial banking, etc.

    Level 2 - lists the product teams in these business groups such as transaction banking, trade finance, general banking, cash management services, etc.

    Level 3 - lists out the products offered in these business groups such as import bills, letter of credit, bank guarantee under trade finance, etc.

    2.1.16 Identification of the auditable units at the first level itself is required for the purpose of the risk-based audit plan. However, the sub-classification into further levels helps the internal audit team to identify and assess the applicable risks to the auditable unit in a more systematic manner.

    Conduct risk assessment

    2.1.17 It should be noted that there are two types of risks in banking business in the context of risk-based internal audit. One that is inherent in the business operations of the bank itself, such as the credit, market and operational risk and the other one is the risk that the controls designed to mitigate these risks may not be effective, typically termed as control risk. Thus, inherent business risks indicate the intrinsic risk in a particular area/activity of the bank. Control risks arise out of inadequate control systems, deficiencies/gaps and/or likely failures in the existing control processes.

    2.1.18 Hence, while undertaking a risk identification exercise under the risk-based audit programme, one should keep in mind that the risk assessment of an auditable unit is largely based on both the inherent and the control risks and should be judged in combination thereof.

    Key Factors Relevant for Risk Assessment

    2.2 Before understanding the risk assessment exercise as per the steps enumerated subsequently, it should be borne in mind that the risk assessment is largely determined by factors such as:

    - Previous internal audit reports and compliance
    - Proposed changes in business lines or change in focus
    - Significant change in management/key personnel
    - Results of latest regulatory examination report
    - Reports of external auditors
    - Industry trends and other environmental factors
    - Time lapsed since last audit
    - Volume of business and complexity of activities
    - Substantial performance variations from the budget

    Keeping the above factors in mind, the risk assessment exercise can be undertaken using the following steps.

    Inherent Business Risks

    2.3 Banks are subject to wide variety of risks in the areas of their operation. All of them can be broadly categorized as credit, market and operational risks. Each of these risks are explained as follows:

    Credit Risk¹

    2.3.1 Credit risk is defined as the possibility of losses associated with diminution in the credit quality of borrowers or counterparties. In a bank's portfolio, losses stem from outright default due to inability or unwillingness of a customer or counterparty to meet commitments in relation to lending, trading, settlement and other financial transactions. Alternatively, losses result from reduction in portfolio value arising from actual or perceived deterioration in credit quality. Credit risk emanates from a bank's dealings with an individual, corporate, bank, financial institution or a sovereign. Credit risk may take one or more of the following forms:

    - Direct lending: principal and/or interest amount may not be repaid
    - Guarantees or letters of credit: funds may not be forthcoming from the constituents upon crystallization of the liability
    - Treasury operations: the payment or series of payments due from the counterparties under the respective contracts may not be forthcoming or ceases
    - Securities trading businesses: funds/securities settlement may not be effected
    - Cross-border exposure: the availability and free transfer of foreign currency funds may either cease or the sovereign may impose restrictions

    2.3.2 Credit risk is more relevant to the auditable units where credit lending function is exercised such as the corporate/retail lending function of the banks. The extent of credit risk may also substantially differ from the units which are dedicated to credit sanctions such as the Credit Department where the risk is higher whereas in other functions where credit sanction is incidental to the main function (such as in branches of banks where sanction of loan against deposits is only incidental as per the delegation of financial powers to the branch manager), the credit risk impact might be lower.

    1. Please refer Reserve Bank of India Guidance Note on Credit Risk Management October 12, 2002.

    Market Risk²

    2.3.3 Market Risk may be defined as the possibility of loss to a bank caused by changes in the market variables. Market Risk is the risk to the bank's earnings and capital due to changes in the market level of interest rates or prices of securities, foreign exchange and equities, as well as the volatilities of those changes. Besides, it is equally concerned about the bank's ability to meet its obligations as and when they fall due. Market risk manifests itself into various forms such as:

    - Liquidity risk: Liquidity risk is the potential inability of the bank to meet its liabilities as and when they become due. It arises when the banks are unable to generate cash to cope with a decline in deposits or increase in assets. It originates from the mismatches in the maturity pattern of assets and liabilities.
    - Interest rate risk: It is the risk where changes in market interest rates might adversely affect a bank's financial condition.
    - Foreign Exchange Risk: It may be defined as the risk that a bank may suffer losses as a result of adverse exchange rate movements during a period in which it has an open position, either spot or forward, or a combination of the two, in an individual foreign currency.

    2. Please refer Reserve Bank of India Guidance Note on Market Risk Management October 12, 2002.

    Operational Risk

    2.3.4 Operational risk has been defined by the Basel Committee on Banking Supervision as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Operational risk may manifest itself in a variety of ways in banking industry such as internal/external fraud, client/product/business practices, damage to physical assets, business disruption and system failure etc. Examples of various contributing factors for operational risks are as follows:

    - People risk: This depends upon the placement, competency of the employees of the bank and the work environment, motivation and turnover/rotation in a bank.
    - Process risk: Risk arising out of execution of transactions involving violation of controls, operational disruptions, exceeding of limits, money laundering, non-observance of contractual commitments, etc.
    - Systems risk: This is the combination of both technology risks resulting in system failure, programming error, communication failure, etc., coupled with the MIS risk.
    - Legal and regulatory risk: Risk of failing to comply with laws and regulations.
    - Reputational risk: The risk of loss of the reputation of the bank in the general public due to the failure to conduct its business up to the standards expected.
    - Event risk: Risk of unanticipated changes in external environment other than macro economic factors.

    Control Risk

    2.4.1 Once the risks are identified as above, it should be ensured that the bank has appropriate risk management systems in place, which define the control environment and prescribe the control procedures for mitigation of the above risks. In this context, it is relevant to understand the concept of the control environment and the control procedures as risk management tools.

    Control Environment

    2.4.2 The Auditing and Assurance Standard 6, Risk Assessments and Internal Control defines the term 'control environment' as the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity. The control environment has an effect on the effectiveness of the specific control procedures and provides the background against which other controls are operated. A strong control environment, for example, one with tight budgetary controls and an effective internal audit function, can significantly complement specific control procedures.

    2.4.3 In a banking organisation, the factors reflected in the control environment include:

    - Organizational structure of the bank and the methods of assigning authority and responsibility including segregation of duties and supervisory functions

    - Role of Board of Directors and its committees in defining control environment and adopting appropriate control procedures

    - Management's philosophy and operating style

    - Management's control system including the internal audit function, personnel policies and procedures

    Control Procedures

    2.4.4 The Auditing and Assurance Standard 6, Risk Assessments and Internal Control defines the term 'control procedures' as those policies and procedures, in addition to the control environment, which the management has established to achieve the entity's specific objectives. In the context of banking organisation, the specific control procedures include:

    - Approving and controlling of documents

    - Segregation of duties and supervisory functions

    - Decision making subject to the 'four eyes' (those of the maker and the checker) concept of management

    - Reporting and reviewing of exceptions

    - Comparing the internal data with external sources of information

    - Restricting direct access to assets, records and information

    - Information system controls, which include controls over changes to computer programs and access to data files

    2.4.5 As observed above, while the establishment of the control environment is the responsibility of the top management of the bank, designing of appropriate control procedures for mitigation of risks is the responsibility of the risk management department. An independent risk management function, operating in a proactive control environment, designs the control procedures, which are to be implemented on a bank-wide basis.

    2.4.6 The internal auditor, while developing a risk-based internal audit plan, should obtain an understanding of the control environment sufficient to assess management's attitudes, awareness and actions regarding internal controls and their importance in the bank. The internal auditor should also obtain an understanding of the control procedures sufficient to develop the risk-based audit plan.

    Internal audit and control risk

    2.4.7 From the point of view of risks, the role of internal audit at this juncture is twofold:

    - Ascertaining the inherent risk of the risk management function and identifying the extent of the areas where the control procedures are not established by the risk management function

    - Evaluating the risk involved in the control procedures designed for mitigation of risks

    Preliminary assessment of control risk

    2.4.8 After obtaining an understanding of the control environment and control procedures and having satisfied himself that control procedures are existent in all the auditable units, the internal auditor should make a preliminary assessment of control risk. The preliminary assessment of control risk is the process of evaluating the likely effectiveness of an entity's control environment and the control procedures in managing the inherent business risks. The preliminary assessment of control risk is based on the assumption that the controls operate generally as designed and described and that they operate effectively throughout the period of intended reliance. There will always be some control risk because of the inherent limitations of any internal control system.

    2.4.9 The preliminary assessment of control risk should be high unless the auditor is able to identify control procedures relevant to the inherent business risk of an auditable unit and ensure that control procedures are adequate to mitigate the business risk. When control risk is assessed at less than high, the internal auditor would also document the basis for the conclusions.

    2.4.10 At this stage the internal auditor should document the understanding obtained of the bank's control environment and the control procedures. He should also decide whether the situation warrants an independent test of control procedures to be performed for understanding the control risk involved.

    2.4.11 Different techniques may be used to document information relating to control environment and procedures. Selection of a particular technique is a matter of the internal auditor's judgment. Common techniques, used alone or in combination, are narrative descriptions, questionnaires, checklists and flow charts. The size and complexity of the auditable unit and the nature of the inherent business risks to which the auditable unit is exposed influence the form and extent of this documentation. Generally, the more complex the control environment and procedures and the more extensive the internal auditor's procedures, the more extensive the auditor's documentation will need to be.

    Tests of control

    2.4.12 Wherever necessary, based on the preliminary assessment of control risk, the internal auditor can undertake the tests of control as a one-time exercise to understand the operation of internal controls designed for an auditable unit in a systematic manner. Tests of control may include:

    - Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have operated properly, for example, verifying that a transaction has been properly authorised

    - Inquiries about, and observation of, internal controls, which leave no audit trail, for example, determining who actually performs each function and not merely who is supposed to perform it

    - Re-performance of internal controls, for example, reconciliation of bank accounts, to ensure they were correctly performed by the entity

    - Testing of internal control operating on specific computerized applications or over the overall information technology function, for example, access or program change controls

    2.4.13 The internal auditor should obtain audit evidence through tests of control to support any assessment of control risk, which is less than high. The lower the assessment of control risk, the more evidence the internal auditor should obtain that internal control systems are suitably designed and operating effectively.

    2.4.14 When obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were applied, the consistency with which they were applied during the period and by whom they were applied. The concept of effective operation recognizes that some deviations may have occurred. Deviations from prescribed controls may be caused by such factors as changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. When deviations are detected, the internal auditor makes specific inquiries regarding these matters, particularly, the timing of staff changes in key internal control functions. The auditor then ensures that the tests of control appropriately cover such a period of change or fluctuation.

    2.4.15 Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk. The evaluation of deviations may result in the internal auditor concluding that the assessed level of control risk needs to be revised. In such cases, the internal auditor would modify the nature, timing and extent of planned substantive procedures.

    Qualitative and quantitative approaches for risk assessment

    2.4.16 The basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out through the use of both qualitative and quantitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of controls in various business activities. In order to focus attention on areas of greater risk to the bank, an activity-wise and location-wise identification of risk should be undertaken.

    2.4.17 In this connection, the principle enunciated in the Auditing and Assurance Standard (AAS) 20, Knowledge of the Business, should be noted which is as follows:

    In performing an audit of financial statements, the auditor should have or obtain knowledge of the business sufficient to enable the auditor to identify and understand the events, transactions and practices that, in the auditor's judgment, may have a significant effect on the financial statements or on the examination or audit report. Such knowledge is used by the auditor in assessing inherent and control risks and in determining the nature, timing and extent of audit procedures.

    Risk Matrix

    2.4.18 After the inherent and control risks are identified, the auditor should map both the risks to ensure that the combination of both the risks is at an acceptable level. For this purpose, the auditor has to juxtapose the inherent business risks and the control risk in a systematic manner. The resultant scenario determines the risk appetite of a particular audit unit, which is the key input for determination of risk-based audit plan for that particular auditable unit. A typical risk matrix looks as follows:

    Risk Matrix

    Inherent risk | Control risk: Low | Control risk: Medium | Control risk: High

    High | A | B | C

    Medium | D | E | F

    Low | G | H | I

    An explanation of the risk appetite underlying the above auditable units is as follows:

    S. No | Auditable Unit | Nature of risk | Explanation

    1. | A | High Risk | Although the control risk is low, this is a High Risk area due to high inherent business risks.

    2. | B | Very High Risk | The high inherent business risk coupled with medium control risk makes this a Very High Risk area.

    3. | C | Extremely High Risk | Both the inherent business risk and control risk are high, which makes this an Extremely High Risk area. This area would require immediate audit attention, maximum allocation of audit resources besides ongoing monitoring by the bank's top management.

    4. | D | Medium Risk | Although the control risk is low, this is a Medium Risk area due to medium inherent business risks.

    5. | E | High Risk | Although the inherent business risk is medium, this is a High Risk area because of control risk also being medium.

    6. | F | Very High Risk | Although the inherent business risk is medium, this is a Very High Risk area due to high control risk.

    7. | G | Low Risk | Both the inherent business risk and control risk are low.

    8. | H | Medium Risk | The inherent business risk is low and the control risk is medium.

    9. | I | High Risk | Although the inherent business risk is low, due to high control risk this becomes a High Risk area.

    Risk-based Internal Audit Plan

    2.5.1 Once the risk assessment exercise is undertaken by the internal auditor and the auditable units are arranged as per the risk matrix as explained above, the next step is to devise the risk-based audit plan detailing out the priorities, nature, timing and extent of internal audit procedures in an auditable unit with reference to the risk categorization of the auditable unit. Internal audit priorities are driven primarily by the need to assess the risk management practices and controls to varying levels of assurance or by a need for advice.

    Scope

    2.5.2 The precise scope of risk-based internal audit must be determined by each bank for low, medium, high, very high and extremely high risk areas. However, as per the extant guidelines of RBI, at the minimum, it must review/report on:

    - Process by which risks are identified and managed in various areas

    - The control environment in various areas

    - Gaps, if any, in control mechanism which might lead to frauds, identification of fraud prone areas

    - Data integrity, reliability and integrity of MIS

    - Internal, regulatory and statutory compliance

    - Budgetary control and performance reviews

    - Transaction testing/verification of assets to the extent considered necessary

    - Monitoring compliance with the risk-based internal audit report

    - Variation, if any, in the assessment of risks under the audit plan vis-à-vis the risk-based internal audit.

    2.5.3 The scope of risk-based internal audit should also include a review of the systems in place for ensuring compliance with money laundering controls; identifying potential inherent business risks and control risks, if any; suggesting various corrective measures; and undertaking follow up reviews to monitor the action taken thereon.

    2.5.4 The contents of risk-based audit plan are normally as follows:

    (i) Audit Universe: The risk-based audit plan at the outset lists down the entire auditab