Techniques for implementing risk based audit
DESCRIPTION
Seminar material
TRANSCRIPT
RISK BASED INTERNAL AUDITING IMPLEMENTATION
"Towards a Greater Transparency and Accountability"
IKATAN AKUNTAN INDONESIA
Jakarta, 21-23 November 2006
Inawaty Suwardi, Head of Internal Audit of
RBIA - Kongres X IAI-2006 2
Current Definition of Internal Auditing
• “An independent, objective assuranceand consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”
Risk Based Internal Auditing
• Risk Based Internal Auditing is an approach that can help to meet those requirements
• The Standards for the Professional Practice of Internal Auditing and the associated Practice Advisories emphasize adopting a Risk-based approach to internal auditing
PERFORMANCE STANDARDS
• 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.
• 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.
• 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
Objectives of Risk Based Internal Auditing
• To provide independent assurance to the board that:
  • The risk management processes are operating as intended
  • These risk management processes are of sound design
  • The responses to risks are both adequate and effective in reducing those risks to a level acceptable to the board
  • A sound framework of controls is in place to sufficiently mitigate those risks
The Practice of RBIA
The key starting point is
• to determine that appropriate objectives have been set
• to determine whether the business has an adequate process for identifying, assessing and managing the risks that impact on the achievement of these objectives
The Practice of RBIA….
• The extent to which internal audit needs to undertake its own risk assessment depends upon the risk management maturity within an organization
The Practice of RBIA….
Risk Management Continuum (source: IIA UK/Ireland), by risk maturity:

Risk Naïve
  Key characteristics: no formal approach developed for risk management
  Internal audit approach: promote risk management and rely on audit risk assessment
Risk Aware
  Key characteristics: scattered, silo-based approach to risk management
  Internal audit approach: promote an enterprise-wide approach to risk management and rely on audit risk assessment
Risk Defined
  Key characteristics: strategy and policies in place and communicated; risk appetite defined
  Internal audit approach: facilitate risk management / liaise with risk management and use management's assessment of risk when appropriate
Risk Managed
  Key characteristics: enterprise-wide approach to risk management developed and communicated
  Internal audit approach: audit risk management processes and use management's assessment of risk as appropriate
Risk Enabled
  Key characteristics: risk management and internal control fully embedded into the operations
  Internal audit approach: audit risk management processes and use management's assessment of risks as appropriate
The Practice of RBIA…
• The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by risk appetite), or to facilitate and/or agree improvements as necessary
RISK BASED INTERNAL AUDITING: How We Do It in
BANK RISK PROFILE (risk rating table; the individual cell ratings are not legible in the transcript)
Columns: the eight risk types (Credit Risk, Market Risk, Liquidity Risk, Operational Risk, Legal Risk, Reputation Risk, Strategic Risk, Compliance Risk) plus a composite
Inherent risk, by functional activity: Credit; Treasury & Investment; Operational & Services; Trade Finance & Bank Guarantee; Funding; IT & MIS; HRM; Aggregate Inherent Risk (rated Low / Moderate)
Risk control system: Board and senior management oversight; Policies, procedures & limits; Risk assessment, measurement & MIS; Internal control; Aggregate Risk Control System (rated Strong / Acceptable)
Composite risk (rated per risk type)
Prepared by Risk Management Unit, validated by Internal Audit, submitted quarterly to BI
Risk Profile Components
• The eight types of Risk
  1. Credit Risk
  2. Market Risk
  3. Liquidity Risk
  4. Operational Risk
  5. Legal Risk
  6. Reputation Risk
  7. Strategic Risk
  8. Compliance Risk
• Four Elements of the Risk Control System
  1. Board & Senior Management Oversight
  2. Policies, procedures and Limit structure
  3. Risk measurement, monitoring & management reporting system
  4. Internal Control
RISK BASED AUDIT APPROACH in BCA
• Annual Audit Planning (Macro Risk Assessment)
• Individual Engagement Planning (Micro Risk Assessment)
• Performing Risk-Focused auditing
• Rating the Risk Control System
MACRO RISK ASSESSMENT
• Identification, measurement and prioritization of audit areas
• Is used to create the annual audit plan
• Helps to allocate audit resources to the most important aspects of the enterprise
Macro Risk Assessment Process
1. Define the Audit Universe
2. Assess each of the auditable units/areas with respect to:
  • Level of the inherent risks in each of the eight inherent risks by business activity (liaise with Risk Management Unit)
  • Previous audit rating & time lapsed since last audit
3. Develop the Annual Audit Plan based on the ranked Audit Universe
4. Seek approval from the President Director and Board of Commissioners
Macro Risk Assessment Process…
Audit Universe (auditable units):
• Head Office: 23 business & supporting functions / units
• Regional Office: 12 regional offices
• Branches: 118 main branches, 665 sub branches
• Subsidiary Companies: 3 subsidiaries
Micro Risk Assessment
• The primary focus of RBIA is to provide reasonable assurance to the Board and top management about the adequacy and effectiveness of the risk management and control framework in the bank’s operation
• While examining the effectiveness of the control framework, the RBIA should report on proper recording and reporting of major exceptions and excesses. Transaction testing would continue to remain an essential aspect of RBIA
• The extent of transaction testing will have to be determined based on the risk assessment
• The Micro Risk Assessment is done at the planning stage of an individual audit engagement
MICRO RISK ASSESSMENT: RISK PROFILE MATRIX
Rows: inherent business risk (Low / Moderate / High). Columns: risk control systems (Weak / Acceptable / Strong). Each cell gives the aggregate risk and the review scope.

Inherent business risk HIGH
  Weak controls: high aggregate risk; full-scope review required
  Acceptable controls: high aggregate risk; limited review
  Strong controls: moderate to high aggregate risk; limited review
Inherent business risk MODERATE
  Weak controls: moderate to high aggregate risk; full-scope review required
  Acceptable controls: moderate aggregate risk; limited review
  Strong controls: low to moderate aggregate risk; limited review
Inherent business risk LOW
  Weak controls: low to moderate aggregate risk; limited review
  Acceptable controls: low aggregate risk; no review required
  Strong controls: low aggregate risk; no review required
OVERVIEW MICRO RISK BASED AUDIT APPROACH (flow diagram)
Audit planning: risk assessment (risk identification; risk measurement and prioritization; preliminary risk profile) -> risk profile matrix (audit focus) -> audit program / tools
Fieldwork: fieldwork procedures; assessment of internal control, risk management and corporate governance, both design (adequacy) and application (effectiveness); risk control assessment tools
Reporting: observations / findings (residual risk) -> audit report; audit rating
RISK FOCUSED EXAMINATION
• Identification of the inherent business risks in the various activities undertaken by the business
• Evaluation of the effectiveness of the control systems for the monitoring of the inherent risks of the business activities
• Assign a Risk Based Rating to the Control System
Risk Based Rating (process)
1. Finding / Observation: breach of a key control
2. Risk scenario generation: classify under the 8 types of risk (if it is operational risk, refer to the Basel Loss Event type classification); assess Impact (L2, L1, M, H1, H2) and Likelihood (L2, L1, M, H1, H2)
3. Control Risk Ranking & Score: Extreme, High, Moderate, Low; score 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20, 25
4. Risk Control Rating: Very strong, strong, acceptable, weak, very weak; rating 1-10
Loss Event type classification (Basel): Event Type / Categories / Activity Examples

Internal Fraud
  • Unauthorized activity: transaction not reported, transaction type unauthorized, mismarking of position
  • Theft & Fraud: fraud / credit fraud / worthless deposits; theft / extortion / embezzlement / robbery; misappropriation of assets; malicious destruction of assets; forgery; check kiting; smuggling; bribes / kickbacks, etc.
External Fraud
  • Theft and Fraud: theft / robbery, forgery, check kiting
  • Systems Security: hacking damage, theft of information
Employment Practices and Workplace Safety
  • Employee Relations: compensation, benefit, termination issues; organized labour activity
  • Safe Environment: general liability; employee health & safety rule events; workers compensation
  • Diversity & Discrimination: all discrimination types
Clients, Products & Business Practices
  • Suitability, Disclosure & Fiduciary: fiduciary breaches / guideline violations; suitability / disclosure issues (KYC etc.); retail consumer disclosure violations; breach of privacy; aggressive sales; lender liability, etc.
  • Improper Business or Market Practices: antitrust, improper trade / market practices; market manipulation, insider trading, etc.
  • Product Flaws: product defects, model errors
  • Selection, Sponsorship & Exposure: failure to investigate client per guidelines; exceeding client exposure limits
  • Advisory Activities: disputes over performance of advisory activities
Damage to Physical Assets
  • Disasters and other events: natural disaster losses; human losses from external sources (terrorism, vandalism)
Business Disruption and System Failures
  • Systems: hardware; software; telecommunications; utility outage / disruptions
Execution, Delivery & Process Management
  • Transaction Capture, Execution & Maintenance: miscommunication; data entry, maintenance or loading error; missed deadline or responsibility; collateral management failure; etc.
  • Monitoring & Reporting: failed mandatory reporting obligation; inaccurate external report (loss incurred)
  • Customer Intake and Documentation: client permissions / disclaimers missing; legal documents missing / incomplete
  • Customer / Client Account Management: unapproved access given to accounts; incorrect client records (loss incurred); negligent loss or damage of client assets
  • Trade Counterparties: non-client counterparty misperformance; misc. non-client counterparty disputes
  • Vendors & Suppliers: outsourcing; vendor disputes
Example of Scenario Generation
Case: Consumer loan processing
Observation
• The weakest step in the processing flow is the registration of collateral, because it has no system support and no standardized documents
• There has been one error recorded (but no financial loss) in the last 5 years
• Operation volume is approximately 5,000 new loans/year with an average amount of Rp 1 billion
Generated Scenario
• Risk Factor: Processing Risk
• Loss Event: Transaction capture, Execution & maintenance
• Description of scenario: due to insufficient system support and complicated documents, a staff member forgets to register the collateral of a loan. As a result, the bank cannot recover the loan from the collateral
• Loss Severity: Rp 3 billion (considering the analysis of the loan amount distribution)
• Loss Frequency: once in 5 years (considering the analysis of historical loss frequency)
Scenarios are generated based on the result of the qualitative assessment. Factors such as the identified control weakness, internal loss experience, business environment and relevant industry loss experiences are taken into consideration in generating the scenario.
Generated Scenario
• Mapping to the Control Risk Ranking & Score Matrix: Impact: Moderate (M); Likelihood: Unlikely (L1); Score 6 = MODERATE
• Mapping to the Table of Risk Control Rating: Moderate Impact & Low 1 Likelihood (score = 6); Risk Control rating for the process is 5 = ACCEPTABLE
CONTROL RISK RANKING & SCORE
Impact levels: Low (L2) = 1, Minor (L1) = 2, Moderate (M) = 3, Major (H1) = 4, Critical (H2) = 5. Likelihood levels: Rare (L2) = 1, Unlikely (L1) = 2, Possible (M) = 3, Likely (H1) = 4, Almost Certain (H2) = 5. Each cell gives the ranking and the score (the score is impact level times likelihood level).

Likelihood \ Impact   Low (L2)     Minor (L1)   Moderate (M)   Major (H1)    Critical (H2)
Rare (L2)             Low 1        Low 2        Moderate 3     High 4        High 5
Unlikely (L1)         Low 2        Low 4        Moderate 6     High 8        Extreme 10
Possible (M)          Low 3        Moderate 6   High 9         Extreme 12    Extreme 15
Likely (H1)           Moderate 4   High 8       High 12        Extreme 16    Extreme 20
Almost Certain (H2)   Moderate 5   High 10      Extreme 15     Extreme 20    Extreme 25
RISK CONTROL RATING (Control Risk Rating to Risk Control System, RCS)

Ranking    Score   Impact     Likelihood   Rating   RCS
Low        1       Low 2      Low 2        1        Very Strong
Low        2       Low 2      Low 1        1        Very Strong
Low        2       Low 1      Low 2        1        Very Strong
Low        3       Low 2      Moderate     2        Strong
Low        4       Low 1      Low 1        2        Strong
Moderate   3       Moderate   Low 2        3        Acceptable
Moderate   4       Low 2      High 1       3        Acceptable
Moderate   5       Low 2      High 2       4        Acceptable
Moderate   6       Low 1      Moderate     5        Acceptable
Moderate   6       Moderate   Low 1        5        Acceptable
High       4       High 1     Low 2        6        Weak
High       5       High 2     Low 2        6        Weak
High       8       High 1     Low 1        7        Weak
High       8       Low 1      High 1       7        Weak
High       9       Moderate   Moderate     8        Weak
High       10      Low 1      High 2       9        Weak
High       12      Moderate   High 1       9        Weak
Extreme    10      High 2     Low 1        10       Very Weak
Extreme    12      High 1     Moderate     10       Very Weak
Extreme    15      Moderate   High 2       10       Very Weak
Extreme    15      High 2     Moderate     10       Very Weak
Extreme    16      High 1     High 1       10       Very Weak
Extreme    20      High 1     High 2       10       Very Weak
Extreme    20      High 2     High 1       10       Very Weak
Extreme    25      High 2     High 2       10       Very Weak

Chart axes: control risk from Extreme to Low; control effectiveness from Very Weak to Very Strong.
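The ranking matrix and the rating table above, encoded as lookups so any finding's impact and likelihood pair can be rated the same way the consumer-loan scenario was. This is an added example, not a tool from the deck or from BCA; the constant and function names are this example's own, and the matrix contents are transcribed from the slides.

```python
# Added example (not from the seminar deck): the Control Risk Ranking & Score
# matrix and the Risk Control Rating table from the slides, encoded as lookups.
# Constant and function names are this example's own.

# Impact and likelihood both use the five levels L2, L1, M, H1, H2 (1..5).
LEVEL = {"L2": 1, "L1": 2, "M": 3, "H1": 4, "H2": 5}

# Ranking per matrix cell: RANKING[likelihood-1][impact-1], impact columns
# ordered Low(L2), Minor(L1), Moderate(M), Major(H1), Critical(H2).
# Equal scores can fall in different rankings (score 4 is Low, Moderate or
# High depending on the cell), so the ranking is not a pure score threshold.
RANKING = [
    ["Low", "Low", "Moderate", "High", "High"],             # Rare (L2)
    ["Low", "Low", "Moderate", "High", "Extreme"],          # Unlikely (L1)
    ["Low", "Moderate", "High", "Extreme", "Extreme"],      # Possible (M)
    ["Moderate", "High", "High", "Extreme", "Extreme"],     # Likely (H1)
    ["Moderate", "High", "Extreme", "Extreme", "Extreme"],  # Almost certain (H2)
]

# Rating (1..10) by (ranking, score), from the Risk Control Rating table;
# every Extreme cell rates 10.
RATING = {
    ("Low", 1): 1, ("Low", 2): 1, ("Low", 3): 2, ("Low", 4): 2,
    ("Moderate", 3): 3, ("Moderate", 4): 3, ("Moderate", 5): 4, ("Moderate", 6): 5,
    ("High", 4): 6, ("High", 5): 6, ("High", 8): 7, ("High", 9): 8,
    ("High", 10): 9, ("High", 12): 9,
}


def control_rating(rating: int) -> str:
    """Map the 1..10 rating to the five-point Risk Control System rating."""
    if rating == 1:
        return "Very Strong"
    if rating == 2:
        return "Strong"
    if rating <= 5:
        return "Acceptable"
    if rating <= 9:
        return "Weak"
    return "Very Weak"


def assess(impact: str, likelihood: str) -> tuple:
    """Return (score, ranking, rating, control_rating) for one finding."""
    i, l = LEVEL[impact], LEVEL[likelihood]
    score = i * l                       # each cell's score is impact x likelihood
    ranking = RANKING[l - 1][i - 1]
    rating = 10 if ranking == "Extreme" else RATING[(ranking, score)]
    return score, ranking, rating, control_rating(rating)


if __name__ == "__main__":
    # Consumer-loan scenario from the slides: Moderate impact, Unlikely (L1) likelihood.
    print(assess("M", "L1"))            # (6, 'Moderate', 5, 'Acceptable')
```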
RISK CONTROL RATING, Example: Consumer Loan
(Columns per risk type: Credit, Market, Liquidity, Operation, Legal, Reputation, Strategic, Compliance; the per-column ratings are only partly legible in the transcript. Rating and description per component:)
Control Environment: rating 2, Strong
Risk Assessment: rating 5, Acceptable
Control Activities: rating 6, Acceptable
Information & Communication: rating 5, Acceptable
Monitoring: rating 2, Strong
Risk Control System: rating 4, Acceptable
RISK PROFILE, Example: Consumer Loan

Description           Composite    Credit       Market   Liquidity   Operation    Legal    Reputation   Strategic   Compliance
INHERENT RISK         Moderate     Moderate     n/a      n/a         Moderate     Low      Low          Low         Low
RISK CONTROL SYSTEM   Acceptable   Acceptable   n/a      n/a         Acceptable   Strong   Strong       Strong      Acceptable
RESIDUAL RISK         Moderate     Moderate     n/a      n/a         Moderate     Low      Low          Low         Low