Risk Based Internal Audit in Banks

April 7, 2014

Page 2

Agenda

1. Principles of Risk Based Internal Audit

2. Methodology

3. Risk Assessment

4. Annual Plan

5. Audit Engagement

6. Reporting

7. Benefits of Risk Based Audit

Page 3

1. Principles of Risk Based Internal Audit

Risk: the probability that an event occurs and affects the achievement of objectives.

Risk has four components:

Event, Effect, Likelihood, Result

Risk Management: the process of identifying potential events, then assessing, managing and controlling them so that the institution's objectives are achieved with acceptable assurance.

Risk Assessment Process: Identification → Classification → Prioritization → Measuring

Page 4

1. Principles of Risk Based Internal Audit

Risk Assessment Process

A "risk assessment" is an effort to identify, measure, and prioritize the risks an organization faces, so that internal audit activities are focused on the auditable areas with the greatest significance.

The risk assessment process is what makes it possible to develop a risk-based Internal Audit Plan.

Risk Assessment Goals

Inform senior management and the Board of Directors about the risk assessment process.

Get to know the client's needs.

Develop a project plan and timeline, and agree upon deliverables.

Provide a framework for assessing and prioritizing risks.

Page 5

1. Principles of Risk Based Internal Audit

What is risk based internal audit?

The Institute of Internal Auditors defines Risk Based Internal Auditing (RBIA) as:

• a methodology that links internal auditing to an organization's overall risk management framework

• that allows internal audit to provide assurance to the board that risk management processes are managing risk effectively, in relation to the risk appetite

Page 6

2. Methodology

Assessing Risk

Annual Plan

Audit Engagement

Reporting

Page 7

3. Risk Assessment

Evaluate the level of risk for each auditable area.

Risk factors to consider include:

Materiality

Complexity of Process

Business Environment

Exposure to Loss

Regulatory Environment

Page 8

3. Risk Assessment

Identify potential areas for internal auditing through discussions with key management and review of documentation. Key risks should be taken into account.

Interview executive, senior management, middle management, and Board of Directors / Audit Committee.

Review financial statements, strategic plans, budgets, policies and procedures, code of conduct, and other entity related information.

Review industry information.

Facilitate risk assessment sessions with management.

Page 9

3. Risk Assessment

Sample Heat Map (figure; not reproduced in the transcript)

Page 10

4. Annual Plan

Establishing the Risk Based Internal Audit Plan

According to IIA standards, a risk based internal audit plan should meet the following requirements:

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.

The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.

Page 11

4. Annual Plan

In Turkey, the regulations of the Banking Regulation and Supervision Agency require the following for an effective internal audit system:

Annual risk assessments covering all business units and operations of the bank shall be performed.

An annual audit plan shall be established in line with the results of the risk assessments.

The annual audit plan shall be approved by the Board.

Page 12

4. Annual Plan

SAMPLE AUDIT PLAN PROCESS

The Annual Audit Plan is determined by evaluation of:

Risk matrix

Risk matrices of subsidiaries (if applicable)

Risk level of activities

Risk indicators & dynamic risk assessment

Contemporary conditions and expectations

Feedback of the Board of Directors, Audit Committee & Senior Management, etc.

Parties in the sample process: Internal Audit Department; Audit Committee (approval); Board of Directors (approval); Regulatory Authority (for information purposes only).

Page 13

4. Annual Plan – Sample Risk Assessment Process: Bank Example

Identify Key Risks → Define Audit Universe → Perform Risk Ranking → Audit Plan

Identifying the Auditable Entities (the audit universe):

Corporate Finance

Trading and Sales

Retail Banking: Credit Extension; Deposit Collection and Investment Products; Retail Banking Operations; Retail Brokerage

Commercial Banking: Credit Extension; Deposit Collection and Investment Products; Commercial Banking Operations

Payment and Settlement

Agency Services

Asset Management

Mergers and Acquisitions

Insurance Services

Information Systems

Human Resources

Legal Proceedings

New Technologies

Inputs to the risk ranking: The Bank's Risk Matrix; Risk Level of Bank's Activities; Risk Indicators; Risk Assessment Reports → Importance Level* → Audit Period → AUDIT PLAN

* A risk rating model can be used to define ideal audit periods. A risk rate can be given to each auditable entity from "1-High Risk" to "5-Low Risk".

Page 14

4. Annual Plan – Sample Risk Based Annual Plan

Columns: Audit Cycle / Area | Aggregate Risk from Risk Assessment Matrix | Audit Frequency (1, 2, or 3 year rotation) | Year 1 | Year 2 | Year 3

LENDING OPERATIONS
  Commercial Loans                        M   2   X   -   X
  Consumer Loans                          M   2   -   X   -
  Real Estate Loans                       M   2   X   -   X
  Credit Administration                   H   1   X   X   X
  Secondary Marketing                     L   3   -   X   -
TREASURY MANAGEMENT
  Securities                              M   2   X   -   X
  Cash Management                         L   3   -   -   X
  Asset/Liquidity Management              M   2   X   -   X
  Wire Transfer                           H   1   X   X   X
  Automated Clearing House                H   1   X   X   X
  Borrowings and Repurchase Agreements    L   3   -   X   -
ACCOUNTING AND FINANCIAL REPORTING
  General Accounting                      M   2   -   X   X
  Financial Reporting                     M   2   -   X   -
DEPOSIT OPERATIONS                        M   2   -   X   -
BRANCH OPERATIONS                         M   2   X   -   X
BANK ADMINISTRATION
  Human Resources                         M   2   X   -   X
  Payroll                                 L   3   -   X   -
  Purchasing                              L   3   -   X   -
  Insurance Coverage                      M   2   X   -   X

High (H); Medium (M); Low (L); X = audited in that year
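The three slides above describe a pipeline but never show it end to end: score each auditable area on the Page 7 risk factors, convert the score into the Page 13 risk rate (1 = high risk, 5 = low risk), derive an aggregate H/M/L rating and a 1/2/3-year audit frequency, and lay the areas out over a three-year cycle as in the Page 14 table. The Python below is an added example written for this page; it is not code from the presentation or from any bank. The factor weights, the rate-to-rating thresholds and the sample audit universe are constructed assumptions that a real audit department would calibrate. It also includes the check a reviewer would run on a hand-edited plan: that every area actually appears as often as its frequency demands.

```python
"""Risk-based annual audit plan: score, rate, schedule, check.

Added example, not code from the presentation. Weights, thresholds and the
sample audit universe are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Risk factors from Page 7; each is scored 1 (lowest risk) .. 5 (highest risk).
FACTORS = ("materiality", "complexity", "business_environment",
           "exposure_to_loss", "regulatory_environment")
# Assumed factor weights; they sum to 1 so the weighted score stays on the 1..5 scale.
WEIGHTS = {"materiality": 0.30, "complexity": 0.15, "business_environment": 0.15,
           "exposure_to_loss": 0.25, "regulatory_environment": 0.15}
# Assumed mapping from the Page 13 risk rate (1 = highest risk) to the aggregate
# H/M/L rating, and from the rating to the Page 14 audit frequency in years.
RATE_TO_RATING = {1: "H", 2: "M", 3: "M", 4: "L", 5: "L"}
FREQUENCY = {"H": 1, "M": 2, "L": 3}
CYCLE_YEARS = 3


@dataclass
class AuditableArea:
    name: str
    scores: dict  # factor -> 1 (lowest risk) .. 5 (highest risk)


def weighted_score(area):
    """Weighted factor score on the 1..5 scale; rejects missing or out-of-range factors."""
    for f in FACTORS:
        s = area.scores.get(f)
        if not isinstance(s, int) or not 1 <= s <= 5:
            raise ValueError(f"{area.name}: factor {f!r} must be an integer 1..5")
    return sum(WEIGHTS[f] * area.scores[f] for f in FACTORS)


def risk_rate(score):
    """Page 13 convention: 1 = high risk .. 5 = low risk (half-up rounding of the score)."""
    return 6 - max(1, min(5, int(score + 0.5)))


def build_plan(areas):
    """Return {name: (rating, frequency_years, [years audited in the cycle])}.

    Areas sharing a frequency are staggered so the yearly workload is spread
    over the cycle instead of piling every 2- or 3-year area into year 1.
    """
    plan, next_offset = {}, {f: 0 for f in FREQUENCY.values()}
    for area in sorted(areas, key=lambda a: a.name):
        rating = RATE_TO_RATING[risk_rate(weighted_score(area))]
        freq = FREQUENCY[rating]
        start = 1 + next_offset[freq] % freq
        next_offset[freq] += 1
        plan[area.name] = (rating, freq, list(range(start, CYCLE_YEARS + 1, freq)))
    return plan


def coverage_gaps(plan):
    """Names of areas not audited in some window of `frequency` consecutive years.

    Run this over a hand-edited plan such as the Page 14 table: an H area must
    appear every year, an M area in every pair of adjacent years, and so on.
    """
    gaps = []
    for name, (_, freq, years) in plan.items():
        audited = set(years)
        for start in range(1, CYCLE_YEARS - freq + 2):
            if not audited & set(range(start, start + freq)):
                gaps.append(name)
                break
    return gaps


def workload(plan):
    """Number of engagements scheduled in each year of the cycle."""
    per_year = {y: 0 for y in range(1, CYCLE_YEARS + 1)}
    for _, _, years in plan.values():
        for y in years:
            per_year[y] += 1
    return per_year


# Constructed sample audit universe: names echo Page 14, factor scores are invented.
SAMPLE_UNIVERSE = [
    AuditableArea("Wire Transfer", dict(zip(FACTORS, (5, 4, 4, 5, 5)))),
    AuditableArea("Credit Administration", dict(zip(FACTORS, (5, 5, 5, 5, 5)))),
    AuditableArea("Commercial Loans", dict(zip(FACTORS, (4, 3, 3, 3, 3)))),
    AuditableArea("Securities", dict(zip(FACTORS, (4, 4, 3, 3, 3)))),
    AuditableArea("Cash Management", dict(zip(FACTORS, (2, 1, 2, 3, 2)))),
    AuditableArea("Payroll", dict(zip(FACTORS, (2, 2, 1, 2, 2)))),
    AuditableArea("Purchasing", dict(zip(FACTORS, (2, 2, 2, 2, 1)))),
]

if __name__ == "__main__":
    plan = build_plan(SAMPLE_UNIVERSE)
    for name, (rating, freq, years) in plan.items():
        marks = " ".join("X" if y in years else "-" for y in range(1, CYCLE_YEARS + 1))
        print(f"{name:24} {rating} {freq}  {marks}")
    print("gaps:", coverage_gaps(plan), "workload:", workload(plan))
```

Two design points matter in practice. Staggering the start year within each frequency class is what turns a rating table into a workable plan; without it every M and L area lands in year 1 and the department is idle in year 3. The coverage check is deliberately independent of the builder so it can be pointed at a plan the Audit Committee has edited by hand, which is where frequency violations are usually introduced.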

Page 15

5. Audit Engagement

Subjects reviewed during the audit engagements vary according to the work performed by the audited units. According to the COSO model, controls should provide reasonable assurance about the following four objectives; in the audit engagement, the controls over these objectives are tested.

Effectiveness & Efficiency of Operations

• Efficiency of workflows

• Evaluation of capacity usage

• Over/under employment

Compliance

• Policies

• Procedures

• Laws and regulations

• Agreements

Safeguarding of Assets

• Policies for segregation of duties

• Evaluation of procedures designed against theft, forgery, illegal acts, etc.

Reliability & Integrity of Information

• Financial records

• Operational records

• Record keeping and reporting activities

COSO is a committee composed of five professional organizations. This model is preferred and suggested by the IIA (Institute of Internal Auditors).

Page 16

5. Audit Engagement

EXECUTING THE AUDITS: SPECIFIC TECHNIQUES USED TO OBTAIN INFORMATION

Identifying → Analyzing → Evaluation of Information

• Interviewing

• Recomputing

• Detailed Testing

• Observation & Inspection

• Statistical Sampling

• Confirmation

• Analytical Procedures

Page 17

5. Audit Engagement

Sample Audit Plan

Sample Working Paper

Risk based audit plans and working papers are prepared for each audit engagement.

The contents of these documents, listed below, define the scope of the assurance provided:

Purpose, Scope, Analysis Method, Sampling Method, Results

Page 18

6. Reporting

What is expected by the senior management and the board from internal audit reports?

• Compliance of the audited unit with the law and other legal requirements

• Compliance of the audited unit with internal policies and procedures

• Efficiency and effectiveness of processes in the audited unit, and possible corrective actions that senior management may take

Page 19

6. Reporting

Internal Audit Reporting Sample

Number of Finding: 2013-910-H-001 (the H / M / L element carries the High / Medium / Low rating)

Headline

Examined Process: Related Process / Sub-Process, i.e. the process from the audit plan in which the finding is detected

Current State:

Auditee Controls: any controls currently available in the process

Finding: a brief explanation of the examined process, highlighting the risky points, with the auditor's opinions

Risk and Suggestion:

Risk: risks regarding the process

Suggestion: suggestions to cover the risk

Result:

Response of Auditee: the answer / opinion of the auditee regarding the finding, risk and suggestion

Target Remediation Date

Related Parties: Assistant Manager, Unit Manager

Page 20

Reporting to Senior Management and the Board

In IIA standards, reporting levels are explained as follows:

The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan.

Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.

Reporting to the Audit Committee

The internal audit function ultimately reports and is accountable to the Audit Committee. Prior to each Audit Committee meeting, the internal audit reports of the audit period are prepared and delivered to the members of the Audit Committee and other concerned parties.

6. Reporting

Page 21

Monitoring Progress and Communicating the Acceptance of Risks

The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.

6. Reporting

Page 22

7. Benefits of Risk Based Audit

Conducting efficient audit activities

Identifying the risk appropriately

Affirmative cost-benefit impacts

Fulfilling the stakeholders' expectations

Focusing on the most significant and risky auditable areas

Page 23

Internal Audit Exam

Deadline for Application: April 18th, 2014

Exam Date: April 27th, 2014

Exam Locations: İstanbul, Ankara, İzmir

Expected to Hire: 35 People

Expected Date to Begin: July 2014

http://garantilikariyer.garanti.com.tr/

Page 24

April 7, 2014 - Istanbul