Date: 29th August 2008
Compiled by Mr. M. Sathya Kumar

Risk-based internal audit in banks

Preamble: The evolution of financial instruments and markets has enabled banks to take various exposures. Consequently, banks in India are now exposed to various kinds of risks. Integration of the Indian banking industry with the global banking industry has also exposed Indian banks to some of the global risks. Further, banks in India have matured enough to undertake varied risk exposures due to the evolution of financial instruments such as Cross-Currency Swaps, Currency Options, Caps, Collars and Credit Derivative Swaps. In this context, it is important that banks have effective risk management and internal control systems in place to enable them to conduct their business.

The discussion paper on ‘Move towards risk-based supervision of banks’ of August 2001 clearly identifies five significant areas for action on the part of banks, including putting in place a risk-based internal audit system. Besides this discussion paper, the Reserve Bank of India (RBI) mandated all banks to put in place a risk-based internal audit system by December 2002. Under the Risk-Based Supervision (RBS) approach, the supervisory process would largely depend upon the work carried out by the internal auditors of the bank. A sound and effective internal audit function plays an important role in contributing to the effectiveness of the internal control system.

Historically, the internal audit system in banks has concentrated on transaction testing, testing of accuracy and reliability of accounting records and financial reports, integrity, adherence to regulatory requirements, etc. It thus completely ignored the inherent risk faced by the function/activity/department. Internal audits were undertaken without regard to the risk that the activity posed to the bank. As a result, time, energy and efforts were directed towards ‘internal audit of activity’ rather than ‘internal audit of high-risk areas’.

A need was felt for widening as well as redirecting the scope of internal audit to evaluate the adequacy and effectiveness of risk management procedures and internal control systems in banks. As a result, RBI, through its circular dated 27 December 2002, completely changed the role of internal audit in banks by introducing ‘Risk-Based Internal Audit’.

Risk-based internal audit: As per RBI, risk-based internal audit undertakes an independent risk assessment solely for the purpose of formulating a risk-based audit plan, keeping in view the inherent business risks of an activity/location and the effectiveness of the control systems for monitoring the inherent risks of the business activity. It needs to be emphasised that while formulating the audit plan, every activity/location of the bank, including the risk management function, should be subjected to risk assessment by the risk-based internal audit. Under risk-based internal audit, the focus will shift from the earlier system of transaction-based testing to risk identification, prioritisation of audit areas and allocation of audit resources in accordance with the risk assessment of the bank. In other words, internal audit of any activity/location/area will be undertaken after a thorough risk assessment of that activity/location/area. To achieve these objectives, banks were required to move towards risk-based internal audit, which includes an evaluation of the risk management system and control procedures in various areas of the bank’s operations.

Risk assessment: The key to risk-based internal audit is the proper risk assessment of each location/area/activity of the bank. The internal audit department should undertake risk assessment solely for the purpose of formulating the risk-based audit plan, irrespective of whether other departments, including the risk management department, are undertaking risk assessment.
The risk assessment would, as an independent activity, cover risks at various levels (corporate office, by branches, by products, by portfolio, by individual transactions, etc.) as also the processes in place to identify, measure, monitor and control the risks.

Risk assessment process: The risk assessment process should include the following 3 steps:
The risk assessment process should not only highlight the ‘High, Medium & Low’ risk of any activity/area/location, but should also reflect the trend of risk, i.e., ‘Increasing, Stable & Decreasing’ risk.

Business risks and control risks: RBI in its Circular has categorically given the various types of business and control risks, which are given below.

Business risks:

Control risks:
Though the business risks and control risks have to be specified for each location/area/activity, some of the business and control risks, such as capital risk, business strategy and environment risk, group risk, and organisation and management risk, can be evaluated only at the entity level, and hence may not be applicable for carrying out risk assessment of each location/area of a bank.

Risk assessment methodology: Having understood the various types of business and control risks, a comprehensive risk assessment of each location/area/activity of a bank should be undertaken. RBI in its Circular dated 27 December 2002 has categorically stated that the risk assessment methodology should cover the following parameters:
The above parameters are only indicative in nature; one can take various criteria for conducting risk assessment of each location/area/activity of a bank, depending upon the environment/market under which the activity is carried out. The parameters should be properly spelt out to indicate high, medium and low risk of each activity. For example, in the case of volume of business, one can take a view that more than 35% of business undertaken by a location, as compared to the entire business undertaken by all the locations put together for that particular type of business, is ‘high risk’, whereas less than 10% can be construed as ‘low risk’ and the residual is ‘medium risk’.

Pre-requisites of risk assessment: In order to have accurate risk assessment, it is absolutely essential to have a proper MIS, and the data used should be reliable. Further, the Internal Audit Department should be well informed about new products/processes/policies/new locations/any merger/demerger of locations, changes in the reporting lines, key staff turnover, etc.

Risk matrix as prescribed by RBI: Inherent business risks indicate the intrinsic risk in a particular area/activity of the bank and could be grouped into low, medium and high categories depending on the severity of risk, whereas control risks arise out of inadequate control systems, deficiencies/gaps and/or likely failures in the existing control processes. Control risks could also be classified into low, medium and high categories. Depending upon the combination of business and control risk, each activity/location/area has to be further classified into low risk, medium risk, high risk, very high risk and extremely high risk. The overall risk assessment as reflected in each cell of the risk matrix is explained below:

A — High risk: Although the control risk is low, this is a high risk area due to high inherent business risks.
B — Very high risk: The high inherent business risk coupled with medium control risk makes this a very high risk area.
C — Extremely high risk: Both the inherent business risk and control risk are high, which makes this an extremely high risk area. This area would require immediate audit attention, maximum allocation of audit resources, besides ongoing monitoring by the bank’s top management.
D — Medium risk: Although the control risk is low, this is a medium risk area due to medium inherent business risks.
E — High risk: Although the inherent business risk is medium, this is a high risk area because of control risk also being medium.
F — Very high risk: Although the inherent business risk is medium, this is a very high risk area due to high control risk.
G — Low risk: Both the inherent business risk and control risk are low.
H — Medium risk: The inherent business risk is low and the control risk is medium.
I — High risk: Although the inherent business risk is low, due to high control risk this becomes a high risk area.

Banks are required to analyse the inherent business risks and control risks with a view to assessing whether these risks are showing a stable, increasing or decreasing trend. Illustratively, if an area falls within cell ‘B’ or ‘F’ of the risk matrix and the risks are showing an increasing trend, these areas would also require immediate audit attention and maximum allocation of audit resources, besides ongoing monitoring by the bank’s top management (as applicable for cell ‘C’). The risk matrix is required to be prepared for each business activity/location.

Internal audit plan: After analysing the business and control risk of each location/area/activity, we get a clear picture of the various types of risks that each activity of a bank is exposed to. The next logical step would be to assign the frequency of internal audit depending upon the type of risk that each activity/location/area is exposed to.
Though RBI has given discretion to each bank to decide about the audit frequency, RBI, in its Circular dated 27 December 2002, has stated that "the bank should undertake 100 per cent transaction testing if an area falls in cell ‘C — Extremely high risk’ of the risk matrix. Bank may also consider 100 per cent transaction testing if an area falls in cell ‘B — Very high risk’ or ‘F — Very high risk’, and the risks are showing an increasing trend. Banks may also consider transaction testing with an element of surprise in respect of low risk areas which would be audited at relatively longer intervals." Except in the case of extremely high risk and very high risk, where RBI has suggested concurrent audit, audit frequency for high risk, medium risk and low risk is left to the discretion of each bank. In the case of new branches, internal audit may be carried out within a reasonable period (within 12 months) of opening of the branch, since detailed risk assessment of a new branch may not be undertaken as is the case with old branches.

As per RBI, the annual risk-based internal audit plan showing detailed risk assessment of each location/area/activity is required to be put up to the First Tier Audit Committee (FTAC) and then to the Audit Committee of the Board (ACB) for their approval.

Scope of internal audit: Though the precise scope of internal audit is left to the discretion of each bank, RBI has suggested that, at the minimum, it must review/report on the following aspects:
Frequency of risk assessment and performance evaluation: The Internal Audit Department should conduct periodical reviews, annually or more frequently, of the risk-based internal audit undertaken by it vis-à-vis the approved audit plan. The performance review should also include an evaluation of the effectiveness of the risk-based internal audit in mitigating identified risks. The Board of Directors/Audit Committee of the Board should also periodically assess the performance of the risk-based internal audit for reliability, accuracy and objectivity. Variations, if any, in the risk profile as revealed by the risk-based internal audit vis-à-vis the risk profile as documented in the audit plan should also be looked into to evaluate the reasonableness of the risk assessment methodology of the Internal Audit Department.

Audit resources: After the approval of the internal audit plan by FTAC and ACB, the Head - Internal Audit (or by any other name called) should prepare an audit resource plan showing the resources, in terms of infrastructure, trained manpower, etc., that are required to complete the annual audit plan within the stipulated period of time.

Conclusion: Risk-based internal audit is expected to be an aid to the ongoing risk management in banks by providing necessary checks and balances in the system. Risk-based internal audit is also significant in view of the proposed introduction of the New Basel Capital Accord, under which capital maintained by a bank will be more closely aligned to the risks undertaken. Risk-based internal audit is extremely useful in understanding the business and control risk of each location/area/activity of the bank, and scarce human resources can be effectively deployed in sensitive areas such as extremely high, very high and high risk, thereby shifting audit of medium and low risk businesses to a longer time span.

Article by Himanshu V. Vasa, Mahesh Keni, Chartered Accountants, who are experts in the field of Risk Based Internal Audit.