Risk-Based Internal Audit
(Notification No. RBI/2020-21/88, Ref. No. DoS.CO.PPG./SEC.05/11.01.005/2020-21 dated February 03, 2021)
The Risk-Based Internal Audit System was earlier mandated for all Scheduled Commercial Banks (except Regional Rural Banks); now Non-Banking Financial Companies (NBFCs) have to implement the framework w.e.f. 31/03/3021.
Applicability of the Risk-Based Internal Audit System (RBIA)
• All deposit taking NBFCs, irrespective of their size
• All Non-deposit taking NBFCs (including Core Investment Companies) with asset size of ₹5,000 crore and above.
Requirements of framework:
1. NBFCs have to constitute a committee for an action plan for implementation of the framework.
2. NBFCs have to report progress periodically to the Board and Management.
Need for framework:
NBFCs have grown in size and become systemically important; because of the differing audit systems in such entities, there were chances of inconsistencies, risks and gaps in process.
Objectives and Scope
1. An effective Risk-Based Internal Audit (RBIA) is an audit methodology that links
an organization's overall risk management framework and provides an assurance to
the Board of Directors and the Senior Management on the quality and effectiveness
of the organization's internal controls, risk management and governance related
systems and processes.
2. While the Risk Management Function should focus on identification,
measurement, monitoring, and management of risks, development of risk policies
and procedures, use of risk management models, etc., RBIA should undertake an
independent risk assessment for the purpose of formulating a risk-based audit plan
which considers the inherent business risks emanating from an activity / location
and the effectiveness of the control systems for monitoring such inherent risks.
Board of Directors / Audit Committee
• The Board of Directors (the Board) / Audit Committee of Board (ACB) of NBFCs and the
Board of UCBs are primarily responsible for overseeing the internal audit function in the
organization.
• The quality assurance program may include assessment of the internal audit function at least
once in a year for adherence to the internal audit policy, objectives and expected outcomes.
Further, ACB/Board shall promote the use of new audit tools/ new technologies for
reducing the extent of manual monitoring / transaction testing / compliance monitoring, etc.
Senior Management
• The senior management is responsible for ensuring adherence to the
internal audit policy guidelines as approved by the Board and
development of an effective internal control function that identifies,
measures, monitors and reports all risks faced. It shall ensure that
appropriate action is taken on the internal audit findings within given
timelines and status on closure of audit reports is placed before the
ACB/Board.
• A consolidated position of major risks faced by the organization shall
be presented at least annually to the ACB/Board, based on inputs
from all forms of audit.
Internal Audit Function
The internal audit function should assess and make appropriate recommendations to improve the governance
processes on business decision making, risk management and control; promote appropriate ethics and values
within the organization; and ensure effective performance management and staff accountability, etc.
The following key attributes need to be observed for the internal audit function:
1. Authority, Stature, Independence and Resources.
2. Competence.
3. Rotation of Staff.
4. Tenor for appointment of Head of Internal Audit.
5. Reporting Line.
6. Remuneration.
7. Responsibilities and Other General Expectations.
1) Authority, Stature, Independence and Resources:
The internal audit function must have sufficient authority, stature, independence and
resources thereby enabling internal auditors to carry out their assignments properly.
The Head should have independent judgement. The Head should have the authority to
communicate with any staff member and get access to all records that are necessary to
carry out the audit.
2) Competence
Every team member should have the requisite professional competence, knowledge, experience and skill to conduct the audit.
Team members should have experience of banking/financial entity operations, accounting, information technology, data analytics, forensic investigation, etc.
3) Rotation of Staff:
Except for the entities where the internal audit function is a specialised function and
managed by career internal auditors, the Board should prescribe a minimum period of
service for staff in the internal audit function.
The Board may also examine the feasibility of prescribing at least one stint of service in
the internal audit function for those staff possessing specialized knowledge useful for the
audit function, but who are posted in other areas, so as to have adequate skills for the staff
in the internal audit function.
4) Tenor for appointment of Head of Internal Audit:
Except for the entities where the internal audit function is a specialised function and
managed by career internal auditors, the HIA shall be appointed for a reasonably long
period, preferably for a minimum of three years.
5) Reporting Line:
The Head of Audit shall directly report to either the ACB/Board/ MD & CEO or to the
Whole Time Director (WTD). The ACB/Board shall meet the HIA at least once in a
quarter, without the presence of the senior management (including the MD &
CEO/WTD).
The HIA shall not have any reporting relationship with the business verticals of these
SEs and shall not be given any business targets.
6) Remuneration:
The remuneration of internal audit staff should not be linked to the financial performance of the business lines.
The remuneration policies should be structured in a way to avoid creating conflict of
interest and compromising audit’s independence and objectivity.
7) Responsibilities and Other General Expectations
a) The risk assessment would cover risks at various levels/areas (corporate and branch, the portfolio and individual transactions, etc.) as well as the associated processes. The risk assessment in the internal audit department should be used for focusing on the material risk areas.
b) The risk assessment may make use of both quantitative and qualitative approaches. The quantitative assessment will cover the quantum of credit, market and operational risk, while the qualitative assessment includes assessing the quality of overall governance and controls in various business activities.
c) The risk assessment methodology should include the following parameters:
(a) Previous internal audit reports and compliance;
(b) Proposed changes in business lines or change in focus;
(c) Significant change in management / key personnel;
(d) Results of regulatory examination report;
(e) Reports of external auditors;
(f) Industry trends and other environmental factors;
(g) Time elapsed since last audit;
(h) Volume of business and complexity of activities;
(i) Substantial performance variations from the budget; and
(j) Business strategy of the entity vis-à-vis the risk appetite and adequacy of control.
d) For the risk assessment to be accurate, it will be necessary to have proper MIS and data
integrity arrangements. The internal audit function should be kept informed of all
developments such as introduction of new products, changes in reporting lines, changes
in accounting practices / policies, etc. The risk assessment should invariably be
undertaken on a yearly basis. The assessment should also be periodically updated to take
into account changes in business environment, activities and work processes, etc.
e) Before taking up specific internal audit assignment, the plan, scope, objectives,
timelines and resource allocations of the assignment should be clearly established. The
scope and objectives of the assignment should be based on a preliminary assessment of
the risks relevant to the business activity under review.
f) Risk-matrix of inherent business risks and control risks
• There should be an independent risk assessment for the purpose of formulating a risk-based audit plan, which should consider the inherent business risks emanating from an activity.
• The basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of risk should be considered.
Format of a risk-matrix of inherent business risks and control risks:
• High magnitude and high frequency
• High magnitude and medium frequency
• High magnitude and low frequency
• Medium magnitude and high frequency
• Medium magnitude and medium frequency
• Low magnitude and high frequency
g) The scope of the audit and resource allocation should be sufficient to achieve the
objectives of the audit assignment. The precise scope of RBIA must be determined by each
SE for low, medium, high, very high and extremely high risk areas. The scope of internal
audit should also include system and process audits in respect of all critical processes. The
findings of such audits should also be placed before the IT Committee of the Board.
i) The internal audit report should be based on appropriate analysis and evaluation. It
should bring out adequate, reliable, relevant and useful information to support the
observations and conclusions. It should cover the objectives, scope, and results of the audit
assignment and make appropriate recommendations and / or action plans.
j) All the pending high and medium risk paras and persisting irregularities should be
reported to the ACB/Board in order to highlight key areas in which risk mitigation has not
been undertaken despite risk identification.
k) The internal audit function should have a system to monitor compliance to the
observations made by internal audit. Status of compliance should be an integral part of
reporting to the ACB/Board.
l) The internal audit function shall not be outsourced. However, where required, experts
including former employees can be hired on a contractual basis subject to the ACB/Board
being assured that such expertise does not exist within the audit function of the SE.
Any conflict of interest in such matters shall be recognised and effectively addressed.
Ownership of audit reports in all cases shall rest with regular functionaries of the internal
audit function.