Fraud is steadily increasing across all sectors. To handle this, managing risk has become an essential part of good corporate governance practice. Organisations are under increasing pressure to identify all the business risks they face and to mitigate their impact. Regulators have also become more vigilant, and they recommend a strong internal control system.
All this has resulted in the need for strong and robust internal controls and risk-based internal audits (RBIAs).
A risk-based internal audit is a framework that links the internal audit to the overall organizational risk framework. Risk-based Internal Auditing (RBIA) allows the internal auditor to provide assurance to the stakeholders that the internal control processes are managing risks effectively in relation to the organization's risk appetite.
RBIA is different from other types of audits because it is based on business goals and the risks associated with those goals. Internal auditors not only manage the internal control activities, but they also help an organization develop its risk management processes by understanding the risk landscape in which they operate.
Institute of Internal Audit defines RBIA as “A methodology that links internal auditing to an organization’s overall risk framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.”
In a nutshell, risk-based internal audit puts the risk universe at the center of the auditing strategy to address management’s highest priority risks. Through the audit lifecycle, the risks are addressed accordingly and then reported to provide insights to the senior management team so that they can make well-informed decisions on the next steps.
Every organisation is different, with a different risk appetite, different structure, different processes and different controls. If the risk management framework is not very strong or does not exist, the organisation will need to concentrate on creating a fundamental risk management framework.
There are essentially three stages in implementing RBIA
With a dynamic business environment and new ongoing challenges, both internal auditors and organizations need to look into new areas to identify risk at an early stage and fix it, rather than doing a post-event analysis. One such approach that organizations can adopt early is the Risk Based Internal Audit, and its benefits are stated below:
1. For Banks – RBI mandated Risk Based Internal Audit (RBIA) for Scheduled Commercial Banks (except regional rural banks) through notification CO.PP.BC.10/11.01.005/2002-03 dated 27th December 2002 and has issued a detailed guidance note for the same. Another notification was issued on January 07, 2021 to add additional best practices to be followed by the bank’s internal audit team such as Authority, Stature, Independence of the IA Function, Competence, Staff Rotation, Tenor for appointment for head of Internal Audit, Reporting Line, Remuneration and Outsourcing.
2. For other entities (Urban Cooperative Banks, Select Non-Banking Financial Companies and Housing Finance Companies) – RBI mandated Risk Based Internal Audit (RBIA) through circular dated 03 February, 2021 for select NBFC & UCB and extended the provisions of the circular to select HFCs through circular dated June 11, 2021. The provisions are applicable for
Select NBFCs and UCBs should implement the RBIA framework by 31 March, 2022 in accordance with the guidelines on Risk-Based Internal Audit issued by RBI. The timeline provided for Select HFCs is 30 June, 2022. NBFCs, HFCs and UCBs may constitute a committee of senior executives with the responsibility of formulating a suitable action plan. This committee needs to report progress periodically to the Board and senior management, and implementation of the guidelines as per the specified timeline should be done under the oversight of the Board.
3. Responsibilities of Board/Audit Committee (ACB) and Senior Management as laid out in above circulars:
Board/Audit Committee (ACB)
Senior Management
4. Risk Assessment to be performed as part of Internal Audit
Risk assessment in the internal audit department should be used for focusing on the material risk areas and prioritizing the audit work. The basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out. Risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of overall governance and controls in various business activities.
The Internal Audit function can also prepare a Risk Audit Matrix based on the magnitude and frequency of risk. The Audit Plan should prioritize audit work based on magnitude and frequency. The Internal Audit function should be kept informed of all developments such as the introduction of new products, changes in reporting lines, changes in accounting practices / policies, etc. All the pending high and medium risk and persisting irregularities should be reported to the ACB/Board.
The risk assessment methodology should include parameters such as
Article By
Siddharth Sundararajan
CIA,
Disclaimer – “Exclusive content from this article should not be replicated without the permission of IIA Madras Chapter and the author. The author assumes no responsibility or liability for any errors or omissions in the content of this site. The information contained in this site is provided on an “as is” basis with no guarantees of completeness, accuracy, usefulness or timeliness. Contents from regulations are taken from multiple circulars/guidelines/notifications issued by Reserve Bank of India.”
The Institute of Internal Auditors-India (IIA-India) is affiliated to The Institute of Internal Auditors.