1) INTRODUCTION TO INTERNAL AUDIT:
Because the financial sector changes constantly, a bank places considerable reliance on its internal auditors, and internal audit has become a proactive exercise. Internal auditors are expected to provide assurance on the adequacy and effectiveness of internal controls and to state clearly whether risks are being managed within acceptable limits. Internal Audit provides independent assurance on the effectiveness of internal controls and risk management processes, which enhances governance and helps the bank achieve its organisational objectives.
Internal audit is part of the ongoing monitoring of the bank’s system of internal controls and it is an independent assessment of the adequacy of, and compliance with, the bank’s established policies and procedures. As such, the internal audit function assists senior management and the board of directors in the efficient and effective discharge of their responsibilities. Internal Audit provides assurance that there is transparency in reporting, a part of good governance.
2) NEED FOR INTERNAL AUDIT OF BANKS:
Internal Audit serves as an effective tool that could be used to bridge the gap between top management and the operators in order to assure that the policies and all the control systems laid down are adhered to.
A sound internal audit function plays an important role in contributing to the effectiveness of the internal control system. The audit function should provide high quality counsel to management on the effectiveness of risk management and internal controls including regulatory compliance by the bank.
The evolvement of financial instruments and markets has enabled banks to undertake varied risk exposures. In the context of these developments and the progressive deregulation and liberalisation of the Indian financial sector, having in place effective risk management and internal control systems has become crucial to the conduct of banking business. This is also significant in view of proposed introduction of the New Basel Capital Accord under which capital maintained by a bank will be more closely aligned to the risks undertaken and Reserve Bank’s proposed move towards risk-based supervision (RBS) of banks.
With the RBI governing and regulating every aspect of commercial banks through guidelines and circulars, bank managements are focused on building a robust framework that will identify, assess and manage financial risks. Internal audit of banks is necessary to achieve this target.
3) IMPORTANCE OF RISK BASED INTERNAL AUDIT OF BANKS:
To achieve these objectives, banks will have to gradually move towards risk-based internal audit which will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures prevailing in various areas of a bank’s operations. The implementation of risk-based internal audit would mean that greater emphasis is placed on the internal auditor’s role in mitigating risks. While focusing on effective risk management and controls, in addition to appropriate transaction testing, the risk-based internal audit would not only offer suggestions for mitigating current risks but also anticipate areas of potential risks and play an important role in protecting the bank from various risks.
4) RISK BASED INTERNAL AUDIT (RBIA)
A. Objective of Risk Based Internal Audit
♦ Risk-based internal audit undertakes an independent risk assessment solely for the purpose of formulating the risk-based audit plan, keeping in view the inherent business risks of an activity/location and the effectiveness of the control systems for monitoring the inherent risks of that business activity.
♦ It needs to be emphasized that while formulating the audit plan, every activity/location of the bank, including the risk management function, should be subjected to risk assessment by the risk-based internal audit.
B. Policy for Risk Based Internal Audit
♦ The focus will shift from the present system of full-scale transaction testing to risk identification, prioritization of audit areas and allocation of audit resources in accordance with the risk assessment.
♦ Banks need to develop a well-defined policy, duly approved by the Board, for undertaking risk-based internal audit.
♦ The policy should include the risk assessment methodology for identifying the risk areas based on which the audit plan would be formulated.
♦ The policy should also lay down the maximum time period beyond which even the low risk business activities/locations should not remain unaudited.
C. Independence of the Internal Audit Team:
♦ The Internal Audit Department should be independent from the internal control process in order to avoid any conflict of interest and should be given an appropriate standing within the bank to carry out its assignments.
♦ It should not be assigned the responsibility of performing other accounting or operational functions.
♦ The internal audit head should report to the Board of Directors/Audit Committee of the Board.
D. Risk Assessment:
♦ The risk assessment done by the internal audit team is solely for the purpose of formulating the risk-based audit plan.
♦ The risk assessment process should include the following:
→ Identification of the inherent risks in various activities undertaken by the bank. – INHERENT RISK
→ Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities. – CONTROL RISK
→ Drawing up a risk matrix that takes into account both factors – Inherent risk & Control risk
The basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out.
The risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of controls in various business activities. In order to focus attention on areas of greater risk to the bank, an activity-wise and location-wise identification of risk should be undertaken.
Inherent business risks indicate the intrinsic risk in a particular area/activity of the bank and could be grouped into low, medium and high categories depending on the severity of risk.
Control risks arise out of inadequate control systems, deficiencies/gaps and/or likely failures in the existing control processes. The control risks could also be classified into low, medium and high categories.
The overall risk assessment as reflected in each cell of the risk matrix is explained below (each cell combines one level of control risk with one level of inherent risk):

| Cell | Overall risk | Control risk | Inherent risk |
|------|--------------|--------------|---------------|
| A | High Risk | Low | High |
| B | Very High Risk | Medium | High |
| C | Extremely High Risk | High | High |
| D | Medium Risk | Low | Medium |
| E | High Risk | Medium | Medium |
| F | Very High Risk | High | Medium |
| G | Low Risk | Low | Low |
| H | Medium Risk | Medium | Low |
| I | High Risk | High | Low |
The banks should also analyse the inherent business risks and control risks with a view to assessing whether these show a stable, increasing or decreasing trend. Illustratively, if an area falls within cell ‘B’ or ‘F’ of the Risk Matrix and the risks show an increasing trend, that area would require immediate audit attention and maximum allocation of audit resources, besides ongoing monitoring by the bank’s top management. The Risk Matrix should be prepared for each business activity/location. The scope of risk-based internal audit should also include a review of the systems in place for ensuring compliance with money laundering controls and for identifying potential inherent business risks and control risks.
The risk assessment methodology should include the following parameters:
√ Previous internal audit reports and compliance
√ Proposed changes in business lines or change in focus
√ Significant change in management / key personnel
√ Results of latest regulatory examination report
√ Reports of external auditors
√ Industry trends and other environmental factors
√ Time lapsed since last audit
√ Volume of business and complexity of activities
√ Substantial performance variations from the budget
For the risk assessment to be accurate, it will be necessary to have in place proper MIS and data integrity. The internal audit function should be kept informed of all developments such as introduction of new products, changes in reporting lines, changes in accounting practices/policies etc. The risk assessment should invariably be undertaken on a yearly basis. The assessment should also be periodically updated to take into account changes in business environment, activities and work processes, etc.
E. Risk Based Internal Audit Plan:
While examining the effectiveness of the control framework, the risk-based internal audit should report on proper recording and reporting of major exceptions and excesses. Transaction testing would continue to remain an essential aspect of risk-based internal audit; the extent of transaction testing will have to be determined based on the risk assessment.
The Audit Plan should prioritize audit work to give greater attention to the areas of:
(i) High Magnitude and high frequency
(ii) High Magnitude and medium frequency
(iii) Medium magnitude and high frequency
(iv) High magnitude and low frequency
(v) Medium Magnitude and medium frequency.
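The risk matrix, the trend rule for cells B and F, the Board-approved maximum period beyond which even low-risk areas may not stay unaudited, and the allocation of audit resources in accordance with the assessment can be combined into a small planning routine. The following Python is an added illustration and is not part of the article or of any RBI circular; the 24-month limit, the annual audit capacity, the ranking rule among mandatory items, and the sample activities/locations are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Level of an inherent business risk or of a control risk."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Risk matrix exactly as tabulated in the article:
# (inherent risk, control risk) -> (cell letter, overall assessment).
RISK_MATRIX = {
    (Level.HIGH,   Level.LOW):    ("A", "High Risk"),
    (Level.HIGH,   Level.MEDIUM): ("B", "Very High Risk"),
    (Level.HIGH,   Level.HIGH):   ("C", "Extremely High Risk"),
    (Level.MEDIUM, Level.LOW):    ("D", "Medium Risk"),
    (Level.MEDIUM, Level.MEDIUM): ("E", "High Risk"),
    (Level.MEDIUM, Level.HIGH):   ("F", "Very High Risk"),
    (Level.LOW,    Level.LOW):    ("G", "Low Risk"),
    (Level.LOW,    Level.MEDIUM): ("H", "Medium Risk"),
    (Level.LOW,    Level.HIGH):   ("I", "High Risk"),
}

# Ordinal score of each overall assessment, used to rank audit areas.
SEVERITY = {"Low Risk": 1, "Medium Risk": 2, "High Risk": 3,
            "Very High Risk": 4, "Extremely High Risk": 5}

# The article says the Board-approved policy must fix this limit but gives
# no figure; 24 months is an assumed value for this example only.
MAX_UNAUDITED_MONTHS = 24


@dataclass
class AuditArea:
    name: str                 # business activity or location
    inherent: Level           # inherent business risk
    control: Level            # control risk
    trend: str                # "increasing", "stable" or "decreasing"
    months_since_audit: int   # time lapsed since the last audit


def assess(area: AuditArea) -> dict:
    """Place one activity/location in the risk matrix and apply the trend and age rules."""
    cell, overall = RISK_MATRIX[(area.inherent, area.control)]
    # Article: cell B or F with an increasing trend needs immediate audit attention.
    immediate = cell in ("B", "F") and area.trend == "increasing"
    # Policy rule: even low-risk areas must not remain unaudited beyond the limit.
    overdue = area.months_since_audit >= MAX_UNAUDITED_MONTHS
    return {"name": area.name, "cell": cell, "overall": overall,
            "severity": SEVERITY[overall], "immediate": immediate,
            "overdue": overdue, "months_since_audit": area.months_since_audit}


def audit_plan(areas: list[AuditArea], capacity: int) -> list[str]:
    """Select the areas to audit this cycle.

    Areas needing immediate attention and areas past the unaudited limit are
    mandatory; the remaining capacity goes to the highest overall risk, with
    older audits first on ties (ranking rule assumed for this example).
    """
    rows = sorted((assess(a) for a in areas),
                  key=lambda r: (r["severity"], r["months_since_audit"]),
                  reverse=True)
    mandatory = [r for r in rows if r["immediate"] or r["overdue"]]
    optional = [r for r in rows if not (r["immediate"] or r["overdue"])]
    if len(mandatory) > capacity:
        raise ValueError("audit capacity is below the mandatory coverage")
    chosen = mandatory + optional[:capacity - len(mandatory)]
    return [r["name"] for r in chosen]


# Constructed sample activities/locations for the illustration.
SAMPLE_AREAS = [
    AuditArea("Treasury dealing room", Level.HIGH, Level.MEDIUM, "increasing", 6),
    AuditArea("Retail branch X", Level.LOW, Level.LOW, "stable", 26),
    AuditArea("Trade finance", Level.HIGH, Level.HIGH, "stable", 10),
    AuditArea("Card operations", Level.MEDIUM, Level.LOW, "decreasing", 3),
]

if __name__ == "__main__":
    for area in SAMPLE_AREAS:
        print(assess(area))
    # Assumed capacity of three audits in the cycle.
    print(audit_plan(SAMPLE_AREAS, capacity=3))
```

With the sample data, the treasury area lands in cell B with an increasing trend and is mandatory, the low-risk branch is mandatory only because it has passed the assumed 24-month limit, and the one remaining slot goes to the extremely-high-risk trade finance area; the medium-risk card operations area is deferred. Raising an error when mandatory coverage exceeds capacity is deliberate: the plan should surface a resourcing problem to the Audit Committee rather than silently drop a required audit.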
F. Risk Based Internal Audit Report:
The report must review/report on:-
a) process by which risks are identified and managed in various areas;
b) the control environment in various areas;
c) gaps, if any, in control mechanism which might lead to frauds, identification of fraud prone areas;
d) data integrity, reliability and integrity of MIS;
e) internal, regulatory and statutory compliance;
f) budgetary control and performance reviews;
g) transaction testing/verification of assets to the extent considered necessary;
h) monitoring compliance with the risk-based internal audit report;
i) variation, if any, in the assessment of risks under the audit plan vis-à-vis the risk-based internal audit.
G. Communication:
The communication channels between the risk-based internal audit staff and management should encourage reporting of negative and sensitive findings. All serious deficiencies should be reported to the appropriate level of management as soon as they are identified. Significant issues posing a threat to the bank’s business should be promptly brought to the notice of the Board of Directors, Audit Committee or top management, as appropriate.
H. Performance Evaluation:
The Internal Audit Department should conduct periodical reviews, annually or more frequently, of the risk-based internal audit undertaken by it vis-à-vis the approved audit plan. The performance review should also include an evaluation of the effectiveness of risk-based internal audit in mitigating identified risks.
The Board of Directors/Audit Committee of Board should periodically assess the performance of the risk-based internal audit for reliability, accuracy and objectivity. Variations, if any, in the risk profile as revealed by the risk-based internal audit vis-à-vis the risk profile as documented in the audit plan should also be looked into to evaluate the reasonableness of risk assessment methodology of the Internal Audit Department.
5) CONCLUSION:
Nowadays banks outsource risk-based internal audit assignments; before engaging a vendor, however, the bank should perform due diligence to satisfy itself that the outsourcing vendor has the necessary expertise to undertake the contracted work. Risk-based internal audit is expected to be an aid to the ongoing risk management in banks by providing the necessary checks and balances in the system. However, since risk-based internal audit will be a fairly new exercise for most Indian banks, a gradual but effective approach would be necessary for its implementation. Initially the risk-based internal audit may be used as a management/audit tool in addition to the existing internal audit/inspection. Once the risk-based internal audit stabilizes and the staff attain proficiency, it should replace the existing internal audit/inspection. The information systems audit (IS Audit) should also be carried out using the risk-based approach.