![]() Personal Website of R.Kannan |
Home | Table of Contents | Feedback |
|
The annual audit plan, approved by the Board, should include the schedule and the rationale for audit work planned. It should also include all risk areas and their prioritisation based on the level and direction of risk. Illustratively, the areas or activities identified as high, very high or extremely high risk (based on risk matrix) may be audited at shorter intervals as compared to medium or low risk areas, which may be audited at longer intervals subject to regulatory guidelines, as applicable. Scope The primary focus of risk-based internal audit will be to provide reasonable assurance to the Board and top management about the adequacy and effectiveness of the risk management and control framework in the banks' operations. While examining the effectiveness of control framework, the risk-based internal audit should report on proper recording and reporting of major exceptions and excesses. Transaction testing would continue to remain an essential aspect of risk-based internal audit. The extent of transaction testing will have to be determined based on the risk assessment. Illustratively, the bank should undertake 100 per cent transaction testing if an area falls in cell "C- Extremely High Risk" of the risk matrix. The bank may also consider 100 per cent transaction testing if an area falls in cell "B- Very High Risk" or "F- Very High Risk", and the risks are showing an increasing trend. The banks may also consider transaction-testing with an element of surprise in respect of low risk areas which would be audited at relatively longer intervals. The banks may prepare a Risk Audit Matrix as shown below: Risk Audit Matrix The Audit Plan should prioritize audit work to give greater attention to the areas of:
The precise scope of risk-based internal audit must be determined by each bank for low, medium, high, very high and extremely high risk areas. However, at the minimum, it must review/report on:-
The scope of risk-based internal audit should also include a review of the systems in place for ensuring compliance with money laundering controls; identifying potential inherent business risks and control risks, if any; suggesting various corrective measures and undertaking follow up reviews to monitor the action taken thereon. The communication channels between the risk-based internal audit staff and management should encourage reporting of negative and sensitive findings. All serious deficiencies should be reported to the appropriate level of management as soon as they are identified. Significant issues posing a threat to the bank's business should be promptly brought to the notice of the Board of Directors, Audit Committee or top management, as appropriate. The Internal Audit Department should conduct periodical reviews, annually or more frequently, of the risk-based internal audit undertaken by it vis-�-vis the approved audit plan. The performance review should also include an evaluation of the effectiveness of risk-based internal audit in mitigating identified risks. The Board of Directors/Audit Committee of Board should periodically assess the performance of the risk-based internal audit for reliability, accuracy and objectivity. Variations, if any, in the risk profile as revealed by the risk-based internal audit vis-�-vis the risk profile as documented in the audit plan should also be looked into to evaluate the reasonableness of risk assessment methodology of the Internal Audit Department. The Internal Audit Department should be provided with appropriate resources and staff to achieve its objectives under the risk-based internal audit system. The staff possessing the requisite skills should be assigned the job of undertaking risk-based internal audit. They should also be trained periodically to enable them to understand the bank's business activities, operating procedures, risk management and control systems, MIS, etc. The Board of Directors and top management are responsible for ensuring that the risk-based internal audit continues to function effectively even though it is outsourced. The following aspects may, inter-alia, be kept in view to prevent any risk of breakdown in internal controls on account of outsourcing arrangements:- Before entering into an outsourcing arrangement for risk-based internal audit, the bank should perform due diligence to satisfy itself that the outsourcing vendor has the necessary expertise to undertake the contracted work. The contract, in writing, should at the minimum, specify the following:
Risk-based internal audit is expected to be an aid to the ongoing risk management in banks by providing necessary checks and balances in the system. However, since risk-based internal audit will be a fairly new exercise for most of the Indian banks, a gradual but effective approach would be necessary for its implementation. Initially the risk-based internal audit may be used as a management/audit tool in addition to the existing internal audit/inspection. Once the risk-based internal audit stabilizes and the staff attains proficiency, it should replace the existing internal audit/inspection. The information systems audit (IS Audit) should also be carried out using the risk-based approach. Banks should form a Task Force of senior executives and entrust them with the responsibility to chalk out an action plan for switching over to risk-based internal audit, identifying and addressing transitional and change management issues, implementing the plan and monitoring the progress during the transitional period and report to the Board of Directors, periodically. 1In case of foreign banks the reporting could be to the CEO for Indian operations. |
|