
RISK-BASED INTERNAL AUDITING (RBIA)
CA. Sunil Pokhrel
Deputy Chief
Internal Audit Department, RBBL
INTRODUCTION TO AUDITING
• “An audit is Independent Examination and Evaluation of Financial Information of any entity, whether profit oriented or not, and irrespective of its size or legal form, when such an examination is conducted with a view to expressing an Opinion thereon.” - Institute of Chartered Accountants of India
INTERNAL AUDITING
• “Internal auditing is an Independent, Objective Assurance and Consulting activity designed to add value and improve an organization's operations.
• It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of Risk Management, Internal Control and Governance process.” - Institute of Internal Auditors
Compliance Based Internal Auditing :
• Compliance was where the internal auditing function began.
• Focus on whether circulars, manuals, directives, rules & regulations are followed.
• It is still valid but limited in scope, because an organization cannot grow in this competitive market even after complying with all rules & regulations.
System Based Internal Auditing
• Mostly adopted by modern internal auditing.
• Evaluating system & process rather than balances, transactions and supporting documents of any branches or departments.
• Reviewing the activity across the organization - “From Cradle To Grave”.
“We will not get credit for only criticizing the past when management are facing the challenges of the future.”
Risk Based Internal Auditing
• It builds on system based auditing, focusing on the areas of highest risk to the organization.
• The key issue in Risk Based Internal Auditing is Looking Forward and not backward.
• It requires a demonstration of greater knowledge of the Business & allows a much broader level of assurance to be given to Top management & Board.
Why Risk ?
• “An organization that understands its Risk, understands its Opportunity”.
1. If an organization doesn’t know its risk, it doesn’t know the risk it can accept.
2. If it doesn’t know the risk it can accept, it doesn’t know the risk to take.
3. If it doesn’t know the risk to take, it doesn’t know how to grow.
4. If it doesn’t know how to grow, it will fade away.
What is Risk ?
Risk is the Negative Impact of the exercise of a Vulnerability, considering both Probability and the Impact of Occurrence.
What is Risk Management ?
• Risk Management is the process of Identifying Risk, Assessing Risk and taking steps to reduce Risk to an Acceptable Level.
• Risk Management is the sole responsibility of Management.
Risk Management Framework
• Identification of Risk
• Measurement of Risk
• Mitigation of Risk
• Revaluation/Reassessment
(Areas: Credit Risk, Operational Risk Including IT Risk, Liquidity Risk, Interest Rate Risk, Legal Risk etc.)
Identification of Risk :
• Knowledge of the Business/System Process
• Threat Identification
• Vulnerability Identification
Measurement of Risk :
• Likelihood Determination
• Impact Analysis
• Risk Determination
IT Risk ... how to know ?
• Part of Operational Risk Management
• Major Asset of Bank : Data & Information
1. Loss of Integrity
2. Loss of Availability
3. Loss of Confidentiality
Response to Risk :
• Tolerate : Do nothing, but a contingency plan is needed.
• Transfer : Pass the Risk to another party, e.g. Insurance.
• Terminate : Remove/Reject the circumstances.
• Treat : Implement a system of Internal Control & Risk Mitigation factors.
Revaluation & Reassessment
WHY RBIA ?
• Stakeholders, including investors and other interested bodies, now expect that this Risk Management Framework is operating effectively.
• Just as External Auditors provide confirmation concerning the true & fair view of Financial Statements, so Internal Auditors provide confirmation on Risk Management.
Approach to RBIA
• It requires a Pre-Audit Risk Assessment; for example, Branches or Activities can be divided into 3 categories (I, II & III) on the basis of High, Medium & Low Risk.
• Prioritization of audit areas and allocation of audit resources in accordance with the Risk Assessment.
Approach to RBIA
| S. N. | Audit Conclusion | Reporting Responsibility |
|---|---|---|
| 1 | When Risk Management System is adequate & operating effectively | Provide Assurance |
| 2 | When Risk Management System is not adequate or not operating effectively | Provide Consultancy |

But Be Aware :
Never take the responsibility of Risk Management.
Management should not rely on Internal Audit for Risk Management Process.
Most Recent Issues:
• Many banks with a combination of :
• Compliance with rules, regulations & policy
• Sufficient Internal Control
• Sufficient Risk Management System
should be sound and competent banks ...
BUT ... have turned into Problem Banks ... and even went into Liquidation.
Why ?
Failure in Corporate Governance
Governance Based Internal Auditing
• Governance means the morals, ethics, intentions, culture, values and attitude of the Top management & Board.
• Its focus is to assure that there is good governance in the organization.
• It is the most recent development in the role of internal auditing.
Evolution in Internal Auditing

| S. No. | Focus | Before Year 2000 A.D. | By Year 2005 A.D. | After Year 2010 A.D. |
|---|---|---|---|---|
| 1. | Compliance Based | 70 % | 30 % | 5 % |
| 2. | System Based | 20 % | 40 % | 20 % |
| 3. | Risk Based | 9 % | 25 % | 50 % |
| 4. | Governance Based | 1 % | 5 % | 25 % |
| | Total | 100 % | 100 % | 100 % |
Evolution in Internal Auditing :
Compliance Based Internal Auditing
System Based Internal Auditing
Risk Based Internal Auditing
Governance Based Internal Auditing
ANY QUESTIONS ?
THANK YOU
