As financial instruments and markets develop, banks regularly take on numerous risk exposures. With these risks increasing day by day, it has become important for banks to establish effective risk management and internal control systems.
A sound internal audit function plays a vital role in the effective working of the established internal control system. There is also a need to move away from conservative internal audit practices and to implement a more sophisticated and robust system in the banking business.
Banks need to evaluate the risk management systems and control procedures prevailing in various areas of their operations. This will achieve the following results:
- Appropriate transaction testing;
- Suggestions for mitigating current risks;
- Anticipation of areas of potential risk and their countermeasures.
Policy formulation for internal audit of banks
In a risk-based internal audit, the focus is on identifying risks, prioritizing audit areas and allocating audit resources according to the risk assessment of various operational areas.
To perform a risk-based internal audit, banks shall develop a proper policy, which is to be approved by the Board. The policy should include the following:
- Risk assessment methodology for identifying the risk areas for audit planning.
- Business-activity-wise audit programme of a gap between two audits.
Independence – The Internal Audit Department should be independent of the internal control process to avoid conflicts of interest.
Reporting – Usually, the internal auditor should report to the Board of Directors/Audit Committee of the Bank.
Risk assessment and audit plan
This is almost the first activity to be performed at field level. The risk assessment should cover risks at all levels (corporate and branch; the portfolio and individual transactions, etc.). The internal auditor should formulate a risk assessment methodology according to the size and complexity of the bank’s business.
The risk assessment process should, inter alia, include the following:
- Identification of inherent business risks in various activities undertaken by the bank.
- Evaluating the effectiveness of the control systems for monitoring inherent risks of the business activities.
- Drawing up a risk matrix that takes into account both factors, viz. inherent business risks and control risks.
The risk assessment methodology should include the following parameters:
- Previous internal audit reports and compliance
- Proposed changes in the line of business
- A significant change in management/key personnel
- Results of the latest regulatory examination report
- Reports of external auditors
- Industry trends and other environmental factors
- Time elapsed since the last audit
- The volume of business and complexity of activities
- Substantial performance variations from the budget
The internal audit function should be informed about all developments, such as the introduction of new products, changes in the hierarchy, changes in accounting practices/policies, etc. The risk assessment should be performed on a yearly basis.
The audit plan should include details of the schedule of, and reason for, the audit work planned. It should also include all risk areas and their prioritization based on the level of risk.
For example, activities that are very high risk may be audited at shorter intervals than medium- or low-risk areas.
Scope of Internal audit
The primary objective of internal audit should be to provide reasonable assurance to the Board about the adequacy and effectiveness of risk management and internal control in the bank’s operations.
Transaction testing is considered an essential aspect of the risk-based internal audit. The extent of transaction testing will have to be determined on the basis of risk assessment. For low-risk areas, surprise transaction testing can be performed at longer intervals.
The banks can prepare a Risk Audit Matrix as follows:
Risk Audit Matrix
The Audit Plan should prioritize audit work to give greater attention to the areas of:
- High magnitude and high frequency
- High magnitude and medium frequency
- Medium magnitude and high frequency
- High magnitude and low frequency
- Medium magnitude and medium frequency
The exact scope of internal audit should be described by each bank for the various risk areas, such as low, medium, high and very high. However, at a minimum, it must review/report on:
- Process of identifying and managing risks for different areas
- Control environment of various areas
- Gaps in control procedures which may lead to frauds
- Identification of fraud-prone areas
- Data integrity, reliability and integrity of MIS
- Internal, regulatory and statutory compliance
- Budgetary control and performance reviews
- Transaction testing/verification of assets
The scope should also include a review of the internal control procedures for identifying potential inherent business risks and control risks. It should also suggest various corrective measures that can be implemented to mitigate those risks.
Communication of findings of an internal audit
The communication between the internal audit team and management should encourage reporting of negative and sensitive findings. All major deficiencies should be reported to the appropriate level of management as soon as they are identified.
Significant issues that pose a threat to the bank’s business should be immediately brought to the notice of the Board of Directors or Audit Committee.
Hiring Internal auditors from outside
It is the responsibility of the Board to ensure that internal audit practices function effectively even when they are outsourced. The following aspects should be kept in view to prevent any breakdown in internal controls on account of outsourcing:
A. The bank should perform due diligence to ensure that the outsourced auditor has the necessary expertise to undertake the audit. The contract should at least specify the following:
- Scope and frequency of work to be performed
- Manner and frequency of reporting to the bank
- Manner of determining the cost of damages arising from errors, omissions, and negligence on the part of the auditor
- Locations where the work papers will be stored
- Internal audit reports are the property of the bank, and all work papers are to be provided to the bank when required
- Employees authorized by the bank are to have reasonable and timely access to the work papers
- Supervisors are to be granted immediate and full access to related work papers
B. All work performed by the auditor should be reported to the top management through the internal audit department.
C. The bank should have a contingency plan to mitigate any discontinuity in the audit due to operational or other failures of the auditor.
The information systems audit (IS Audit) should also be carried out using the risk-based approach. It is considered under the broad definition of a risk-based internal audit.