Exposure Draft of Standard on Internal Audit (SIA) 130, Risk Management (Comments to be received by February 05, 2020)
STANDARD ON INTERNAL AUDIT (SIA) 130
The Internal Audit Standards Board of the Institute of Chartered Accountants of India (ICAI) invites comments on Standard on Internal Audit (SIA) 130, Risk Management.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
Comments can be e-mailed to either firstname.lastname@example.org or email@example.com.
Last date for sending comments is February 05, 2020.
Note: This Standard on Internal Audit (SIA) 130 seeks to revise and supersede SIA 13, “Enterprise Risk Management”, issued in February 2009 (in recommendatory form by the Board). This SIA will become mandatory from its effective date.
Introduction and Scope
Definition of Risk Management
Responsibility of the Board and Management
Responsibility of the Internal Auditor
This Standard on Internal Audit (SIA) 130, “Risk Management,” issued by the Council of the Institute of Chartered Accountants of India (ICAI) should be read in conjunction with the “Preface to the Standards on Internal Audit”, “Framework Governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.
1.1 Risk Management is a key concept in internal audit, and this Standard seeks to clarify both the concept and the responsibilities of the Internal Auditor, Management and other Stakeholders with respect to risk management, keeping in mind the legal, regulatory and professional obligations.
1.2 The definition of Internal Audit in the “Framework Governing Internal Audits” (refer Para 3.1) identifies providing independent assurance on the effectiveness of internal controls and risk management processes as a basic expectation of internal audit. The definition further elaborates on the term “Risk Management” by clarifying that it is an integral part of the management function and business operations.
1.3 Scope: This Standard applies to all risk-based internal audits, and to any audit in which the risk management framework is the subject matter being assessed, evaluated and reported on.
2.1 The purpose of this Standard on Risk Management is to:
(a) Provide a common terminology by defining various risk management terms to prevent ambiguity or confusion on the subject matter;
(b) Explain the responsibilities of the Board of Directors and management with regard to risk management, as mandated by law and regulations; and
(c) Specify the responsibilities of the internal auditor, especially when providing assurance on the risk management framework.
2.2 The overall objective of this Standard is to clarify the increasing responsibilities of management and auditors over risk management, and what requirements need to be met to assess, evaluate, report and provide assurance over risk management.
3. Definition of Risk Management
3.1 Risk is defined as the possibility of occurrence of an uncertain event in the future which could prevent the organisation from achieving its goals and objectives. Risk is therefore the product of two variables: impact and probability of occurrence. Risk can be broadly classified by area of impact, such as strategic, reputational, operational, financial, compliance, etc.
3.2 Risk Management is a process with a series of steps, taken on a continuous basis to identify the risks, assess them for severity and likelihood, prioritise them for action and to minimise their possible negative impact through mitigation actions. The process also encompasses the monitoring and reporting of the status of these risks.
3.3 Risk Management Framework is the combination of structure, systems and processes put in place to organise the various risk management activities and to integrate them seamlessly into the organisation. It incorporates the formation and functioning of risk management teams or committees, a documented risk management policy, continuous training activities, maintenance of an automated database to capture and monitor individual risks and their mitigation steps, periodic and formal communication of status, etc. These frameworks may be focused on certain specific areas, such as a financial risk framework, an operational risk framework, a fraud risk framework, etc.
3.4 Enterprise Risk Management is a term used to refer to various risk management frameworks uniformly applied on an entity-wide basis for a comprehensive approach to managing risks. It usually involves a separate and dedicated risk management function or department, led by a (Chief) Risk Officer, to support those charged with governance in achieving organisation objectives through risk management.
4. Responsibility of the Board and Management
4.1 Companies Act, 2013 imposes overall responsibility on the Board of Directors with regard to risk management. Clause (n) of Section 134 (3) requires the report of the Board of Directors to include,
(n) a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company;
4.2 In addition, Schedule IV of Companies Act, 2013 on “Code for Independent Directors”, Section II, Roles and function, requires them to,
(1) help in bringing an independent judgment to bear on the Board’s deliberations especially on issues of strategy, performance, risk management;
(4) satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible;
4.3 For listed companies, as per The Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 (“LODR”), the Company has additional responsibilities on risk management. Regulation 17(9) of LODR mandates one of the responsibilities of the Company and its Board of Directors, as:
(9) (a) The listed entity shall lay down procedures to inform members of board of directors about risk assessment and minimization procedures.
(b) The board of directors shall be responsible for framing, implementing and monitoring the risk management plan for the listed entity.
In addition, Regulation 21 of the LODR mandates the constitution of a Risk Management Committee for the top 500 listed entities.
4.4 Hence, the overall responsibility for developing, implementing and monitoring of risk management rests with the Board of Directors and Management.
5. Responsibility of the Internal Auditor
5.1. Unless specifically excluded from the audit approach, the Internal Auditor shall plan and conduct risk-based internal audits. This requires deploying risk management concepts to ensure that audits are prioritised in areas of importance, that appropriate resources are allocated effectively where they are needed most, that audit procedures are designed to give due attention to important matters, and that the issues identified and reported are significant in nature (refer para 6.1).
5.2. The nature and extent of audit procedures to be conducted in the area of risk management depend on the maturity of the risk processes and framework in place. Where management has implemented a risk management framework, the Internal Auditor shall plan and perform audit procedures to evaluate the design, implementation and operating effectiveness of the organisation’s risk management framework, in order to provide independent assurance to management and those charged with governance (refer paras 6.2 and 6.3).
5.3. Where the independent assurance requires the issuance of an audit opinion on the design, implementation and operating effectiveness of risk management, this shall be undertaken in line with the requirements of SIA 110, “Nature of Assurance”, especially with regard to the need to have a formal Risk Management Framework in place, which shall form the basis of such an assurance (refer para 6.4).
5.4. Where there is no formal risk management framework in place, the Internal Auditor shall design and conduct audit procedures with a view to highlighting any exposures arising from absent or weak risk processes, and shall make recommendations to formalise and strengthen the risk processes and framework, thereby improving risk maturity.
5.5. The Internal Auditor shall not assume any responsibility to manage the risks or to take risk management decisions. Neither is it the responsibility of the Internal Auditor to mitigate or resolve the risks.
6. Explanatory Comments
6.1. Risk Based Internal Audit (refer Para 5.1): Para 3.6 of “Basic Principles of Internal Audit”, on Risk Based Audits, requires the Internal Auditor to conduct audits based on a risk assessment exercise. The SIAs on Audit Planning (SIA 220, “Conducting Overall Internal Audit Planning” and SIA 310, “Planning the Internal Audit Assignment”) mandate the Internal Auditor to conduct risk-based audit planning to ensure that due attention is given to matters of importance, complexity and sensitivity. Similarly, SIA 370, “Reporting Results”, expects the auditor to consider the risk of the observations in deciding the matters to be reported.
6.2. Auditing Risk Management Framework (refer Para 5.2): The Internal Auditor shall perform audit procedures over the risk management framework with an overall objective to review the organisation’s ability to:
(a) identify all risks,
(b) assess them objectively,
(c) respond to them in such a manner where unmitigated risks are within the tolerance level; and
(d) monitor and report their status in a timely manner, to enable achievement of organisation objectives.
6.3. Audit Objectives on Risk Framework (refer Para 5.2): The work to be performed by the Internal Auditor on the risk management framework shall be directed to ensure that:
(a) The organisation has designed the framework consistent with globally recognised frameworks, such as ISO 31000;
(b) The organisation has implemented various enabling mechanisms, such as a Risk Management Committee, a Risk Management Policy, selection of a leader, and assignment/allocation of resources with defined roles and responsibilities, etc.; and
(c) The systems and processes in place are operating in an effective and efficient manner and are helping to support full compliance.
Any shortcoming shall result in recommendations for improvement and suggestions on how to make the risk management framework more efficient and effective consistent with its stated objectives.
6.4. Independent Assurance over Risk Management (refer Para 5.3): Where a written assurance report is being issued, the Internal Auditor shall consider the following as a basis for the opinion:
(a) The linkage of the risk management framework with the system of CEO/CFO certification on Internal Controls; and
(b) Certificates of self-compliance from owners of key risks to support a system of continuous compliance.
7. Effective Date
7.1. This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.