RISK BASED INTERNAL AUDITING

Transcription

1 IMPLEMENTATION of RISK BASED INTERNAL AUDITING Inawaty Suwardi Head of Internal Audit IKATAN AKUNTAN INDONESIA "Towards a Greater Transparency and Accountability" Jakarta, November 2006

2 Current Definition of Internal Auditing An independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes RBIA - Kongres X IAI

3 Risk Based Internal Auditing Risk Based Internal Auditing is an approach that can help to meet those requirements The Standards for the Professional Practice of Internal Auditing and the associated Practice Advisories emphasize adopting a Risk-based approach to internal auditing RBIA - Kongres X IAI

4 PERFORMANCE STANDARDS 2010.A1 The internal audit activity s plan of engagements should be based on a risk assessment, undertaken at least annually A1 Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization s governance, operations, and information systems A1 When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment. RBIA - Kongres X IAI

5 Objectives of Risk Based Internal Auditing To provide independent assurance to the board, that: The risk management processes are operating as intended These risk management processes are of sound design The responses to risks are both adequate and effective in reducing those risks to a level acceptable to the board A sound framework of controls is in place to sufficiently mitigate those risks RBIA - Kongres X IAI

6 The Practice of RBIA The key starting point is to determine that appropriate objectives have been set to determine whether the business has an adequate process for identifying, assessing and managing the risks that impact on the achievement of these objectives RBIA - Kongres X IAI

7 The Practice of RBIA. The extent to which internal audit needs to undertake its own risk assessment depends upon the risk management maturity within an organization RBIA - Kongres X IAI

8 Risk Maturity Risk Naïve Risk Aware Risk Defined Risk Managed Risk Enabled The Practice of RBIA. Risk Management Continuum Source : IIA UK/Ireland Key Characteristics No formal approach developed for risk management Scattered silo based Approach to risk management Strategy and policies in place and communicated Risk Appetite defined Enterprise wide approach To risk management Developed and communicated Risk management and Internal control fully embedded Into the operations Internal Audit Approach Promote risk management and rely on audit risk assessment Promote enterprise wide Approach to risk management and rely on audit risk assessment Facilitate risk management/liaise with risk management and use management assessment of risk when appropriate Audit risk management processes and use management assessment of risk as appropriate Audit risk management processes and use management assessment of risks as appropriate RBIA - Kongres X IAI

9 The Practice of RBIA The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by risk appetite) or to facilitate and/or agree improvements as necessary RBIA - Kongres X IAI

10 RISK BASED INTERNAL AUDITING How We Do It in

11 Functional Activitis BANK RISK PROFILE Credit Risk Market Risk Liquidity Risk Inherent Risk Operational Risk Legal Risk Reputation Risk Strategic Risk Compliance Risk Composit Risk Credit Low Low Low Low Low Low Low Low Treasury & Investment Moderate Low Low Low Low Low Moderate Low Low Operational & Services Low Low Low Low Low Low Trade Finance & Bank guarantee Low Low Low low Low Low Low Funding Low low Low Low Low IT & MIS Low Low low Low Low HRM low Low Low Low Low Aggregate Inherent Risk Moderate Low Low Low Low Low Low Low Low RISK CONTROL SYSTEM Board and senior management Oversight Strong Strong Strong Strong Strong Strong Strong Strong Strong Policies, Procedures & Limit Acceptable Strong Strong Acceptable Strong Strong Strong Strong Strong Risk Assessment, measurement & MIS Acceptable Strong Strong Acceptable Strong Strong Strong Strong Strong Internal control Strong Strong Strong Acceptable Strong Strong Strong Strong Strong Agregate Risk Control System Strong Strong Strong Acceptable Strong Strong Strong Strong Strong Composit Risk Moderate Low Low Low Low Low Low Low RISK RATING Low Prepared by Risk Management Unit, validated by Internal Audit, submitted quarterly to BI RBIA - Kongres X IAI

12 Risk Profile. Components The eight types of Risk 1. Credit Risk 2. Market Risk 3. Liquidity Risk 4. Operational Risk 5. Legal Risk 6. Reputation Risk 7. Strategic Risk 8. Compliance Risk Four Elements of Risk Control System 1. Board & Senior Management Oversight 2. Policies, procedures and Limit structure 3. Risk measurement, monitoring & management reporting system 4. Internal Control RBIA - Kongres X IAI

13 RISK BASED AUDIT APPROACH in BCA Annual Audit Planning (Macro Risk Assessment) Individual Engagement Planning (Micro Risk Assessment) Performing Risk-Focused auditing Rating the Risk Control System RBIA - Kongres X IAI

14 MACRO RISK ASSESSMENT Identification, measurement and prioritization of audit areas Is used to create the annual audit plan Helps to allocate audit resources to the most important aspects of the enterprise RBIA - Kongres X IAI

15 Macro Risk Assessment Process 1. Define the Audit Universe 2. Assess each of the auditable unit/area with respect to: Level of the inherent risks in each of the eight inherent risks by business activity (liaise with Risk Management Unit) Previous audit rating & time lapsed since last audit 3. Develop the Annual Audit Plan based on the Ranked Audit Universe 4. Seek for approval from the President Director and Board of Commissioner RBIA - Kongres X IAI

16 Macro Risk Assessment Process Audit Universe Auditable Unit Head Office Regional Office 23 Business & Supporting functions / units 12 Regional Offices Branches 118 Main Branches 665 Sub Branches Subsidiary Companies 3 Subsidiaries RBIA - Kongres X IAI

17 Micro Risk Assessment The primary focus of RBIA is to provide reasonable assurance to the Board and Top management about the adequacy and effectiveness of the risk management and control framework in the bank s operation While examining the effectiveness of control framework, the RBIA should report on proper recording and reporting of major exceptions and excesses. Transaction testing would continue to remain an essential aspect of RBIA The extent of transaction testing will have to be determined based on the risk assessment The Micro Risk Assessment is done at the planning stage of an individual audit engagement RBIA - Kongres X IAI

18 MICRO RISK ASSESSMENT RISK PROFILE MATRIX RISK CONTROL SYSTEMS STRONG ACCEPTABLE WEAK HIGH Moderate to high aggregate risk Limited review High aggregate risk Limited Review High aggregate risk Full-scope Review required INHERENT BUSINESS RISK MODERATE Low to moderate aggregate risk Limited review Moderate aggregate risk Limited review Moderate to high aggregate risk Full scope review required LOW Low Aggregate risk Low aggregate risk Low to moderate aggregate risk No review required No review Required Limited review RBIA - Kongres X IAI

19 OVERVIEW MICRO RISK BASED AUDIT APPROACH AUDIT PLANNING FIELDWORK REPORTING Risk Assessment Audit Program / Tools Assessment of Internal Control, Risk Mgt, Corporate Governance AUDIT RATING Risk Identification Risk Measurement Prioritization Preliminary Fieldwork Procedures Design (Adequacy) Application (Effectiveness) Risk Profile RISK PROFILE MATRIX ( Audit focus ) RISK CONTROL ASSESSMENT TOOLS OBSERVATIOS/ FINDINGS ( Residual risk) Audit Report RBIA - Kongres X IAI

20 RISK FOCUSED EXAMINATION Identification of inherent business risks in various activities undertaken by business activities Evaluation of the effectiveness of the control systems for the monitoring of the inherent risks of the business activities Assign Risk Based Rating to the Control System RBIA - Kongres X IAI

21 Risk Based Rating Finding/ Observation Risk Scenario Generation Control Risk Ranking & Score Risk Control Rating Breach of Key Control 8 types of risk If it s operational risk, refer to Loss Event type classificati on (Basel) Impact : L2,L1,M,H1,H2 Likelihood : L2,L1,M,H1,H2 Extreme, High, Moderate, Low Score: 1,2,3,4,5,6,8, 9, 10,12,15,16,20, 25 Very strong, strong, acceptable, weak, Very weak Rating : 1-10 RBIA - Kongres X IAI

22 Loss Event type classification Event Type Internal Fraud External Fraud Employment Practices and workplace safety Clients, Products & Business Practices Categories Unauthorized activity Theft & Fraud Theft and Fraud Systems Security Employee Relations Safe Environment Diversity & discrimination Suitability, Disclosure & Fiduciary Improper Business or Market Practices Product Flaws Activity Examples Transaction not reported, Trans type unauthorized, Mismarking of position Fraud/credit fraud/worthless deposits, Theft/extortion /embezzlement/ robbery Misappropriation of assets, Malicious destruction of assets Forgery, Check kiting, smuggling, Bribes/ kickbacks, etc Theft/ Robbery, Forgery, check kiting Hacking damage, theft of information Compensation, benefit, termination issues. Organized labour activity General liability. Employee health & safety rule events. Workers compensation All discrimination types Fiduciary breaches/guidelines violations Suitability/disclosure issues (KYC etc) Retail consumer disclosure violations Breach of privacy, Aggressive sales, lender liability, etc Antitrust, improper trade/market practices Market manipulation, insider trading, etc Product defects, model errors Selection, Sponsorship & Exposure Advisory activities Failure to investigate client per guidelines Exceeding client exposure limits Disputes over performance of advisory activities RBIA - Kongres X IAI

23 Loss Event type classification Event Type Damage to Physical assets Business Disruption and system failures Execution, Delivery & process management Categories Disasters and other events Systems Transaction Capture, Execution & Maintenance Monitoring & reporting Customer Intake and Documentation Customer/Client Account management Trade Counterparties Vendors & Suppliers Activity Examples Natural Disaster losses Human losses from external sources (terrorism, vandalism) Hardware Software Telecommunications Utility outage/disruptions Miscommunication Data entry, maintenance or loading error Missed deadline or responsibility Collateral management failure etc Failed mandatory reporting obligation Inaccurate external report (loss incurred) Client permissions/disclaimers missing Legal documents missing / incomplete Unapproved access given to accounts Incorrect client records (loss incurred) Negligent loss or damage of client assets Non client counterparty misperformance Misc. non client counterparty disputes Outsourcing Vendor disputes RBIA - Kongres X IAI

24 Example of Scenario Generation Case : Consumer loan processing Observation The weakest step among the processing flow is registration of collateral because it has no system support, no standardized documents There has been one error recorded (but no financial loss) in the last 5 years Operation volume is approximately new loan /year with the average amount of Rp 1 billion Generated Scenario Risk Factor : Processing Risk Loss Event : Transaction capture, Execution & maintenance Description of scenario: Due to an insufficient system support and complicated documents, a staff forgets to register the collateral of loan. As a result, the bank cannot reimburse the loan from the collateral Loss Severity : Rp 3 billion (considering the analysis of loan amount distribution) Loss Frequency : once in 5 years (considering the analysis of historical loss frequency) Scenarios are generated based on the result of the qualitative assessment. Factors such as the identified control weakness, internal loss experience, business environment, and relevant industry loss experiences, are taken into consideration in generating the scenario RBIA - Kongres X IAI

25 Generated Scenario Mapping to Control Risk Ranking & Score Matrix Impact : Moderate (M) Likelihood : Unlikely (L1) Score 6 = MODERATE Mapping to Table of Risk Control Rating Moderate Impact & Low 1 Likelihood (score = 6) Risk Control rating for the process is 5 = ACCEPTABLE RBIA - Kongres X IAI

26 CONTROL RISK RANKING & SCORE Almost Certain H2 Moderate 5 High 10 Extreme 15 Extreme 20 Extreme 25 Likely H1 Moderate 4 High 8 High 12 Extreme 16 Extreme 20 Likelihood Possibl M Unlikely L1 Low 3 Low 2 Moderate 6 Low 4 High 9 Moderate 6 Extreme 12 High 8 Extreme 15 Extreme 10 Rare Low Low Moderate High High L Low Minor Moderat Major Critical L2 L1 M H1 H2 Impact RBIA - Kongres X IAI

27 RISK CONTROL RATING Control Risk Extreme Low Control Risk Rating Risk Control Ranking Score Impact Likelihood System (RCS) Low 1 Low 2 Low2 1 Very Strong Low 2 Low 2 Low1 1 Very Strong Low 2 Low 1 Low2 1 Very Strong Low 3 Low 2 Moderate 2 Strong Low 4 Low 1 Low 1 2 Strong Moderate 3 Moderate Low 2 3 Acceptable Moderate 4 Low 2 High1 3 Acceptable Moderate 5 Low 2 High 2 4 Acceptable Moderate 6 Low 1 Moderate 5 Acceptable Moderate 6 Moderate Low1 5 Acceptable High 4 High 1 Low 2 6 Weak High 5 High 2 Low 2 6 Weak High 8 High 1 Low1 7 Weak High 8 Low 1 High1 7 Weak High 9 Moderate Moderate 8 Weak High 10 Low 1 High 2 9 Weak High 12 Moderate High1 9 Weak Extreme 10 High 2 Low 1 10 Very Weak Extreme 12 High 1 Moderate 10 Very Weak Extreme 15 Moderate High2 10 Very Weak Extreme 15 High 2 Moderate 10 Very Weak Extreme 16 High 1 High1 10 Very Weak Extreme 20 High 1 High2 10 Very Weak Extreme 20 High 2 High1 10 Very Weak Extreme 25 High 2 High2 10 Very Weak Control Effectiveness Very Weak Very Strong RBIA - Kongres X IAI

28 RISK CONTROL RATING Example: Consumer Loan Description Risk Control Rating RISK CONTROL RATING Credit Market Liquidity Operation legal Reputation Strategic Compliance Control Environment 2 Strong Strong Strong Strong Risk Assessment 5 Acceptable Acceptable Strong Control Activities 6 Acceptable Acceptable Acceptable Information & Communication 5 Acceptable Strong Acceptable Monitoring 2 Strong Strong Risk Control System 4 Acceptable RBIA - Kongres X IAI

29 RISK PROFILE Example: Consumer Loan DESCRIPTION COMPOSITE RISK CONTROL Credit Market Liquidity Operation Legal Reputation Strategic Compliance INHERENT RISK Moderate Moderate n/a n/a Moderate low Low low Low RISK CONTROL SYSTEM Acceptable Acceptable n/a n/a Acceptable Strong Strong Strong acceptable RESIDUAL RISK Moderate Moderate n/a n/a Moderate low low low low RBIA - Kongres X IAI

30 RBIA - Kongres X IAI