AUDIT SHIFTS TO RISK BASED INTERNAL AUDIT (RBIA) IN BANKS – PART- 1

By: Dr. Sanjiv Agarwal
February 7, 2014

What is RBIA

Risk Based Internal Audit (RBIA) has been prescribed by the Reserve Bank of India for implementation by banks. Under RBIA, Banks have shifted focus from the prevailing system of full-scale transaction testing to risk identification, prioritization of audit areas and allocation of audit resources in accordance with the risk assessment. Banks have, therefore, developed a well-defined policy, duly approved by the Board, for undertaking risk-based internal audit. The policy includes the risk assessment methodology for identifying the risk areas on which the audit plans are formulated. The policy should also lay down the maximum time period beyond which even low-risk business activities / BUs would not remain unaudited.

The Risk-Based Internal Audit, inter alia, undertakes risk assessment for the purpose of formulating the risk-based audit plan. The risk assessment would, as an independent activity, cover risks at various levels as well as the processes in place to identify, measure, monitor, control and investigate the risks.

Risk Assessment

Risk Assessment can be defined as the "overall process of risk analysis and risk evaluation". Risk assessment has also been defined as "identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risk should be managed". [As defined by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission].

Risk Assessment has three processes, viz. risk identification, risk estimation and risk evaluation.

The objective of the risk assessment process is to draw up a risk matrix, taking into account both factors, viz. inherent business risks and control risks. The risk matrix appropriately places all the auditable branches or offices into one of three categories of risk profile: high, medium or low.

The risk assessment process includes the following:

a)    Determination of the vulnerability of each activity undertaken by the BU.

b)    Identification of inherent business risks in various activities undertaken by the BU.

c)    Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities ('Control risk').

d)    Drawing up a risk matrix taking into account both factors, viz. inherent business risks and control risks.

Once the risk matrix is prepared, a risk-based audit plan based on the risk profile of the BUs is prepared. This involves decisions on the frequency, timing and scope of the internal audit of each auditable BU. These decisions are based on the internal audit priorities, keeping in view the objective of the internal audit function as a risk management tool. The risk-based internal audit plan prepared by the internal audit function of the Bank is duly approved by the Chairman/Audit Committee of the Board of Directors of the Bank.

Objective of RBIA:

The objective of RBIA is to provide independent assurance to the Bank’s Board that:

  • The risk management processes which management has put in place within the Bank (covering all risk management processes at branches and other offices etc.) are operating as intended.
  • These risk management processes are of sound design.
  • The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the Board.
  • A sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat.

Thus the aims of RBIA are:

a)    An aid to necessary checks and balances in the system.

b)    Timely identification of potential risk concerns.

c)    Tool for effective risk management.

d)    Facilitate improvement in quality and content of procedures and MIS.

Scope of RBIA

The primary focus of risk-based internal audit will be to provide reasonable assurance to the Board and top management about the adequacy and effectiveness of the risk management and control framework in the Bank's operations. While examining the effectiveness of the control framework, the risk-based internal audit should report on proper recording and reporting of major exceptions and excesses. Transaction testing would continue to remain an essential aspect of risk-based internal audit. The extent of transaction testing will have to be determined based on the risk assessment. Illustratively, the bank should undertake 100 per cent transaction testing if an area falls in cell "Extremely High Risk" of the risk matrix. The Bank may also consider 100 per cent transaction testing if an area falls in cell "Very High Risk" and the risks are showing an increasing trend. The Banks may also consider transaction testing with an element of surprise in respect of low risk areas which would be audited at relatively longer intervals.

The scope of risk-based internal audit should also include a review of the systems in place for ensuring compliance with money laundering controls; identifying potential inherent business risks and control risks, if any; suggesting various corrective measures; and undertaking follow-up reviews to monitor the action taken thereon.

Advantages of Risk-based Internal Audit

The advantages of risk-based approach of the internal audit function in Banks are as follows:

  • It appropriately defines the audit universe and identifies the auditable branches within the Bank for which these analyses would be carried out.
  • It assists the management in identification of appropriate risk factors to reflect the management's concerns.
  • It results in development of an appropriate format for evaluating risk factors so that the more important risk factors play a more prominent role in the risk assessment process than less important risk factors.
  • It develops a combination rule for each branch, which will properly reflect its riskiness over several risk factors that have been identified and a method of setting up audit priorities for the branches.
  • It results in an appropriate audit coverage plan, which provides a roadmap for the management of internal audit staff skills so that they are available to carry out audits of appropriate scope when they are needed the most.
  • This risk-based internal audit results in a process-oriented audit with a risk management perspective, which gives advice to management on the steps to be taken for effective risk management on a bank-wide basis.

RBIA Implementation

The risk assessment tool / format consists of five broad categories, as detailed below:

a)      Credit Risk

b)      Operational Risk

c)      Earning Risk

d)      Deposit Risk

e)      Branch Management Risk

Each of these categories is further divided into sub-categories in which various risk parameters are described, and each branch's score in all these categories is worked out to indicate the level of risk (very low, low, medium, high, very high). The risk scores assigned by the auditor are then reviewed to arrive at the final risk scores and composed matrix of the BUs. The risk assessment of branches on the basis of business and control risk scores may be categorized as under:

Risk Score      Level of Risk
00 < 01         Very Low Risk
01 < 02         Low Risk
02 < 03         Medium Risk
03 < 04         High Risk
04 < 05         Very High Risk

On receipt of these reports at concerned quarters, the follow up action shall be initiated for rectification of irregularities covered in the report and in addition analysis of the risk factors / scores assigned to various segments of branches is done for taking corrective action.

 (To be continued …………..)

 
