Risk Based Internal Audit in Banks - Bulentsenver.com

1 Risk Based Internal Audit in Banks March 9, 2015 Page 2 Agenda 1. Principles of Risk Based Internal Audit 2. Methodology 3. Risk Assessment 4. Annual Plan 5. Audit Engagement 6. Reporting 7. Benefits of Risk Based Audit Page 3 1. Principles of Risk Based Internal Audit Risk: The probability of occurring an event having effects on achievement to objectives. Risk has 4 components: q Event q Effect q Likelihood q Result Risk Management: The process of identification of potential cases, assessment, managing and controlling in order to realize institution s objectives, for providing acceptable assurance.

2 Identification Classification Prioritization Measuring Risk Assessment Process Page 4 1. Principles of Risk Based Internal Audit Risk Assessment Process q A risk assessment is an effort to identify, measure, and prioritize risks organization faces, so that Internal Audit activities are focused on the auditable areas with the greatest significance. q Through the risk assessment process, it is able to develop a risk- Based Internal Audit Plan. Risk Assessment Goals q Inform senior management and the Board of Directors on risk assessment process.

3 Q Get to know your client needs. q Develop a project plan, timeline, and agree upon deliverables. q Provides a framework for assessing and prioritizing risks . Page 5 1. Principles of Risk Based Internal Audit What is risk Based Internal Audit ? The Institute of Internal Auditors defines Risk Based Internal Auditing (RBIA) as: a methodology that links Internal auditing to an organization s overall risk management framework that allows Internal Audit to provide assurance to the board that risk management processes are managing risk effectively, in relation to the risk appetite Page 6 2.

4 Methodology Assessing Risk Annual Plan Audit Engagement Reporting Page 7 Evaluate the level of risk for each auditable area. Risk factors to consider include: Materiality Complexity of Process Business Environment Exposure to Loss Regulatory Environment 3. Risk Assessment Page 8 Identify potential areas for Internal auditing through discussions with key management and review of documentation. Key risks should be taken into account. Interview executive, senior management, middle management, and Board of Directors / Audit Committee.

5 Review financial statements, strategic plans, budgets, policies and procedures, code of conduct, and other entity related information. Review industry information. Facilitate risk assessment sessions with management. 3. Risk Assessment Page 9 Sample Heat Map 3. Risk Assessment Page 10 4. Annual Plan Establishing the Risk Based Internal Audit Plan According to IIA standards, a risk Based Internal Audit plan should satisfy the following issues: q The Internal Audit activity s plan of engagements must be Based on a documented risk assessment, undertaken at least annually.

6 The input of senior management and the board must be considered in this process. q The chief Audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for Internal Audit opinions and other conclusions. q The chief Audit executive should consider accepting proposed consulting engagements Based on the engagement s potential to improve management of risks , add value, and improve the organization s operations. Accepted engagements must be included in the plan.

7 Page 11 4. Annual Plan In Turkey, regulations of Banking Regulation and Supervision Agency necessitate the following conditions for an efficient Internal Audit system: q Annual risk assessments that consider all business units and operations of the bank shall be made. q An annual Audit plan shall be established conveniently to the results of risk assessments. q Annual Audit plan shall be approved by the Board. Page 12 Annual Audit Plan is determined by evaluation of q Risk matrix, q Risk Matrices of Subsidiaries (If applicable) q Risk level of activities q Risk Indicators & Dynamic Risk Assessment q Contemporary conditions and expectations q Feedbacks of Board of Directors, Audit Committee & Senior Management, etc.

8 Audit Committee (Approval) Board of Directors (Approval) Regulatory Authority (for information purposes only) Internal Audit Department SAMPLE Audit PLAN PROCESS 4. Annual Plan Page 13 * A risk rating model can be used to define ideal Audit periods. A risk rate can be given to each auditable entity from 1-High Risk to 5-Low Risk . Identifying the Auditable Entities The Bank s Risk Matrix Risk Level of Bank s Activities Corporate Finance Trading and Sales Retail Banking Credit Extension Deposit Collection and Investment Products Retail Banking Operations Retail Brokerage Commercial Banking Credit Extension Deposit Collection and Investment Products Commercial Banking Operations Payment and Settlement Agency Services Asset Management Mergers and Acquisitions Insurance Services Information Systems Human Resources Legal Proceedings New

9 Technologies Risk Indicators Risk Assessment Reports Importance Level* Audit Period Audit PLAN Identify Key risks Define Audit Universe Perform Risk Ranking Audit Plan 4. Annual Plan Sample Risk Assessment Process: Bank Example Page 14 4. Annual Plan Sample Risk Based Annual Plan Audit Cycle / Area Aggregate Risk from Risk Assessment Matrix Audit Frequency (1, 2, or 3 year rotation) Year - 1 Year - 2 Year - 3 LENDING OPERATIONS Commercial Loans M 2 X X Consumer Loans M 2 X Real Estate Loans M 2 X X Credit Administration H 1 X X X Secondary Marketing L 3 X TREASURY MANAGEMENT Securities M 2 X X Cash Management L 3 X Asset/Liquidity Management M 2 X X Wire Transfer H 1 X X X Automated Clearing House H 1 X X X Borrowings and Repurchase Agreements L 3 X ACCOUNTING AND FINANCIAL REPORTING General Accounting M 2 X X Financial Reporting M 2 X

10 DEPOSIT OPERATIONS M 2 X BRANCH OPERATIONS M 2 X X BANK ADMINISTRATION Human Resources M 2 X X Payroll L 3 X Purchasing L 3 X Insurance Coverage M 2 X X High (H); Medium (M); Low (L) Page 15 Subjects reviewed during the Audit engagements vary according to the work performed by those units. According to the model, controls should provide tenable assurance about the following 4 issues. In the Audit engagement controls on these issues are tested. Efficiency of workflows, Evaluation of capacity usage, Over/under employment.