Need for Risk Based Internal Audit
There is a steady increase in the trend of frauds across all sectors. To handle this, the need to manage risk has become an essential part of good corporate governance practice. Organisations are under increasing pressure to identify all the business risks they face and to mitigate their impact. Regulators have also become more vigilant, and they recommend a strong internal control system.
All this has resulted in the need for strong and robust internal control and RBIAs
What is Risk Based Internal Audit?
A risk based internal audit is basically a framework that associates the internal audit to the overall organizational risk framework. Risk-based Internal Auditing (RBIA) allows internal auditor to provide assurance to the stakeholders that the internal control processes are managing risks effectively in relation to its risk appetite.
RBIA is different from other types of audits because it is based on business goals and the risks associated with those goals. Internal auditors not only manage the internal control activities, but they also help an organization develop its risk management processes by understanding the risk landscape in which they operate.
Institute of Internal Audit defines RBIA as “A methodology that links internal auditing to an organization’s overall risk framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.”
In a nutshell, risk-based internal audit puts the risk universe at the center of the auditing strategy to address management’s highest priority risks. Through the audit lifecycle, the risks are addressed accordingly and then reported to provide insights to the senior management team so that they can make well-informed decisions on the next steps.
Development – Traditional Internal Audit to Risk Based Internal Audit
- Unlike traditional internal auditing, where audit plans are carried out within a strict time frame and may not necessarily cover the most important risks, risk-based internal audit is driven by the most recent risk assessments, with the top threats being covered first and far more frequently.
- From a control perspective, the focus shifts from deficiencies in allinternal controls and cases of non-compliance with an organization’s policies and procedures, to the way in which risks specifically are being controlled.
Implementing RBIA
Every organisation is different, with a different risk appetite, different structure, different processes and different controls. If the risk management framework is not very strong or does not exist, the organisation will need to concentrate on creating a fundamental risk management framework.
There are essentially three stages in implementing RBIA
- Assessing Risk Maturity – Obtaining an overview of the extent to which the board and management determine, assess, manage and monitor risks. This provides an indication of the reliability of the risk register for audit planning purposes.
- Periodic Audit Planning – Identifying the assurance and consulting assignments for a specific period, usually annual, by identifying and prioritizing all those areas on which the board requires objective assurance, including the risk management processes, the management of key risks, and the recording and reporting of risks.
- Individual Audit assignments – Carrying out individual risk-based assignments to provide assurance on part of the risk management framework, including on the mitigation of individual or groups of risks.
Benefits of RBIA
With the dynamic business environment and new ongoing challenges, both the internal auditor and the organizations need to look into new areas to identify the risk at an early stage and fix the same, rather the doing a post event analysis for the same. Once such thing where organizations can adapt at the early is the Risk Based Internal Audit and the benefits of the same are stated below:
Focused Approach to Achieve Goals
Prioritization of Risk
Determining Risk Appetite
Effective Risk Mitigation
Regulations on Risk Based Internal Audit-Illustrative
1.For Banks – RBI mandated Risk Based Internal Audit (RBIA) for Scheduled Commercial Banks (except regional rural banks) through notification CO.PP.BC.10/11.01.005/2002-03
Dated 27th December 2002 and has issued a detailed guidance note for the same. Another notification was issued on January 07, 2021 to add additional best practices to be followed by the bank’s internal audit team such as Authority, Stature, Independence of the IA Function, Competence, Staff Rotation, Tenor for appointment for head of Internal Audit, Reporting Line, Remuneration and Outsourcing.
2. For other entities (Urban Cooperative Banks, Select Non-Banking Financial Companies and Housing Finance Companies) – RBI mandated Risk Based Internal Audit (RBIA) through circular dated 03 February, 2021 for select NBFC & UCB and extended the provisions of the circular to select HFCs through circular dated June 11, 2021. The provisions are applicable for
- All deposit taking NBFCs and HFCs
- All non-deposit taking NBFCs and HFCs with asset size of INR 5,000 crore and above
- All Primary UCBs with asset size of INR 500 crore and above
Select NBFCs and UCBs should implement the RBIA framework by 31 March, 2022 in accordance with the guidelines on Risk-Based Internal Audit issued by RBI. Timeline provided for Select HFCs is 30 June, 2022. NBFCs, HFCs and UCBs may constitute a committee of senior executives with the responsibility of formulating a suitable action plan. This committee needs to report progress periodically to the Board and senior management and Implementation of guidelines as per timeline specified should be done under the oversight of the Board.
3. Responsibilities of Board/Audit Committee (ACB) and Senior Management as laid out in above circulars:
Board/Audit Committee (ACB)
- RBIA policy shall be formulated with the approval of the Board. The Policy shall document the purpose, authority, and responsibility of the internal audit activity, with a clear demarcation of the role and expectations from Risk Management Function and Risk Based Internal Audit Function
- ACB/Board shall approve a RBIA plan to determine the priorities of the internal audit function based on the level and direction of risk, as consistent with the entity’s goals. Every activity / location, including the risk management and compliance functions to be covered
- The ACB/Board is expected to review the performance of RBIA
Senior Management
- Senior management is responsible for ensuring adherence to the internal audit policy guidelines as approved by the Board
- Appropriate action is taken on the internal audit findings within given timelines and status on closure of audit reports is placed before the ACB/Board
- RBIA Function is adequately staffed with skilled personnel of right aptitude and attitude
4. Risk Assessment to be performed as part of Internal Audit
Risk assessment in the internal audit department should be used for focusing on the material risk areas and prioritizing the audit work. The Basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out. Risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of overall governance and controls in various business activities
The Internal Audit functions can also prepare a Risk Audit Matrix based on the magnitude and frequency of risk. The Audit Plan should prioritize audit work based on magnitude and frequency. The Internal audit function should be kept informed of all developments such as introduction of new products, changes in reporting lines, changes in accounting practices / policies, etc. All the pending high, medium risk and persisting irregularities should be reported to the ACB/Board.
The risk assessment methodology should include parameters such as
- Previous internal audit reports and compliance
- Proposed changes in business lines or change in focus
- Significant change in management / key personnel
- Results of regulatory examination report
- Reports of external auditors
- Industry trends and other environmental factors
- Time elapsed since last audit
- Volume of business and complexity of activities
- Substantial performance variations from the budget
- Business strategy of the entity vis-à-vis the risk appetite and adequacy of control
Key drivers to optimize internal audit function
- Building robust internal controls environment – Evaluation of Internal control culture, system and activities, recognition of risk, controls and assessment, adequacy of segregation of duties, monitoring activities and correcting deficiencies
- Off-site audit and orientation – Auditing in a more efficient and productive process by eliminating the inefficiencies and reducing the time spent on onsite audit by performing major audit steps offsite
- Improving audit efficiency by centralizing operations – Enhances independence, provides uniform direction and resource coordination, as well as increased visibility and transparency. Better allocate audit resources to enterprise-wide goals and minimizes audit duplication and overlap through coordinated coverage of risk areas by internal audit
- Audit analytics and transaction monitoring – Use of audit data analytics methods for transaction monitoring, audit planning and sample selection to identify and assess risk by analyzing data to identify exceptions, revenue leakage, fraud indicators, patterns, correlations, and fluctuations from models
- Reduction in branch audit timeline – Focusing on key risk areas, effective risk management, time management and developing an effective team to reduce time spent on branch audits
Strategic road map to move towards RBIA system
- Short Term
- Policy formulation
- RBIA policy formulation detailing the purpose, authority, and responsibility of the internal audit activity,
- Demarcation of the role and expectations from Risk Management Function and Risk Based Internal Audit Function
- Risk Assessment Methodology
- Incorporate qualitative risk analysis and product risk assessment methods and tools for classifying the risk rating covering business risk and control risk
- Medium Term
- Audit Analytics – Use of audit data analytics methods in audit planning and sample selection to identify and assess risk by analyzing data to identify patterns and building a dedicated data analytics team to do transaction monitoring and analyzing of trends
- Risk Sensing – Detect and track nascent risk events and anomalous data in order to monitor changes, trends and patterns and to distill the results into actionable information
- Long Term
- Explore opportunities to automate testing controls from manual environment using Robotics Process Automation
- Use of Robotics Process Automation (RPA) to manage administrative and core activities involved in the review of operational and Internal financial control reporting
- Assurance/monitoring performance of operational and Control activities where RPA is deployed
Article By
Siddharth Sundararajan
CIA,
Disclaimer – “Exclusive Content from this article should not replicated without the permission of IIA Madras Chapter and the author. The author assumes no responsibility or liability for any errors or omissions in the content of this site. The information contained in this site is provided on an “as is” basis with no guarantees of completeness, accuracy, usefulness or timeliness. Contents from regulations are taken from multiple circulars/guidelines/notifications issued by Reserve Bank of India.
