
Risk Based Internal Audit Aneel Gambhir Sr Vice President – Internal Audit Blue Dart Express Ltd.

Date post: 21-Jan-2016
Upload: allen-harrison

Risk Based Internal Audit

Aneel Gambhir

Sr Vice President – Internal Audit

Blue Dart Express Ltd.


Internal Audit

• The aim of an organization is to achieve its objective

• The aim of the Internal Audit is to assist the organization to achieve its objective

• So if the organisation’s objective is to ‘add shareholder value’ then that is the aim of internal auditing

• The Internal Audit should be able to justify its existence just like any other process in the organization

• There is an assumption, hopefully justified, that the objectives of any organisation would include the requirement to obey applicable laws and regulations.

• The achievement of these objectives is hindered by risks. Risks are what internal auditing is all about.


MAOCARO 1998 AND CARO 2003

• MAOCARO- 4A(XV):

In the case of companies having a paid-up capital exceeding Rs.25 lakhs as at the commencement of the financial year concerned, or having an average annual turnover exceeding Rs.2 crore for a period of three consecutive financial years immediately preceding the financial year concerned, whether the company has an internal audit system commensurate with its size and nature of its business.

• CARO 2003 - 4(vii)

In the case of listed companies and/or other companies having a paid-up capital and reserves exceeding Rs.50 lakhs as at the commencement of the financial year concerned, or having an average annual turnover exceeding five crore rupees for a period of three consecutive financial years immediately preceding the financial year concerned, whether the company has an internal audit system commensurate with its size and nature of its business


Corporate Governance- Clause 49

Role of Audit Committee to include:

• Reviewing with the management, external and internal auditors, the adequacy of internal control systems.

• Reviewing the adequacy of internal audit function, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure coverage and frequency of internal audit.

• Reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the board.

• The appointment, removal and terms of remuneration of the Chief internal auditor shall be subject to review by the Audit Committee


Companies Act 2013

• Such class or classes of companies as may be prescribed shall be required to appoint an internal auditor, who shall either be a chartered accountant or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company. (Section 138)

• The Central Government may, by rules, prescribe the manner and the intervals in which the internal audit shall be conducted and reported to the Board.

Rules related to Section 138

• Companies required to appoint internal auditor.-

• (1) The following class of companies shall be required to appoint an internal auditor or a firm of internal auditors, namely:-

(a) every listed company;

(b) every unlisted public company having-

(i) paid up share capital of fifty crore rupees or more during the preceding financial year; or

(ii) turnover of two hundred crore rupees or more during the preceding financial year; or

(iii) outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point of time during the preceding financial year; or


(iv) outstanding deposits of twenty five crore rupees or more at any point of time during the preceding financial year; and

(c) every private company having-

(i) turnover of two hundred crore rupees or more during the preceding financial year; or

(ii) outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point of time during the preceding financial year:

Provided that an existing company covered under any of the above criteria shall comply with the requirements of section 138 and this rule within six months of commencement of such section.


Evolving role of Internal Audit

• Changing stakeholder expectations and a new view of risk management are prompting an important shift in the role of internal audit in many organisations.

• New demands from the board, senior organisational leaders, and regulators are requiring internal audit groups to refocus their efforts beyond regulatory compliance issues

• Internal audit’s existing organisation-wide perspective and mandate, and its access to all areas of the business, personnel and resources, uniquely position it to expand its role.

• Leading organisations increasingly expect internal audit to use its quantitative skills and risk knowledge to support improvements in risk management


What is Risk Based Auditing

• IIA defines Risk Based Internal Auditing (RBIA) as a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite. 


Objectives of RBIA

By following RBIA internal audit should be able to conclude that:

• Management has identified, assessed and responded to risks above and below the risk appetite

• The responses to risks are effective but not excessive in managing inherent risks within the risk appetite

• Where residual risks are not in line with the risk appetite, action is being taken to remedy

• Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively

• Risks, responses and actions are being properly classified and reported. 


Risk Management Framework/ Policy

Risk Management under Companies Act 2013

• Section 134(3)(n) requires a company to provide a statement indicating development and implementation of a Risk Management Policy in the Annual Report.

• As per Section 177 (4) (vii) Audit committee needs to evaluate Company’s internal financial controls and risk management system.

• Define the Risk from Company’s perspective.

• Define the purpose.

• Define the Risk Management Structure.

• Define the Roles and Responsibilities.

• Name the members of Risk Management Committee.

• Provide the process for Risk identification/Risk Assessment.

• Provide the attributes for categorizing the risk (Catastrophic, Major, Moderate, Minor and Insignificant)

• Provide for the process for monitoring and mitigation of key risks.

Action Points

• Formulate a Risk Management Policy.

• Identify the risk applicable to the Company.

• Identify the element of risk which may threaten the existence of the Company.

• Identify the members of Risk Management Committee.

• Identify the Risk Owner for each risk.

• Review the risk on a regular basis.

• Help the Audit Committee and Board on monitoring and mitigation of key risks.

Risk Management under Clause 49 of Listing Agreement (September 15, 2014)

• Role of Audit committee to include:

– Reviewing the company’s financial and risk management policies. (Sr No 9)

• Section 217(2AA) of the Companies Act, 1956 requires that the Board’s report should include a Director’s Responsibility Statement which covers many of the items covered in this clause

– Reviewing the company’s financial and risk management policies.

• Review of information by Audit committee

– Reports relating to compliance with laws and to risk management

For RBIA to be effective, Risk Management to include:

• Directors and managers have identified and assessed the risks threatening their organisation’s objectives and have developed a system of internal control, or other suitable response, to reduce this threat to below the risk appetite, or report to the board where this is not possible.

• The inherent risks are recorded and assessed in some way that permits them to be ranked in order of threat.

• The board have approved a risk appetite for the organisation on such a basis that risks can be easily identified as being above, or below, the risk appetite.

• The responsibility for providing assurance on the risk management framework is defined. This will include defining the responsibilities of management, external audit, internal audit and any other functions that provide assurance, such as HR, Finance, Loss Prevention and Health and Safety departments.


• Directors are expected to understand the risks their organisation is facing

• Managers are expected to identify, assess, monitor and report these risks;

• The Head of Internal Audit is expected to provide assurance that risk management processes are effective.

• Risk based internal auditing provides the means to do this.


Risk Measurement

• Risks are ideally scored before and after taking account of the response which manages the risk.

• Inherent (or gross or absolute) risk scores are measured by assessing the consequence and likelihood of a risk occurring before any internal controls are taken into account.

• Residual (or net or controlled) risk scores are measured by assessing the consequence and likelihood of a risk occurring after any internal controls are taken into account.


Risk Appetite - Probability


Risk Appetite - Impact

5 Catastrophic

> INR _____ million impact on profitability

Loss of key alliances

Sustained, serious loss in market share

Will require direct intervention of the Board or Stakeholders

Significant diminution of share price

4 Major

INR ____ million to INR _____ million impact on profitability

Serious diminution in brand value and market share with adverse publicity

Key alliances threatened

Events and problems will require Board and Managing Director attention

Adverse effect on share price

3 Moderate

INR _____ million to INR _____ million impact on profitability

Market share and/or brand value will be affected in the short term

The event will require MD and Senior Management intervention

2 Minor

INR ____ million to INR _____ million loss in profitability

Consequences can be absorbed under normal operating conditions

There is a potential impact on market share and brand values

Issues will be delegated to middle and senior management for resolution

1 Insignificant

< INR ____ million impact on profitability

No potential impact on market share

No impact on brand value

Issues will be delegated to middle, junior management and staff for resolution

[Risk card template (Risk Card No. 1) with fields: Name of the Risk; Risk description; Root cause; Existing control / Mitigation measures; Mitigation plan]

How do we manage Risk

• Avoid the risks, for example not starting up a business selling innovative products or closing a factory making dangerous chemicals. This may mean giving up significant opportunities. This process is known as ‘termination’.

• Transfer them, the best example being insurance.

• Tolerate them, without planning any contingencies. These are the ‘asteroid hits earth’ type of risk. This does not mean that no-one will address this risk – governments may decide to try and deflect asteroids using nuclear missiles.

• Tolerate them, and plan contingencies. These are the ‘hurricane destroys factory’ type of risk.

• Introduce some processes to reduce the consequence or likelihood of a risk. These processes are usually referred to as ‘controls’ and include everything from having a clear strategy to installing a fire alarm. This method of management is known as ‘treatment’.

[Figure: risk management model. Labels: Risk Assessment; Risk Analysis; Identification; Measurement; Prioritization; Risk Management; Control It; Share or Transfer It; Diversify or Avoid It; Risk Monitoring; Entity Level; Process Level; Activity Level.]

Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors


Implementation of RBIA

• Assessing Risk Maturity

• Periodic Audit Planning

• Individual Audit Assignment

Assess Risk Maturity

• Meet Board and Senior Managers to ascertain:

– Steps initiated to improve the risk maturity

– Review training records related to trainings, risk workshop etc.

– Interview the risk managers

• Review Supporting information:

– Organization's objective

– Process of assessing risks including impact and likelihood parameters

– Board's definition of risk appetite

– Procedure used by management to identify all key risks threatening the organization's objective.

– Overall industry vertical scenario and likely global impacts.

• Conclude on risk maturity

– Formulate opinion on risk maturity of the organisation.

Assess Risk Maturity

Categorization of the organization:

• Risk enabled: - Risk management and internal control fully embedded in the operations

– Risk register is available for audit planning

– Confidence in risk management enables a range of audit techniques to be used

– Emphasis of the audit work would be that risk management processes are working properly.

• Risk defined: - Strategies and policies in place and communicated. Risk appetite defined.

– Managers may have compiled the list of risks but not assembled it in a risk register

– Internal Audit to work as consultant to facilitate compilation of risk register

– Quality of risk management may vary across organization

Assess Risk Maturity

– Any individual audit therefore will have to place emphasis on the level of risk maturity in the area being audited

– Where risk management is poor, Internal audit will have to facilitate the identification of risks

– Advise managers what action to take where weaknesses are found

• Risk aware: - silo approach to risk management

– No risk register will be available

– Few managers will have determined their risks

– Internal audit will have to facilitate the identification of risks

– This type of organisation does not have a risk management framework, RBIA cannot be implemented.

– However, individual audits can be driven by risks where management understand risks

• Risk naive: - no formal approach developed for risk management

– it will be necessary to promote, or provide consultation on, the establishment of a risk management framework. Until this is done RBIA cannot be implemented.


Assess Risk Maturity

• It is not possible to carry out risk based internal auditing without a reliable risk register, that is in organisations that are risk naïve or risk aware. Such organisations need to improve their risk maturity to a minimum of risk defined before RBIA can be used.

Audit Plan

Having assessed the risk maturity of the organisation, the auditor can decide what reliance to place on the list of risks provided by management when determining the audit plan.

• Which risks should be checked to ensure they are being properly managed?

• When should they be checked (this year, next year)?

• How should they be checked?


Audit Plan

Objective:

To produce an audit plan, listing audits to be carried out over a specified period, usually a year. This plan will include all the audits, and other work, which enable the internal audit department to report its conclusions on the risk management processes, as defined by the terms of reference agreed with the audit committee.


Audit Plan

• Determine the risks requiring the assurance

• Allocate risks to audits

• Draw up proposed annual audit plan

• Allocate resources

• Publish the audit plan

• Update the risks and audit universe

Audit Plan

• Determine the risks requiring the assurance:

• Filter the list of inherent risks to remove those where an audit is not possible or necessary, as follows:

– The risk is within the risk appetite of the organisation and requires no further work.

– The nature of the risk is considered such that it cannot be brought within the risk appetite, and it will be tolerated.

– The risk is being examined by a third party (external auditors, quality control, health and safety), who may provide assurance directly to the audit committee, or through internal audit, or through another function.

– The risk was being managed within the risk appetite, as evidenced by previous audit work.

• The remaining risks are those on which assurance is required and these will form the basis of the audit plan. These risks, and those filtered out, will be included in the report to the audit committee, so they are aware of how all the risks are being managed.

Audit Plan

Allocate risks to audits:

• By objectives. This links audits directly to the objectives threatened by the risks, whose management is being checked by the audit.

• By risk owner. This method can be used for audits in specific locations, such as oil refineries.

• By business unit. This is useful where the organisation has a number of physically independent business units, whose processes are self-contained.

• By process, such as sales, purchases, stock control. This is useful in a large central organisation with integrated systems.

• By type, such as governance, financial, external, operational and compliance. They are rather broad and also can overlap. For example, a failure to maintain adequate books and records is a financial and compliance risk.


Audit Plan

Draw up proposed annual audit plan:

• There will be a range of scores and, in drawing up the audit plan, a policy will have to be established about which risks to cover and how often. It is unlikely that the board, or audit committee, will require assurance on the management of every risk above the risk appetite, every year. They may require assurance on the risks with a high likelihood of significant/ catastrophic losses every year but other risks above the risk appetite every two or three years.

Audit Plan

Allocate resources

• The number of days required to complete each audit is estimated. The total of days required to audit all the controls over the risks is summed and compared to the resources available.

• If resources are insufficient to complete the plan, prepared on the basis of internal audit’s terms of reference, an increase in staff should be considered, alongside other options, such as reducing the number of audits.

• If sufficient staff are not available, the audit committee should be informed of those risks not audited due to resource constraints and given the opportunity to decide on their preferred option.

• When resources have been allocated, approximate timings and other details of the audit should be updated. A unique reference (separate from the audit group letters) is given to each audit and used on all audit.

Audit Plan

Publish the audit plan:

• Details of those risks where assurance will be provided on the risk management processes, by carrying out the audits in the plan.

• Details of those risks where assurance will be provided but based on audit work from previous years.

• Details of those risks where consultancy work will be carried out to assist management in reducing the risks to below the risk appetite.

• Any risks not covered, due to policy or resource constraints.

• Confirmation that the plan is in accordance with the internal audit department’s terms of reference.

Audit Plan

Update the risk and audit universe:

• This should be done regularly, at least every three months, from management’s reassessment of risks and conclusions from audits reporting during this period. The impact on the audit plan should then be considered. It may be necessary to add audits where new, significant risks have been identified and remove those where risks are considered to have diminished. In particular, it will be necessary to add new major projects to this list.


Carrying out an individual assurance audit

• The purpose of an individual audit is to provide assurance that risks are being properly managed, and report where they are not.

• The audit plan is that part of the risk and audit universe which shows the audits to be carried out in the specified period (usually a year). It also shows the risks to be covered in any audit and may also provide details of personnel, budgeted time and estimated date for issue of the report.

• The plan may be used to generate a quarterly plan that provides greater detail about the staff working on the audit and how their time is to be used.

• The main tasks involved in an individual audit are shown below, with greater detail provided in the section for internal audit staff:


Carrying out an individual assurance audit

The aim of audit work should be to provide assurance that:

• Management have identified, assessed and responded to risks above the risk appetite.

• The responses, especially the system of internal controls treating the risks, are effective in reducing the inherent risks to below the risk appetite.

• Where residual risks are above the risk appetite, action is being taken to reduce them to within the risk appetite, or the board has been informed that they will be tolerated, transferred or terminated.

• Risk management processes are being monitored by management to ensure they continue to operate effectively.

Carrying out an individual assurance audit

• The risk is being managed to within the risk appetite of the organisation or,

• Action has been agreed to bring the risk within the risk appetite or,

• The risk will have to be tolerated or,

• The risk is being terminated or transferred, or

• The risk is not being managed to within the risk appetite, and no suitable action is being taken.

Comparison

Audit process: Risk-based auditing compared with the previous methodology

• Audit Universe

– Risk-based auditing: All activities of the business

– Previous methodology: Primarily financial areas but also involving compliance with laws and regulations, and ‘operations’

• Audit Objectives

– Risk-based auditing: Provide an opinion as to whether risks are being managed to acceptable levels

– Previous methodology: Confirm internal controls are operating. Improve efficiency

• Annual Plan

– Risk-based auditing: Audits directed at high risks

– Previous methodology: Cyclical plan of audits, not necessarily dependent on risk levels

• Audit Types

– Risk-based auditing: Only distinction is between project (systems development) audits and ongoing processes

– Previous methodology: Distinguishes between financial, operational, compliance and other types

• Involvement of the rest of the organisation

– Risk-based auditing: Involved at all stages of planning and the audit, since they own the risks and must provide assurance to the stakeholders

– Previous methodology: Minimal. May approve the audit plan and be involved at the end of an audit to agree the points found

• Fieldwork

– Risk-based auditing: Ensures the organisation has identified all its risks, and is controlling them

– Previous methodology: Based on a set work programme, where there may be no clear objective set, just tests to carry out

• Testing

– Risk-based auditing: Similar tests as used at present but aimed at confirming that important controls are operating. Changes emphasis of testing depending on risk maturity of the organisation.

– Previous methodology: Confirms the operation of controls – but may not prioritise these in order of importance. May also be directed towards finding errors, however immaterial.

• Report

– Risk-based auditing: Provides an opinion to management as to whether its risks are being managed to acceptable levels, and reports if they are not

– Previous methodology: Confirms internal controls are operating and reports where they are not

RBIA- advantages

• Risk Based Internal Audit is a simple concept. It involves the whole organisation and its processes – so no need to define which functions internal auditing should involve – all of them.

• Easily demonstrate what proportion of significant risks we have audited, and the results, to provide assurance to the board about the “effectiveness of the company’s system of internal control”

• The work is more challenging and interesting to staff. They have to work in non finance areas, with staff that may be seconded in for the audit.

• Risk-based auditing is more efficient, because it directs audits at the high-risk areas, as opposed to financial areas, which may not represent such a great risk.

• The organisation buys in to the audit process, because it has to be closely involved in the process and should be able to clearly see the benefits of the output.

• Resources can be justified. Because the audit plan is driven by the proportion of risks on which the audit committee requires assurance, this determines the resources required.

• We can rank recommendations, to provide the greatest value added in terms of the risks mitigated.

• RBIA should highlight risks which are over-controlled, and therefore improve efficiency.

RBIA - disadvantages

• The closer relationship with the rest of the organisation may reduce the independence of the internal audit function. We should prevent this by making the responsibility of internal auditing clear and by adopting the ‘iron fist in a velvet glove’ approach.

• It’s hard work! We have to sell the risk-based process to the organisation, get it to tell us its risks, score them and then have to carry out some difficult audits which we have never done before! Stakeholder management is vital, and takes time.

• While the principles are simple, the delivery can be complex, as we can see from the spreadsheets.

• Existing staff may need retraining.

• By concentrating on audits of inherent risks above the risk appetite, some audits previously considered important by senior management might disappear.

• These might include audits of small overseas subsidiaries, ‘petty cash’ and the Staff Social Club.


THANK YOU FOR YOUR TIME AND ATTENTION

