Financial auditing is the process of examining an organization’s (or individual’s) financial records to determine if they are accurate and in accordance with any applicable rules (including accepted accounting standards), regulations, and laws. This process of auditing is carried out with different objectives. If the objective of the auditor is to establish the fairness of the financial results, it is called External Auditing; when the exercise is done with the objective of judging the effectiveness of Internal Control Systems, it is called Internal Audit; when efforts are aimed at ensuring compliance with management’s plans and policies, it is Management Auditing; and finally, when efforts are directed towards diagnosis, assessment, incorporation and mitigation of the risk involved in transactions, procedures and flow, it is Risk Based Internal Audit.
The Institute of Internal Auditors defines Risk Based Internal Auditing (RBIA) as a methodology that links internal auditing to an organization’s overall risk management framework and that allows internal audit to provide assurance to the board that risk management processes are managing risk effectively, in relation to the risk appetite.
Compliance Procedures are tests designed to obtain reasonable assurance that those internal controls on which audit reliance is to be placed are in effect. The auditor needs to ensure that the internal controls exist, that they are operating effectively, and that they have been operating continuously throughout the period under audit, so that they can be relied upon. In summary, by doing Compliance Tests, the auditor is able to ascertain the existence, effectiveness and continuity of the internal control system.
Substantive Procedures are tests designed to obtain evidence to ensure the completeness, accuracy and validity of the data produced by the accounting system.
Shift :- In earlier periods, Internal Auditing in Banks was done by checking transactions to ensure fairness of the data and compliance with extant guidelines. Nowadays, auditing is done with the objective of assessing, measuring and mitigating the risk involved in Events & Transactions and the Internal Control Mechanism or, in simpler words, the Work flow.
The various risks involved in the Banking Sector are as follows :-
A. Credit Risks
Credit risk is the risk that arises from the possibility of non-payment of loans by the borrowers. Although credit risk is largely defined as the risk of not receiving payments, banks also include the risk of delayed payments within this category. Oftentimes these cash flow risks are caused by the borrower becoming insolvent. Hence, such risk can be avoided if the bank conducts a thorough check and sanctions loans only to individuals and businesses that are not likely to run out of income over the period of the loan. Credit rating agencies provide adequate information to enable the banks to make informed decisions in this regard.
The profitability of a bank is extremely sensitive to credit risks. Hence, even if credit risk rises by a small amount, the profitability of the bank can be severely affected. Therefore, to deal with such risks banks have come up with a wide variety of measures. For instance, banks always hold a certain amount of funds in reserves to mitigate such risks. The moment a loan is made, a certain amount of money is appropriated to the provision account. Also, banks have started utilizing tools like structured finance to mitigate such risks. Securitization helps remove the concentrated risk from the bank’s books and diffuse it amongst the various investors in the capital markets. Credit derivatives like the credit default swap have also come into existence to help banks survive in the event of a credit default. Unpaid loans were, are and will always be a byproduct of conducting the banking business. Modern banks have realized this and are prepared to handle the situation without becoming insolvent until a catastrophic loss occurs.
B. Operational Risks
Banks have to conduct massive operations in order to be profitable. Economies of scale work in favor of larger banks. Hence, maintaining consistent internal processes on such a large scale is an extremely difficult task. Operational risk occurs as the result of failed business processes in the bank’s day-to-day activities. Examples of operational risk would include payments credited to the wrong account or executing an incorrect order while dealing in the markets. None of the departments in a bank are immune from operational risks. Operational risks arise mainly because of hiring the wrong people; alternatively, they could also occur if there is a breakdown of the information technology systems. A lapse in the internal processes being followed could also lead to catastrophic errors. For instance, Barings Bank ended up bankrupt because of its failure to implement appropriate internal controls. One trader was able to bet so much in the derivatives market that the equity of Barings Bank was wiped out and the bank simply ceased to exist.
C. Earnings at risk is the amount of change in net income due to changes in interest rates over a specified period. It helps investors and risk professionals understand the impact that a change in interest rates can make on a company’s financial position and cash flow.
D. Deposit risk is one type of liquidity risk of a financial institution that is generated by deposits with defined maturity dates (such deposits are called time or term deposits) or without them (such deposits are called demand or non-maturity deposits).
E. Deposit risk is a risk of probable cash outflows from a financial institution that is caused by changes in depositors’ behavior. In turn, it consists of early withdrawal or redemption risk, rollover risk and run risk.
I. Early withdrawal risk of time deposits is the risk that a depositor withdraws his or her deposit from an account before the agreed-upon maturity date. It might occur when the corresponding option was declared in a deposit agreement or determined by local laws. When an early withdrawal is made, the depositor usually incurs an early withdrawal fee or penalty.
II. Rollover risk of time deposits is the risk that a depositor refuses to roll over his or her matured time deposit.
III. Run risk of non-maturity deposits is the risk that a depositor takes back money from his or her accounts at any time. Thus, run risk has characteristics of both early withdrawal and rollover risks. For instance, it occurs when depositors expect a bank to fail.
As a result, these risks might lead to a drop in, or even a loss of, the liquidity of a financial institution if it cannot attract new deposits to replace the withdrawn ones. The inability of the financial institution to refinance by borrowing in order to repay existing deposits is called refinancing risk.
F. Bank Branch Risk
Conducting branch risk assessments is an essential part of Risk Based Audit.
The various risks in Branch Management are :-
Lack of Continuity: Changes in the organization or development of new business lines may result in new activities even though existing ones are more effective.
Lack of Coordination: Often, activities apply to multiple risks or commitments across functional lines. The inability to formally tie activities to risks or commitments hinders inter-functional coordination, resulting in business silos and duplication of effort.
Activity Fatigue: Staff may ignore certain activities because of a lack of time to assess them.
Wasted Resources: If a risk changes, most branches would have no way of knowing how (or even if) these changes will affect their resources and activities.
Activity Obsolescence: In a changing environment, there is no effective way to know when activities no longer apply.
Lack of Prioritization: Picking activities to focus on is likely to be on an ad hoc basis and subject to the whims of current staff.
How Risk is Assessed :-
Risk Assessment can be defined as the “overall process of risk analysis and risk evaluation”. Risk assessment has also been defined as “identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risk should be managed” [as defined by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission]. Risk Assessment has three processes, viz. risk identification, risk estimation and risk evaluation. The objective of the risk assessment process is to draw up a risk-matrix, taking into account both factors, viz. inherent business risks and control risks. The risk matrix appropriately places all the auditable branches or offices into one among the three categories of risk profiles: high, medium or low.
The risk assessment process includes the following:
a) Determining the vulnerability of each activity undertaken by the BU.
b) Identification of inherent business risks in the various activities undertaken by the BU.
c) Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities (‘Control risk’).
d) Drawing up a risk-matrix taking into account both factors, viz. inherent business risks and control risks.
Once the risk matrix is prepared, a risk-based audit plan based on the risk profile of the BUs is prepared. This involves decisions to be taken on the frequency, timing and scope of the internal audit of the auditable BU. These decisions are based on the internal audit priorities, keeping in view the objective of the internal audit function as a risk management tool. The risk-based internal audit plan as prepared by the internal audit function of the Bank is duly approved by the Chairman/Audit Committee of the Board of Directors of the Bank.
Why RBIA :-
The evolution of financial instruments and markets has enabled banks to undertake varied risk exposures. In the context of these developments and the progressive deregulation and liberalisation of the Indian financial sector, having in place effective risk management and internal control systems has become crucial to the conduct of banking business. This is also significant in view of the proposed introduction of the New Basel Capital Accord, under which capital maintained by a bank will be more closely aligned to the risks undertaken, and the Reserve Bank’s proposed move towards risk-based supervision (RBS) of banks. Under the proposed RBS approach, the supervisory process would seek to leverage the work done by internal auditors of banks. In this regard, the discussion paper on ‘Move towards risk-based supervision of banks’ dated August 13, 2001 may be referred to. Part II of the discussion paper clearly identifies five significant areas for action on the part of banks, including putting in place a risk-based internal audit system by December 2002, to facilitate a smooth switchover to RBS.
Advantages of Risk-based Internal Audit :-
The advantages of the risk-based approach of the internal audit function in Banks are as follows:
It appropriately defines the audit universe and identifies the auditable branches within the Bank for which these analyses would be carried out.
It assists the management in the identification of appropriate risk factors to reflect the management’s concerns.
It results in the development of an appropriate format for evaluating risk factors so that the more important risk factors play a more prominent role in the risk assessment process than less important risk factors.
It develops a combination rule for each branch, which will properly reflect its riskiness over the several risk factors that have been identified, and a method of setting up audit priorities for the branches.
It results in an appropriate audit coverage plan, which provides a roadmap for the management of internal audit staff skills so that they are available to carry out audits of appropriate scope when they are needed the most.
This risk-based internal audit results in a process-oriented audit with a risk management perspective, which gives advice to management on the steps to be taken for effective risk management on a bank-wide basis.