
The Institute of Chartered Accountants of India
(Set up under an Act of Parliament)
Committee on Internal Audit

Technical Guide on Risk-based Internal Audit in Banks

The basic draft of this Technical Guide was prepared by Sh. Nagesh D Pinge and Sh. Srinivas Yanamandara. The views expressed in Technical Guide are those of the authors and may not necessarily be the views of the organization they represent.

© The Institute of Chartered Accountants of India
All rights reserved
No part of this Technical Guide may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior permission, in writing from the publisher.

First Edition: November 2005
ISBN: 81-88437-73-5
Price: Rs. 150
E-mail: cia@icai.org
Website: http://www.icai.org

Published by
Vijay Kapur, Additional Director (Special Grade)
The Institute of Chartered Accountants of India
'ICAI Bhawan'
Indraprastha Marg
New Delhi - 110 002
INDIA

Cover & Illustrations
Narendra Bhola

Design & Realisation
Sterling Preferred Printing

Foreword

The banking industry has always thrown up newer opportunities and challenges, be it the statutory audits or other assignments such as concurrent audits or internal audits etc. The dynamic environment in which this industry operates requires the members to not only use their existing skill sets to the best of their ability but also keep the same sharp enough at all times to effectively turn those challenges into opportunities. The introduction of risk-based internal audit system in banks by the Reserve Bank of India is one such opportunity in the form of a challenge for the members to contribute towards the resilience and stability of the banking industry in India.

The risk-based internal audit in banks, as against the conventional concurrent audit or internal audit in banks, is focused at improving the risk management system in banks, necessitated on account of involvement of large amount of public and government monies. Given the fact that even the implementation aspect of the risk-based internal audit system in the banking industry is in nascent and learning stages, it is necessary that our members take an initiative to properly understand the intricacies or typicalities in carrying out a risk-based internal audit and help not only the system to take firm roots in the industry but also the industry to derive maximum benefit out of the system.

I am therefore, happy to note that the Committee on Internal Audit has decided to bring out this Technical Guide on Risk-based Internal Audit in Banks for the guidance of the members. I am sure that the Committee will continue to bring out more of such topical publications for the benefit of the members.

Kamlesh S. Vikamsey
President
27th October, 2005
New Delhi

Preface

The banking industry in India is in a state of continuous growth and expansion, making its presence felt in all spheres of economic growth, domestic as well as global. Such marked presence at the domestic as well as international front makes it quintessential for the banking industry to benchmark with the international standards to ensure credibility, resilience as also transparency in its working in both domestic as well as international arena. Establishment of risk-based Internal Audit Systems is one such measure recommended by the Basel Committee on Banking Supervision.

The Reserve Bank of India made a beginning in this direction by issuing a circular in August 2001 requiring the banks to take necessary steps to establish a risk-based internal audit system in banks. Over the period, the regulator also brought out detailed circulars, guidance notes etc., dealing with the topic of Risk-based supervision of banks. Implementation of risk-based supervision system in banks has led to the need for a system of risk-based internal audit in banks. The new system requires the chartered accountants not only to hone their existing skills but also acquire new knowledge and skills to appropriately understand the complexities of the system and make the best possible use of their knowledge and expertise to help the banking industry reap maximum benefits of the system.

In view of the above, the Committee on Internal Audit has brought out this publication, "Technical Guide on Risk-based Internal Audit in Banks" to help the members understand the fundamentals of the system. The Technical Guide is divided into four chapters. Chapter 1, Introduction, deals with aspects such as cost benefit analysis, key audit decisions such as frequency, scope, timing, size of team etc., advantages, Risk-based internal audit system vis-à-vis risk management function. Chapter 2, Steps in Risk-based Internal Audit, including risk matrix and a case study. Chapter 3 deals with other significant considerations relating to Risk-based Internal Audit in Banks and lastly, The Way Ahead. The Technical Guide also contains appendices containing the relevant circulars of the Reserve Bank of India.

I must, at this juncture, express my deep gratitude to Shri Nagesh D Pinge, Senior General Manager and his colleague Shri Srinivas Yanamandara, ICICI Bank Limited who volunteered to squeeze time out of their pressing pre-occupations to share their wealth of knowledge and experience with us and prepared the near perfect basic draft of the Technical Guide at such short notice. The practical and clear approach of the Technical Guide definitely reflects years of hands on experience and grasp of the authors in the area. Further, I am also thankful to my colleagues at the Committee on Internal Audit for providing valuable guidance on making the Technical Guide more useful. I also wish to express my appreciation for the support of Shri Vijay Kapur, Additional Director (Board of Studies), Smt. Puja Wadhera, Secretary, Committee on Internal Audit and Shri Nitin Singhal, Executive Officer in finalisation of the publication.

I am sure that the members would find the Technical Guide immensely useful in understanding and implementing the concept of Risk-based Internal Audit in Banks.

Amarjit Chopra
Chairman
Committee on Internal Audit
27th October, 2005
New Delhi

Contents

Foreword
Preface
Chapter 1: Introduction
Chapter 2: Steps in Risk-based Internal Audit of Banks
Chapter 3: Other Considerations
Chapter 4: The Way Ahead

Appendices
I. RBI's Discussion Paper: Move Towards Risk-based Supervision of Banks
II. RBI's Circular of December 2002: Risk-based Internal Audit
III. RBI's Circular of February 2005: Implementation of Risk-based Internal Audit in Banks

Chapter 1
Introduction

Background

1.1 During the recent years, the supervisory function of the Reserve Bank of India (RBI), the banking regulator in India, is increasingly getting risk focused and the RBI has expressed its intention to move towards risk-based supervision (RBS) of banks. Towards this end, the RBI published a discussion paper in August, 2001, 'Move Towards Risk-based Supervision of Banks', describing the scope of the RBS of banks. The discussion paper is given as Appendix I to the Technical Guide.

1.2 Under the RBS, the RBI would focus its supervisory attention on the banks in accordance with the risk profile of each bank determined by RBI. Each bank under the proposed RBS framework of RBI is expected to prepare a risk profile of its own, taking into account the various risks to which the bank is exposed. The risk profile of the bank would determine the supervisory programme comprising off-site surveillance, targeted on-site inspections, structured meetings with banks, commissioned external audits, specific supervisory directions and new policy action, as warranted. Thus, RBS requires adequate preparatory steps both at the RBI level as well as at the level of individual commercial banks.

1.3 RBI has indicated the following five areas of bank level preparation for successful implementation of the RBS framework:
- Setting up of risk management architecture
- Adoption of risk focused internal Audit
- Strengthening of management information system and information technology
- Addressing Human Resources Department (HRD) issues
- Setting up of a compliance unit.

1.4 Subsequently, in December 2002, RBI issued a guidance note on the risk-based internal audit function in the banks, detailing the steps required to be adopted therefor. The said guidance note is given as Appendix II to the Technical Guide. Further, in February 2005, RBI issued a circular reiterating the importance of the risk-based internal audit in banks. RBI, through the said circular, has advised the banks as to preparation of the Risk Audit Matrix based on the risk focused approach, enabling the banks to move towards the advanced approaches for determining capital charge for the operational risk under the proposed Basel II International Capital Adequacy framework. The text of the circular is given in Appendix III to this Technical Guide.

1.5 The objective of this Technical Guide is to provide guidance to the members of the Institute, handling the internal audit function, specifically in banking industry, as to the steps involved in the risk-based internal audit in banks.

Internal Audit - Definition, Objectives and Scope

1.6 Preface to the Standards and Guidance Notes on Internal Audit, issued by the Institute of Chartered Accountants of India defines the term "internal audit" as:

"Internal audit is an independent management function which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity's strategic risk management and internal control system."

1.7 Further, paragraph 8 of the Auditing and Assurance Standard (AAS) 6, Risk Assessments and Internal Control, issued by the Institute of Chartered Accountants of India, clarifies that internal audit "constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operated".

1.8 A careful analysis of the above reveals that the scope of the internal audit, ordinarily, includes:
- Examination and evaluation of the adequacy and effectiveness of the internal control systems
- Review of the application and effectiveness of risk management procedures and risk assessment methodologies
- Review of the management and financial information systems, including the electronic information systems
- Review of the accuracy and reliability of the accounting records and financial reports
- Review of the means of safeguarding assets
- Appraisal of the economy and efficiency of the operations
- Testing of both transactions and the functioning of specific internal control procedures
- Review of the systems established to ensure compliance with legal and regulatory requirements, code(s) of conduct and the implementation of policies and procedures
- Testing of the reliability and timeliness of the regulatory reporting.

Internal Audit in Banks

1.9 The banking industry is special as it involves dealing with public money. The very nature of banking business of dealing with money requires proper checks and balances in place to ensure that the dealings are closely monitored and the risks arising out of the banking business are minimized. Towards this end, the internal audit function in a bank assists the senior management of the bank in providing an objective assurance that all the controls are well designed and effectively operated. The bank's internal audit reports are the primary source of information about the effectiveness of the risk management and internal control systems in the bank. Thus, it can be seen that internal audit has a crucial role to play in a bank's existence and growth and, therefore, needs to be effective. Towards this end, the Basel Committee on Banking Supervision of the Bank for International Settlements has also pronounced certain principles required to be followed for an effective internal audit in banks.

1.10 In India, each bank, normally, has a separate internal audit/inspection department that inspects the bank's functioning periodically and reports to the Audit Committee of the Board of Directors of the bank. Banks are expected to have sufficient resources and invest in training their staff to conduct internal inspections. However, it is also a common practice among banks to outsource the following internal audit/inspection activities:
- Those which are routine in nature.
- Those which are exceptional and/or for which no expertise is available within the bank.
- Those where cost of being carried out in-house would exceed the benefits to be derived therefrom provided that the cost of outsourcing is lesser than the former cost.

Additionally, banks have also either instituted in-house departments for carrying out systems audits or have outsourced this specialized field. Systems Audit focuses on whether the internal procedures and controls are being adhered to at the operational level and whether the existing systems are adequate and commensurate with the requirement of the changing business environment.

1.11 The effectiveness of internal audit function of banks is assessed during the course of on-site inspection by RBI. Supervisory concerns thrown up by internal audit/inspection provide pointers or indicators for on-site inspection of RBI.

Risk-based Internal Audit

1.12 A sound internal audit function plays an important role in contributing to the effectiveness of the internal control system. Until recently, the internal audit system in banks had been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports, integrity, reliability and timeliness of control reports, and adherence to legal and regulatory requirements. However, in the changing scenario, such testing by itself is not sufficient for the purpose of providing an objective assurance on the functioning of internal controls by the internal audit function.

1.13 During recent times, in addition to the traditional risks that the banks are exposed to, the increasing global scale operations of banks, impact of the information technology on the banking systems and processes, have exposed the business of the banks to newer risks. The management of these risks is crucial for the success of any banking organisation. This requires the independent functions such as compliance and internal audit to be more risk focused to ensure that the risks are being identified, assessed and managed effectively on a bank-wide basis. Towards this end, RBI felt that there is a need for widening as well as redirecting the scope of internal audit to evaluate the adequacy and effectiveness of risk management procedures and internal control systems in the banks.

Cost-benefit Analysis

1.14 The argument for the risk-based internal audit can be further supplemented by the cost-benefit analysis of the internal audit function. In this connection, it should be noted that internal audit is invariably a cost center in any organisation. It is, therefore, necessary that the internal audit function develops and implements an effective, long range internal audit plan so that the benefits derived therefrom effectively exceed the costs allocated to the function.

1.15 The primary objective of internal audit is to provide an objective assurance on the functioning of internal controls in the bank. However, there is an inherent risk that the internal audit function may not reveal all the weaknesses in the internal controls. This may lead to risk of losses in terms of fraud, including embezzlement, and misappropriation of assets. To minimize these risks, one suggestive approach is to make the internal audit function more continuous, i.e., audit the different departments more frequently. For example, increase in frequency of internal audit may result in reduction in expected losses but increases the cost of audit function. On the other hand, decrease in frequency of internal audit, though may reduce the costs of audit function, results in risk of frauds and errors leading to financial and other losses to the bank. Thus, the decision to increase the frequency of internal audit should be based on a careful analysis of the trade-off between the cost associated with carrying out frequent internal audits vis-à-vis the expected losses arising out of not carrying out internal audit. This trade-off can be best achieved with the risk-based internal audit, which aims at optimal utilization of internal audit resources with an enterprise-wide risk management perspective.

This can be pictorially depicted as follows:

[Figure: horizontal axis "Frequency of internal audit"; vertical axis "Risk of losses due to non-audit / cost of internal audit resources"; curves AB, CD and EF, with point G marked.]

1.16 In the above diagram, the curve AB denotes the risk curve, which represents that as the frequency of internal audit increases, the risk of non-detection of ineffective internal controls (and consequently the expected losses) decreases. The curve CD denotes the cost curve, which represents that as the frequency of internal audit increases, the costs associated with carrying out internal audit increase. The curve EF denotes the total cost curve (which includes the cost of non-detection of ineffective internal controls in terms of expected losses and the cost of resources allocated to internal audit function), which decreases upto a certain level and thereafter increases. Point G is where the total cost is at its minimum and is ideal for a risk-based scenario.

Key Audit Decisions of a Risk-based Internal Audit

1.17 Keeping the above theoretical background in mind, it is important to note that the risk-based internal audit is an important tool in aiding the management decision in relation to the following aspects of internal audit function.

Frequency of Audit

1.18 The risk-based approach of internal audit assists the management in deciding the frequency of the audit. After undertaking the risk assessment of the auditee units in the audit universe, these units can be categorized on the basis of the risk parameters as high, medium or low risk units. These units can then be subjected to the internal audit at a frequency suited to their risk profile. This can be achieved by subjecting the units with a high-risk profile to internal audit more frequently than the units that exhibit a low-risk profile. Thus, risk assessments of audit units determine the frequency of the internal audit and thus assist in optimal allocation of audit resources.

Scope of Audit

1.19 Scope of internal audit refers to the extent to which the testing of internal controls in an internal audit assignment should be undertaken. As a general principle, high-risk audit units such as treasury division of the bank should be subject to 100% transactions testing. However, units with a relatively low-risk profile activity such as allocation of the lockers to the customers may be subject to a sample testing. In this connection, members are also advised to refer to the Auditing and Assurance Standard (AAS) 15, Audit Sampling, for guidance on using statistical sampling techniques for undertaking audit assignments. However, the sampling technique proposed to be so adopted should first be placed for the approval of the audit committee, if any.

Timing of Internal Audit

1.20 It is a known fact that no internal audit function has the resources to audit all the auditable units simultaneously. Therefore, the third key decision that can be taken using the risk-based internal audit is to ensure that the riskier unit is subject to audit sooner than the less risky audit units. This can be achieved by adoption of a fixed timing policy of internal audit whereby the less risky units are subject to internal audit at known fixed intervals. However, the high-risk audit units can be subject to a random timing policy (where the frequency and timing of audits is unpredictable to the auditable unit). Surprise visits and snap audits, in addition to full-scale internal audit, are components of random timing policy. For auditable units with medium-risk profile, internal audit should be based on conditional timing policy, under which internal audits are scheduled when units exhibit a deterioration of controls or performance along with some key dimension. The deterioration can be observed on the basis of analysis and scrutiny of the key returns on the performance of the auditable unit.
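
The three timing policies described above (fixed, conditional and random), together with the scope rule for high-risk and low-risk units, can be sketched as a small scheduler. This is an added example, not part of the Technical Guide; the AuditUnit and PlanEntry types, the 365-day fixed interval, the 180-day random window, the three-period deterioration rule and the sample scope for medium-risk units are all assumptions made for illustration.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed parameters; the guide gives no figures for any of these.
FIXED_INTERVAL_DAYS = 365      # low risk: known, fixed interval
RANDOM_WINDOW_DAYS = 180       # high risk: surprise audit falls inside this window
DETERIORATION_PERIODS = 3      # medium risk: consecutive falls that trigger an audit


@dataclass
class AuditUnit:
    name: str
    risk: str                      # "high", "medium" or "low" from the risk assessment
    last_audit: date
    # Periodic control/performance indicator taken from the unit's key returns
    # (higher is better). Constructed sample data in this example.
    key_returns: list[float] = field(default_factory=list)


@dataclass
class PlanEntry:
    unit: str
    policy: str                    # "fixed", "conditional" or "random"
    scope: str
    due: Optional[date]            # None means no audit is currently triggered


def deteriorating(returns: list[float], periods: int = DETERIORATION_PERIODS) -> bool:
    """True when the indicator fell in each of the last `periods` intervals."""
    tail = returns[-(periods + 1):]
    if len(tail) < periods + 1:
        return False               # not enough history to call a trend
    return all(later < earlier for earlier, later in zip(tail, tail[1:]))


def plan_unit(unit: AuditUnit, today: date) -> PlanEntry:
    """Apply the timing policy that matches the unit's risk category."""
    if unit.risk == "low":
        due = unit.last_audit + timedelta(days=FIXED_INTERVAL_DAYS)
        return PlanEntry(unit.name, "fixed", "sample testing", due)
    if unit.risk == "medium":
        due = today if deteriorating(unit.key_returns) else None
        # Scope for medium-risk units is not stated in the guide; assumed here.
        return PlanEntry(unit.name, "conditional", "sample testing", due)
    if unit.risk == "high":
        # The date must be unpredictable to the auditee, so draw it from the
        # OS CSPRNG rather than a seedable generator whose output could be
        # reproduced by anyone who learns the seed.
        offset = 1 + secrets.randbelow(RANDOM_WINDOW_DAYS)
        return PlanEntry(unit.name, "random", "100% transaction testing",
                         today + timedelta(days=offset))
    raise ValueError(f"unknown risk category: {unit.risk!r}")


def build_plan(units: list[AuditUnit], today: date) -> list[PlanEntry]:
    """Plan every unit, listing dated audits first, earliest first."""
    entries = [plan_unit(u, today) for u in units]
    return sorted(entries, key=lambda e: (e.due is None, e.due or date.max))


if __name__ == "__main__":
    today = date(2005, 11, 1)
    units = [  # constructed sample units
        AuditUnit("Treasury", "high", date(2005, 6, 1)),
        AuditUnit("Trade finance", "medium", date(2005, 3, 1), [0.92, 0.88, 0.81, 0.74]),
        AuditUnit("Retail branch", "medium", date(2005, 4, 1), [0.90, 0.93, 0.91, 0.94]),
        AuditUnit("Locker allocation", "low", date(2005, 1, 10)),
    ]
    for entry in build_plan(units, today):
        print(entry)
```

The plan for a high-risk unit is the one output that should not be shared with the unit itself, since the random timing policy only works while the date stays unknown to the auditee.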

Size of the Internal Audit Team

1.21 Risk-based internal audit approach assists the management (where the internal audit function is in-house) and the audit firm (where the internal audit function is outsourced) in determination of the size of the internal audit team. If risk factors reflect the management concerns, then they can be used as a basis for establishing the size of the internal audit team appropriate to address the most important audit units.

1.22 To ensure that the cost factors are effectively factored into audit decision and the key audit decisions, as explained above, are more risk-based, banks are advised by the RBI to make a gradual move towards risk-based internal audit system which includes, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures prevailing in various areas of a bank's operations. The implementation of risk-based internal audit would mean that greater emphasis is placed on the internal auditor's role in mitigating risks. While focusing on effective risk management and controls, in addition to appropriate transaction testing, the risk-based internal audit would not only offer suggestions for mitigating current risks but also anticipate areas of potential risks and play an important role in protecting the bank from various risks.

Advantages of Risk-based Internal Audit

1.23 The advantages of risk-based approach of the internal audit function are as follows:
- It appropriately defines the audit universe and identifies the auditable units within the entity for which these analyses would be carried out.
- It assists the management in identification of appropriate risk factors to reflect the management's concerns.
- It results in development of an appropriate format for evaluating risk factors so that the more important risk factors play a more prominent role in the risk assessment process than less important risk factors.
- It develops a combination rule for each audit unit, which will properly reflect its riskiness over several risk factors that have been identified and a method of setting up audit priorities for the audit units.
- It results in appropriate audit coverage plan, which provides a roadmap for the management of internal audit staff skills so that they are available to carry out audits of appropriate scope when they are needed the most.
- This risk-based internal audit results in a process oriented audit with a risk management perspective, which gives advice to management on the steps to be taken for effective risk management on a bank-wide basis.

Risk-based Internal Audit vs. Risk Management Function

1.24 Though both the risk management and the internal audit (risk-based) functions deal with the risk management systems of the bank, it is necessary to distinguish both the functions. The risk management function of a bank focuses on areas such as identification, monitoring and measurement of risks, development of policies and procedures, use of risk management models, etc. Thus, the end result of the risk management function is development of appropriate policies and procedures for effective risk management on a bank-wide basis.

1.25 The concept of risk identification and the assessment is also undertaken under the risk-based internal audit framework of the banks. However, unlike risk management function, the risk-based internal audit, undertakes an independent risk assessment solely for the purpose of formulating the risk-based audit plan keeping in view the inherent business risks of an activity/location and the effectiveness of the control systems for monitoring those inherent business risks.

1.26 The primary difference between the two functions viz., risk management and the internal audit, therefore, is the purpose for which the tool of the risk assessment is used. Under the former function, it is used for development of risk management policies and procedures whereas in the latter function, the same is used for formulation of appropriate risk-based audit plan resulting in optimal usage of internal audit resources on a risk sensitive basis.

1.27 Being an independent and key function in the bank, the risk management department should also be subjected to risk assessment by the risk-based internal audit process and should be audited in accordance with the risk-based audit plan duly approved by the Audit Committee of the Board.

Chapter 2
Steps in Risk-based Internal Audit in Banks

Introduction

2.1 The adoption of the risk-based approach to the internal audit requires the following four major steps to be adopted by the internal auditors:

Step 1. Preparation

2.1.1 The internal auditor should treat the risk-based internal audit assignment as a separate project since it requires significant audit resources and time. For this purpose, it is absolutely essential that the preparation for the project is meticulously planned such that the risk assessment exercises are properly undertaken at a later stage. The output under this step would not only define the size and structure of the internal audit function in the bank, where the bank has an in-house internal audit function or the size of the internal audit team where the internal audit function is outsourced, but also serves as a basis for assignment of clear roles and responsibilities to the participants in the internal audit exercise and communication of the same to them.

Step 2. Identification of auditable units

2.1.2 Identification of auditable units constitutes the second step in the risk-based internal audit. Identification of auditable units is relevant to understand the entire audit universe covered under the scope of the risk-based internal audit. It, thus, leads to the conclusion of the uncovered auditable units and the resultant residual risk of non-audit of those auditable units.

2.1.3 Further, the proposed new capital adequacy framework of RBI (based on the Basel Committee's International Capital Adequacy Framework) also requires identification of business units as a first step in determination of the capital charge required for the operational risk. It would be a prudent decision to combine both the capital adequacy assignment (from an operational risk management perspective) with the risk-based internal audit assignment, as both are complementary to each other.

Step 3. Conduct risk assessment

2.1.4 The next step is to identify the risks and categorize the risks as high, medium and low, depending upon the nature of the risks. Risks in the context of the internal audit of banks can be classified as inherent banking business risks such as credit and market risks. In recent years, given the significant volumes of transactions in the retail portfolio of the bank, a new risk, styled as "operational risk", has emerged gradually. These risks can be mitigated by adoption of risk management and internal control policies and procedures, formulated by the Board of Directors. However, adoption of appropriate policies and procedures still carries a risk called as control risk that is the risk of failure of control policies and procedures in detection of a material risky situation and addressing it appropriately. In addition to identification of the quantum of the risks at this stage, the trend of the risks (increasing, stable, decreasing) is also identified at this stage.

2.1.5 Once the risks are classified under inherent business risks and the control risks, each of the auditable units is to be assessed with reference to the identified risk parameters. For this purpose, it is necessary to categorize the entire banking business as identifiable auditable units, each prone to a different level of a risk.

2.1.6 The objective of the risk assessment process is to draw up a risk-matrix, taking into account both the factors viz., inherent business risks and control risks identified in the earlier step. This risk matrix appropriately places all the auditable units into one among the three categories of risk profiles-high, medium or low.

2.1.7 The internal audit function, whether in-house or outsourced, should have in place, an independent risk assessment system for focusing on the material risk areas and prioritizing the audit work. The methodology may range from a simple analysis of why certain areas should be audited more frequently than others in the case of small sized banks undertaking traditional banking business, to more sophisticated assessment systems in large sized banks undertaking complex business activities.

Step 4. Risk-based internal audit plan

2.1.8 Once the risk matrix is prepared, a risk-based audit plan based on the risk profile of the audit units is prepared. This involves decision to be taken on the frequency, timing and the scope of the internal audit of the auditable unit. These decisions are based on the internal audit priorities and keeping in view the objective of internal audit function as a risk management tool. The risk-based internal audit plan as prepared by the internal audit function of the bank is duly approved by the Audit Committee of the Board of Directors of the Bank.

2.1.9 The above process is diagrammatically represented as follows:

[Flow chart of the four steps]

Step 1. Preparation
- Establish the Project
- Specify Objectives
- Creation of Organisation Structure

Step 2. Identification of Auditable Units
- Identify the auditable units
- Determine the risk of non-audit of unidentifiable auditable units
- Categorize the risks

Step 3. Risk Assessment
- Identify the auditable units
- Conduct risk assessment of auditable unit
- Categorize the auditable unit

Step 4. Risk-based Internal Audit Plan
- Finalization of the risk-based internal audit plan
- Submission and approval from the Audit Committee
2.!.!u faclo tle above steps aie desciibed as ollows:
Preparation

2.1.11 The first step involves the initiation of the risk-based internal audit process at the bank. The idea at this stage is to treat the risk-based audit concept as a distinct project with an objective of formulation of audit plan with more risk focus at the end of the project. For this purpose, it is absolutely necessary at this stage to:
- Establish the project team
- Clarify the roles and responsibilities of the project team
- Scheduling the project tasks
- Communication

2.1.12 Depending upon the size of the bank, the risk-based internal audit project can be handled by a small team of audit professionals or by an individual. While choosing the professionals for this assignment, it should be ensured that they have adequate internal audit and risk management expertise. Few criteria for selection of professionals for this assignment include, experience in conducting risk assessments, audit planning experience and ability to analyze and synthesize a wide range of information.

2.1.13 After choosing appropriate professionals for the assignment, it is important to clarify the roles and responsibilities of the team members of the risk-based internal audit assignment. This involves designation of a senior professional as the project authority, having overall responsibility for the entire project. The team leader would be assisted by the team members who would be responsible for proposing and executing an approach for implementation of the project. The team would have extensive interactions with the senior management of the auditable units who would be responsible for participation in meetings for identification and assessing the key risks faced by the auditable units.

2.1.14 As the project gets started, it is important to ensure that the project is accomplished with tight deadlines and reporting responsibilities. This requires formulation of a project plan and providing the team members with appropriate tools such as policies/procedures, checklists for evaluation and the software, if any, necessary to execute the plan and document the results. Effective planning demands communication of the established approach to all the participant units such that all the members of the team are at the same wavelength.

Identification of auditable units

2.1.15 The next step towards risk-based internal audit is to identify all the activities that are susceptible to the inherent risk. In line with the proposed Operational Risk Management framework enunciated by RBI, the identification of auditable units can be taken at three different levels as follows:
- Level 1 - lists the main business groups such as corporate finance, trading and sales (treasury function), retail banking, commercial banking, etc.
- Level 2 - lists the product teams in these business groups such as transaction banking, trade finance, general banking, cash management services, etc.
- Level 3 - lists out the products offered in these business groups such as import bills, letter of credit, bank guarantee under trade finance, etc.

2.1.16 Identification of the auditable units at the first level itself is required for the purpose of the risk-based audit plan. However, the sub-classification into further levels helps the internal audit team to identify and assess the applicable risks to the auditable unit in a more systematic manner.
Conduct risk assessment

2.1.17 It should be noted that there are two types of risks in banking business in the context of risk-based internal audit. One that is inherent in the business operations of the bank itself, such as the credit, market and operational risk and the other one is the risk that the controls designed to mitigate these risks may not be effective, typically termed as control risk. Thus, inherent business risks indicate the intrinsic risk in a particular area/activity of the bank. Control risks arise out of inadequate control systems, deficiencies/gaps and/or likely failures in the existing control processes.

2.1.18 Hence, while undertaking a risk identification exercise under the risk-based audit programme, one should keep in mind that the risk assessment of an auditable unit is largely based on both the inherent and the control risks and should be judged in combination thereof.

Key Factors Relevant for Risk Assessment

2.2 Before understanding the risk assessment exercise as per the steps enumerated subsequently, it should be borne in mind that the risk assessment is largely determined by factors such as:
- Previous internal audit reports and compliance
- Proposed changes in business lines or change in focus
- Significant change in management/key personnel
- Results of latest regulatory examination report
- Reports of external auditors
- Industry trends and other environmental factors
- Time lapsed since last audit
- Volume of business and complexity of activities
- Substantial performance variations from the budget

Keeping the above factors in mind, the risk assessment exercise can be undertaken using the following steps.

Inherent Business Risks
2.3 Banks are subject to wide variety of risks in the areas of their operation. All of them can be broadly categorized as credit, market and operational risks. Each of these risks are explained as follows:

Credit Risk¹

2.3.1 Credit risk is defined as the possibility of losses associated with diminution in the credit quality of borrowers or counterparties. In a bank's portfolio, losses stem from outright default due to inability or unwillingness of a customer or counter party to meet commitments in relation to lending, trading, settlement and other financial transactions. Alternatively, losses result from reduction in portfolio value arising from actual or perceived deterioration in credit quality. Credit risk emanates from a bank's dealings with an individual, corporate, bank, financial institution or a sovereign. Credit risk may take one or more of the following forms:
- Direct lending: principal and/or interest amount may not be repaid
- Guarantees or letters of credit: funds may not be forthcoming from the constituents upon crystallization of the liability
- Treasury operations: the payment or series of payments due from the counter parties under the respective contracts may not be forthcoming or ceases
- Securities trading businesses: funds/securities settlement may not be effected
- Cross-border exposure: the availability and free transfer of foreign currency funds may either cease or the sovereign may impose restrictions

2.3.2 Credit risk is more relevant to the auditable units where credit lending function is exercised such as the corporate/retail lending function of the banks. The extent of credit risk may also substantially differ from the units which are dedicated to credit sanctions such as the Credit Department where the risk is higher whereas in other functions where credit sanction is incidental to the main function (such as in branches of banks where sanction of loan against deposits is only incidental as per the delegation of financial powers to the branch manager), the credit risk impact might be lower.

¹ Please refer Reserve Bank of India Guidance Note on Credit Risk Management October 12, 2002.
Market Risk²

2.3.3 Market Risk may be defined as the possibility of loss to a bank caused by changes in the market variables. Market Risk is the risk to the bank's earnings and capital due to changes in the market level of interest rates or prices of securities, foreign exchange and equities, as well as the volatilities of those changes. Besides, it is equally concerned about the bank's ability to meet its obligations as and when they fall due. Market risk manifests itself into various forms such as:
- Liquidity risk: Liquidity risk is the potential inability of the bank to meet its liabilities as and when they become due. It arises when the banks are unable to generate cash to cope with a decline in deposits or increase in assets. It originates from the mismatches in the maturity pattern of assets and liabilities.
- Interest rate risk: It is the risk where changes in market interest rates might adversely affect a bank's financial condition.
- Foreign Exchange Risk: It may be defined as the risk that a bank may suffer losses as a result of adverse exchange rate movements during a period in which it has an open position, either spot or forward, or a combination of the two, in an individual foreign currency.

Operational Risk

2.3.4 Operational risk has been defined by the Basel Committee on Banking Supervision as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Operational risk may manifest itself in a variety of ways in banking industry such as internal/external fraud, client/product/business practices, damage to physical assets, business disruption and system failure etc. Examples of various contributing factors for operational risks are as follows:
- People risk: This depends upon the placement, competency of the employees of the bank and the work environment, motivation and turnover/rotation in a bank.
- Process risk: Risk arising out of execution of transactions involving violation of controls, operational disruptions, exceeding of limits, money laundering, non-observance of contractual commitments, etc.
- System risk: This is the combination of both technology risks resulting in system failure, programming error, communication failure, etc., coupled with the MIS risk.
- Legal and regulatory risk: Risk of failing to comply with laws and regulations.
- Reputational risk: The risk of loss of the reputation of the bank in the general public due to the failure to conduct its business upto the standards expected.
- Event risk: Risk of unanticipated changes in external environment other than macro economic factors.

² Please refer Reserve Bank of India Guidance Note on Market Risk Management October 12, 2002.
Control Risk

2.4.1 Once the risks are identified as above, it should be ensured that the bank has appropriate risk management systems in place, which define the control environment and prescribe the control procedures for mitigation of the above risks. In this context, it is relevant to understand the concept of the control environment and the control procedures as risk management tools.

Control Environment

2.4.2 The Auditing and Assurance Standard 6, Risk Assessments and Internal Control defines the term 'control environment' as "the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity". The control environment has an effect on the effectiveness of the specific control procedures and provides the background against which other controls are operated. A strong control environment, for example, one with tight budgetary controls and an effective internal audit function, can significantly complement specific control procedures.

2.4.3 In a banking organisation, the factors reflected in the control environment include:
- Organizational structure of the bank and the methods of assigning authority and responsibility including segregation of duties and supervisory functions
- Role of Board of Directors and its committees in defining control environment and adopting appropriate control procedures
- Management's philosophy and operating style
- Management's control system including the internal audit function, personnel policies and procedures

Control Procedures

2.4.4 The Auditing and Assurance Standard 6, Risk Assessments and Internal Control defines the term 'control procedures' as "those policies and procedures, in addition to the control environment, which the management has established to achieve the entity's specific objectives". In the context of banking organisation, the specific control procedures include:
- Approving and controlling of documents
- Segregation of duties and supervisory functions
- Decision making subject to the 'four eyes' (those of the maker and the checker) concept of management
- Reporting and reviewing of exceptions
- Comparing the internal data with external sources of information
- Restricting direct access to assets, records and information
- Information system controls, which include controls over changes to computer programs and access to data files

2.4.5 As observed above, while the establishment of the control environment is the responsibility of the top management of the bank, designing of appropriate control procedures for mitigation of risks is the responsibility of the risk management department. An independent risk management function, operating in a proactive control environment, designs the control procedures, which are to be implemented on a bank-wide basis.
Internal audit and control risk

2.4.6 The internal auditor, while developing a risk-based internal audit plan should obtain an understanding of the control environment sufficient to assess management's attitudes, awareness and actions regarding internal controls and their importance in the bank. The internal auditor should also obtain an understanding of the control procedures sufficient to develop the risk-based audit plan.

2.4.7 From the point of view of risks, the role of internal audit at this juncture is twofold:
- Ascertaining the inherent risk of the risk management function and identifying the extent of the areas where the control procedures are not established by the risk management function
- Evaluating the risk involved in the control procedures designed for mitigation of risks

Preliminary assessment of control risk

2.4.8 After obtaining an understanding of the control environment and control procedures and having satisfied himself that control procedures are existent in all the auditable units, the internal auditor should make a preliminary assessment of control risk. The preliminary assessment of control risk is the process of evaluating the likely effectiveness of an entity's control environment and the control procedures in managing the inherent business risks. The preliminary assessment of control risk is based on the assumption that the controls operate generally as designed and described and that they operate effectively throughout the period of intended reliance. There will always be some control risk because of the inherent limitations of any internal control system.

2.4.9 The preliminary assessment of control risk should be high unless the auditor is able to identify control procedures relevant to the inherent business risk of an auditable unit and ensuring that control procedures are adequate to mitigate the business risk. When control risk is assessed at less than high, the internal auditor would also document the basis for the conclusions.

2.4.10 At this stage the internal auditor should document the understanding obtained of the bank's control environment and the control procedures. He should also decide whether the situation warrants an independent test of control procedures to be performed for understanding the control risk involved.

2.4.11 Different techniques may be used to document information relating to control environment and procedures. Selection of a particular technique is a matter of the internal auditor's judgment. Common techniques, used alone or in combination, are narrative descriptions, questionnaires, checklists and flow charts. The size and complexity of the auditable unit and the nature of the inherent business risks to which the auditable unit is exposed, influence the form and extent of this documentation. Generally, the more complex the control environment and procedures and the more extensive the internal auditor's procedures, the more extensive the auditor's documentation will need to be.
Tests of control

2.4.12 Wherever necessary, based on the preliminary assessment of control risk, the internal auditor can undertake the tests of control as a one-time exercise to understand the operation of internal controls designed for an auditable unit in a systematic manner. Tests of control may include:
- Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have operated properly, for example, verifying that a transaction has been properly authorised
- Inquiries about, and observation of, internal controls, which leave no audit trail, for example, determining who actually performs each function and not merely who is supposed to perform it
- Re-performance of internal controls, for example, reconciliation of bank accounts, to ensure they were correctly performed by the entity
- Testing of internal control operating on specific computerized applications or over the overall information technology function, for example, access or program change controls

2.4.13 The internal auditor should obtain audit evidence through tests of control to support any assessment of control risk, which is less than high. The lower the assessment of control risk, the more evidence the internal auditor should obtain that internal control systems are suitably designed and operating effectively.

2.4.14 When obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were applied, the consistency with which they were applied during the period and by whom they were applied. The concept of effective operation recognizes that some deviations may have occurred. Deviations from prescribed controls may be caused by such factors as changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. When deviations are detected, the internal auditor makes specific inquiries regarding these matters, particularly, the timing of staff changes in key internal control functions. The auditor then ensures that the tests of control appropriately cover such a period of change or fluctuation.

2.4.15 Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk. The evaluation of deviations may result in the internal auditor concluding that the assessed level of control risk needs to be revised. In such cases, the internal auditor would modify the nature, timing and extent of planned substantive procedures.
Qualitative and quantitative approaches for risk assessment

2.4.16 The basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out through the use of both qualitative and quantitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of controls in various business activities. In order to focus attention on areas of greater risk to the bank, an activity wise and location-wise identification of risk should be undertaken.

2.4.17 In this connection, the principle enunciated in the Auditing and Assurance Standard (AAS) 20, Knowledge of the Business, should be noted which is as follows:

"In performing an audit of financial statements, the auditor should have or obtain knowledge of the business sufficient to enable the auditor to identify and understand the events, transactions and practices that, in the auditor's judgment, may have a significant effect on the financial statements or on the examination or audit report. Such knowledge is used by the auditor in assessing inherent and control risks and in determining the nature, timing and extent of audit procedures."
Risk Matrix

2.4.18 After the inherent and control risks are identified, the auditor should map both the risks to ensure that the combination of both the risks are at an acceptable level. For this purpose, the auditor has to juxtapose the inherent business risks and the control risk in a systematic manner. The resultant scenario determines the risk appetite of a particular audit unit, which is the key input for determination of risk-based audit plan for that particular auditable unit. A typical risk matrix looks as follows:

Risk Matrix

Inherent risk | Control risk: Low | Control risk: Medium | Control risk: High
High          | A                 | B                    | C
Medium        | D                 | E                    | F
Low           | G                 | H                    | I

An explanation of the underlying risk appetite of the above auditable units is as follows:

S. No. | Auditable Unit | Nature of risk | Explanation
1. | A | High Risk | Although the control risk is low, this is a High Risk area due to high inherent business risks.
2. | B | Very High Risk | The high inherent business risk coupled with medium control risk makes this a Very High Risk area.
3. | C | Extremely High Risk | Both the inherent business risk and control risk are high which makes this an Extremely High Risk area. This area would require immediate audit attention, maximum allocation of audit resources besides ongoing monitoring by the bank's top management.
4. | D | Medium Risk | Although the control risk is low this is a Medium Risk area due to medium inherent business risks.
5. | E | High Risk | Although the inherent business risk is medium this is a High Risk area because of control risk also being medium.
6. | F | Very High Risk | Although the inherent business risk is medium, this is a Very High Risk area due to high control risk.
7. | G | Low Risk | Both the inherent business risk and control risk are low.
8. | H | Medium Risk | The inherent business risk is low and the control risk is medium.
9. | I | High Risk | Although the inherent business risk is low, due to high control risk this becomes a High Risk area.

Risk-based Internal Audit Plan

2.5.1 Once the risk assessment exercise is undertaken by the internal auditor and the auditable units are arranged as per the risk matrix as explained above, the next step is to devise the risk-based audit plan detailing out the priorities, nature, timing and extent of internal audit procedures in an auditable unit with reference to the risk categorization of the auditable unit. Internal audit priorities are driven primarily by the need to assess the risk management practices and controls to varying levels of assurance or by a need for advice.

Scope

2.5.2 The precise scope of risk-based internal audit must be determined by each bank for low, medium, high, very high and extremely high risk areas. However, as per the extant guidelines of RBI, at the minimum, it must review/report on:
- Process by which risks are identified and managed in various areas
- The control environment in various areas
- Gaps, if any, in control mechanism which might lead to frauds, identification of fraud prone areas
- Data integrity, reliability and integrity of MIS
- Internal, regulatory and statutory compliance
- Budgetary control and performance reviews
- Transaction testing/verification of assets to the extent considered necessary
- Monitoring compliance with the risk-based internal audit report
- Variation, if any, in the assessment of risks under the audit plan vis-à-vis the risk-based internal audit.
2.5.3 The scope of risk-based internal audit should also include a review of the systems in place for ensuring compliance with money laundering controls; identifying potential inherent business risks and control risks, if any; suggesting various corrective measures; and undertaking follow up reviews to monitor the action taken thereon.

Contents of Risk-based Audit Plan

2.5.4 The contents of risk-based audit plan are normally as follows:

(i) Audit Universe. The risk-based audit plan at the outset lists down the entire auditable units, which are subject to the internal audit in one form or other. An explanation of the nature and scope of the auditable units is provided under this section.

(ii) Priority. Each auditable unit is to be assigned a risk category based on the risk assessment of the auditable unit as outlined above. For this purpose, it is important that the plan should give importance to the magnitude and the frequency of the risks also as observed in the risk assessment exercise for the purpose of conducting of internal audit in respect of the respective auditable unit. The audit plan should prioritize audit work to give greater attention to areas of:
- High Magnitude and high frequency
- High Magnitude and medium frequency
- Medium magnitude and high frequency
- High magnitude and low frequency
- Medium Magnitude and medium frequency.

(iii) Type of the internal audit assignment. The shape and the form of the internal audit assignment should be clearly defined. Two types of the internal audit assignment are particularly relevant in this connection:
- Assurance. This type of internal audit assignment is designed to provide senior management with assurance services. Assurance services are objective examinations of evidences for the purposes of providing an independent assessment of risk management strategies and practices, management control frameworks and practices and information used for decision making and reporting.
- Consulting. Consulting assignments are designed to provide senior management with assistance. These assignments are not designed to provide assurance as mentioned above.

(iv) Frequency. The risk-based internal audit plan should also outline the frequency within which the auditable units are subject to the internal audit. It should be noted that the frequency of the audit is a function of the internal audit priorities as outlined above and the available internal audit resources etc. However, all the auditable units should be subject to one form or other of internal audit at intervals as decided by the management but preferably, at least once in three years.

(v) Extent of testing. The primary focus of risk-based internal audit will be to provide reasonable assurance to the Board and top management about the adequacy and effectiveness of the risk management and control framework in the banks' operations. While examining the effectiveness of the control framework, the risk-based internal audit should report on proper recording and reporting of major exceptions and excesses. As per the extant guidelines of RBI, transaction testing would continue to remain an essential aspect of risk-based internal audit of banks. The extent of transaction testing would be determined on the basis of risk assessment. Illustratively, the bank should undertake 100 per cent transaction testing if an area falls in cell 'Extremely High Risk' of the risk matrix. The bank may also consider 100 per cent transaction testing if an area falls in cell 'B-Very High Risk' or 'F-Very High Risk', and the risks are showing an increasing trend. The banks may also consider transaction testing with an element of surprise in respect of low risk areas, which would be audited at relatively longer intervals.

(vi) Resource requirements. The plan for risk-focused audit should also specify an estimated range of level of effort required to carry out the project. The effort estimate should take into consideration the following factors:
- Nature of internal audit assignment (consulting, assurance)
- The scope of the internal audit assignment (including considerations of audit period, business process and the business objectives to be assessed)
- The complexity of auditable unit, business processes and systems in scope
- The availability of internal audit and subject matter expertise
- The quality and quantity of existing documentation in the subject area
- The audit approach and techniques to be used (e.g., interviews, transaction sampling, workshops, computer assisted audit tools, etc.).

As per the guidelines of RBI, the internal audit function should be provided with appropriate resources and staff to achieve its objectives under the risk-based internal audit system. The staff possessing the requisite skills should be assigned the job of undertaking risk-based internal audit. They should also be trained periodically to enable them to understand the bank's business activities, operating procedures, risk management and control systems, MIS, etc.

(vii) Submission of the internal audit plan. The results of the above process including toolset requirements for the risk-based internal audit should be presented and validated by the senior management. It is important to engage senior management in this process to seek their final input on the highest priorities for internal audit and to ensure that there is adequate support for the rationale provided. It is, therefore, recommended to seek the views of the senior management of the auditable units on the risk-based internal audit plan and incorporate the necessary suggestions in the audit plan. The final plan as acceptable to the internal audit function and the auditable units is to be placed before the Audit Committee of the Board of Directors for their final approval.
CASE STUDY

Risk Assessment of an Auditable Unit-Retail Loan Department

Let us consider, for example, one of the identified auditable units by the internal auditor as "Retail Loan department". This includes further sub-units such as home loans, commercial vehicle loans, personal loans, auto loans and two wheeler loans departments. Once the auditable unit is identified, the following steps are to be undertaken for ensuring the risk appetite of the retail loan department.

Identification of inherent business risk: In retail loan portfolio, the major inherent business risk is the credit risk, i.e., risk of default by a retail borrower.

Identification of control procedures: To ensure that the credit risk is appropriately taken care of, adequate control policies and procedures are to be formulated by the retail risk management department of the bank. These procedures might include:
- Devising the scorecard approaches specifying the criteria for acceptance of customer.
- Segregation of the functions of sourcing the borrowers and sanctioning of the loans.
- Establishment of an independent risk control unit, which undertakes the verification of the accuracy of the loan documents along with the necessary supplements documents submitted by the borrower including their authenticity itself.
- Designing a proper MIS framework resulting in appropriate monitoring of the portfolio including periodic, exception reports being generated.
- Ensuring adequate personnel to undertake the study of the movement of the retail loan portfolio with particular emphasis on the trend of the delinquency ratios being observed over a period of time.
- Creation of a separate loan collection network for following up with the delinquent borrowers.

The formulation of the above control procedures is, as mentioned above, the responsibility of the risk management department. However, once the procedures are formulated there is a risk that they may not be properly implemented due to failure of people, process or systems. This risk is technically termed as operational risk.

The internal auditor who is undertaking the risk assessment of the retail loan department of a bank has to primarily understand the procedures determined for mitigating the credit risk inherent in the retail loan portfolio. While understanding the procedures, he may come across certain areas in the retail loan portfolio, which may not be covered by the above procedures. For example, the sourcing of the borrowers function has been entrusted to an external agency by the bank. In that situation, the outsourcing risks arising out of the external agency arrangement may be of particular concern for determining the operational risk of the retail loan department. These outsourcing risks include, risk of fake field investigation, dubious reports being submitted by the external agency, etc. The internal auditor in such case can suggest to the risk management department, the risk mitigants to be formulated to obviate the outsourcing risks. However, it should be noted that the ultimate responsibility of designing appropriate control procedures lies with the risk management department.

Preliminary assessment of the control risk

While undertaking the preliminary assessment of the control risk, the internal auditor should determine the likelihood of the risk of a particular process or function not adequately covered by the control procedures. He should also, in such circumstances, understand the quantum of the risk being identified and document the internal audit procedures undertaken to reach such conclusion.

Risk Rating

For the purpose of risk assessment, the internal auditor may adopt a rating criteria for assessing the risks, both inherent and control, which would assist him in objective evaluation of the risks in the auditable unit. This exercise requires the internal auditor to rate the risk posed by the auditable unit on a pre-defined rating scale where the low rating would indicate a low risk and vice versa. Such an exercise would result in the standardization of the risk assessment and assist the internal auditor in documenting the steps undertaken for the risk assessment.

Tests of controls

After the preliminary assessment, the internal auditor, if he feels that the situation demands that the tests of controls should be undertaken, should take appropriate steps to independently test the operation of the internal control procedures. For this purpose, he may take up appropriate credit files and try to evidence the observance of the prescribed procedures. These tests of controls further supplement the preliminary assessment of internal control in reaching a conclusion about the control risk of the retail loan department.

Risk Mapping

After identification of the inherent and the control risks of the retail loan department, the internal auditor is required to make a judgment about the nature of these risks as high, medium or low depending on the results of the audit procedures as above, including the results of the tests of the control undertaken, if any, and document the decision of the risk assessment of the retail loan department.
Chapter 3
Other considerations
The following factors should also be considered while undertaking the risk-based internal audit assignments as per the extant guidelines of RBI:
Functional independence
3.1.1 The internal audit function should be independent from the internal control process in order to avoid any conflict of interest and should be given an appropriate standing within the bank to carry out its assignments. It should not be assigned the responsibility of performing other accounting or operational functions. The management should ensure that the internal audit staff performs their duties with objectivity and impartiality. Normally, the internal audit head should report to the Board of Directors through Audit Committee of the Board.
3.1.2 The Board of Directors and top management will be responsible for having in place an effective risk-based internal audit system and ensure that its importance is understood throughout the bank. The success of internal audit function depends largely on the extent of reliance placed on it by the management for guiding the bank's operations.
3.1.3 In this context, attention is invited to the Auditing and Assurance Standard, "Relying Upon the Work of an Internal Auditor", which provides that the general evaluation of the internal audit function will assist the external auditor in determining the extent to which he can place the reliance on the work of internal auditor. The Standard also requires the organizational status of the internal audit function to be examined as a part of the general evaluation and provides that:
"Whether internal audit is undertaken by an outside agency or by an internal audit department within the entity itself, the internal auditor reports to the management. In an ideal situation he reports to the highest level of management and is free of any other operating responsibility. Any constraints or restrictions placed upon his work by management should be carefully evaluated."
Communication
3.2 The communication channels between the risk-based internal audit staff and management should encourage reporting of negative and sensitive findings. All serious deficiencies should be reported to the appropriate level of management as soon as they are identified. Significant issues posing a threat to the bank's business should be promptly brought to the notice of the Audit Committee or top management, as appropriate. In particular, the internal auditor should be free to communicate fully with the external auditor.
Performance evaluation
3.3.1 The Internal audit function should conduct periodical reviews, annually or more frequently, of the risk-based internal audit undertaken by it vis-à-vis the approved audit plan. The performance review should also include an evaluation of the effectiveness of risk-based internal audit in mitigating identified risks.
3.3.2 The Audit Committee of Board should periodically assess the performance of the risk-based internal audit for reliability, accuracy and objectivity. Variations, if any, in the risk profile as revealed by the risk-based internal audit vis-à-vis the risk profile as documented in the audit plan should also be looked into to evaluate the reasonableness of risk assessment methodology of the internal audit function.
Relationship with the external auditor
3.4 While the external auditor has the final responsibility for the audit report signed by him and for determination of the nature, timing and extent of the auditing procedures, much of the work of the internal audit function may be useful to him in his examination of the financial information. Towards this end, the Auditing and Assurance Standard, "Relying Upon the Work of an Internal Auditor", provides for a framework of relationship between the internal auditor and the external auditor, which should be considered while determining the risk-based audit plan.
Chapter 4
The Way Ahead
Risk-based internal audit is expected to be an aid to the ongoing risk management in banks by providing necessary checks and balances in the system. However, since risk-based internal audit will be a fairly new exercise for most of the Indian banks, a gradual but effective approach would be necessary for its implementation.
In this connection, it is important to note that the ICAI has come out with several audit pronouncements including Guidance Note on Audit of Banks, which will provide guidance on risk assessment and its importance to the audit function. The growing concern of internal controls particularly in a post-Sarbanes Oxley era and its applicability to the banking industry is a professional opportunity for the members of the Institute to contribute to the enterprise-wide risk management initiatives of the banks using the internal audit function.
Further, the risk management perspective of the operations is being given due importance under the proposed Basel International Capital Adequacy framework whereby the banks with increased risk mitigant strategies are rewarded suitably with the lower capital requirements whereas the high risk banks are subject to stringent capital requirements.
Further, the RBI has advised that initially the risk-based internal audit may be used as a management/audit tool in addition to the existing internal audit/inspection. Once the risk-based internal audit stabilizes and the internal audit staff or the team (where the internal audit function is outsourced) attains proficiency, it should replace the conventional internal audit approach/inspection.
Reserve Bank of India circulars on Risk-based Internal Audit
I DBS.CO/RBS/58/36.01.002/2001-02 dated August 13, 2001
II DBS.CO.PP.BC.10/11.01.005/2002-03 dated December 2, 2002
III DBS.CO.PP.BC.1/11.01.005/2004-05 dated February 1, 2005
Appendices
Appendix - I
Move towards Risk based Supervision (RBS) of banks - Discussion Paper
13th August 2001
DBS.CO/RBS/58/36.01.002/2001-02
All Scheduled Commercial Banks
(Except Regional Rural Banks)
Dear Sirs,
Please refer to paragraph 6 of our Governor's statement on 'Monetary and Credit Policy for the year 2000-2001' wherein it has been stated that the Reserve Bank would be developing an overall plan for moving towards Risk-based Supervision (RBS) with the assistance of international consultants. Accordingly, PricewaterhouseCoopers (PwC), a firm of consultants based in London, were engaged to undertake a review of the current regulatory and supervisory regime and prepare the blueprint for the transition to a more sophisticated system of RBS incorporating international best practices. A discussion paper on the 'Move towards Risk-based Supervision of banks' has been prepared summarizing the recommendations of the consultants and is enclosed.
2. It may be observed from the discussion paper that the Reserve Bank would focus its supervisory attention on the banks in accordance with the risk each bank poses to itself as well as to the system. The risk profile of each bank would determine the supervisory programme comprising off-site surveillance, targeted on-site inspections, structured meetings with banks, commissioned external audits, specific supervisory directions and new policy notices in conjunction with close monitoring through a Monitorable Action Plan (MAP) followed by enforcement action, as warranted. The successful implementation of the process of RBS entails adequate preparation, both on the part of the Reserve Bank and the commercial banks.
3. The introduction of RBS would require the banks to reorient their organisational set up towards RBS and put in place an efficient risk management architecture, adopt risk focused internal audit, strengthen the management information system, and set up compliance units. The banks would also be required to address HRD issues like manpower planning, selection and deployment of staff and their training in risk management and risk based audit. It is evident that change management is a key element in RBS and the banks should have clearly defined standards of corporate governance, well documented policies and efficient practices in place so as to clearly demarcate the lines of responsibility and accountability so that they align themselves to meet the requirements of RBS.
4. The discussion paper may please be placed before the Board of Directors for deliberation in the next meeting. The comments of the bank on the various aspects of the discussion paper may please be forwarded to us as early as possible but before September 30, 2001. On the basis of the feedback received from the banks further discussions would be held.
5. In the meanwhile, kindly acknowledge receipt.
(A.L. Narasimhan)
Chief General Manager-in-Charge
Encl: Discussion paper on 'Move towards risk based Supervision of banks'
Reserve Bank of India
Department of Banking Supervision - Central Office
Move towards Risk-based Supervision of Banks - A Discussion Paper
Part I
Background
1. The international banking scene has in recent years witnessed strong trends towards globalization and consolidation of the financial system. Stability of the financial system has become the central challenge to bank regulators and supervisors throughout the world. The multi-lateral initiatives leading to evolution of international standards and codes and evaluation of adherence thereto represent resolute attempts to address this challenge.
2. The Indian banking scene has witnessed progressive deregulation, institution of prudential norm and an emulation of international supervisory best practices. The supervisory processes have also concomitantly evolved and have acquired a certain level of robustness and sophistication with the adoption of the CAMELS/CALCS approach to supervisory risk assessments and rating. The tightening of exposure and prudential norms and enhancement in disclosure standards in phases over a period of time have more closely aligned the Indian banking system to international best practices. Reserve Bank of India (RBI) has been constantly endeavouring to enhance the sophistication and efficiency levels of its supervisory processes.
3. The announcement made by the Governor, RBI, as part of the monetary and credit policy statement for 2000-2001 that RBI would be developing an overall plan for moving towards risk-based supervision (RBS) with the assistance of international consultants signified the launch of a new initiative in this direction. PricewaterhouseCoopers (PwC) based in London, were selected to undertake a review of the current regulatory and supervisory processes of the RBI with a view to assisting in the introduction of risk based regulation and supervision in India. The RBS will be a regime in which RBI's resources will be directed towards the areas of greater risk to its supervisory objectives. There are two legs to implementing effective risk-based processes: first, explicit supervisory objectives must be set and secondly, the risks posed to these objectives by the activities of commercial banks must be assessed and addressed. The current review represents further stage in the overall development of RBI's approach to regulating and supervising banks in the light of the earlier Padmanabhan Committee and Narasimham Committee reports. Based on the work of the international consultants, RBI intends to move towards a RBS system in stages.
Current approach
4. The current supervisory process adopted by the Department of Banking Supervision (DBS) is applied uniformly to all supervised institutions. Though scrutiny of systems and procedures prevailing in supervised institution is an integral part of on-site inspection, there is scope for more focus on the risk profile of the institutions. The current approach is largely on-site inspection driven supplemented by off-site monitoring and the supervisory follow-up commences with the detailed findings of annual financial inspection. The process is based on CAMELS/CALCS approach where capital adequacy, asset quality, management aspects, earnings, liquidity and systems and control are examined keeping in view the requirements of Section 22 of the Banking Regulation Act, 1949. The on-site inspections are conducted, to a large extent with reference to the audited balance sheet dates. The off-site and market intelligence play a supplemental role. While in several external jurisdictions, the supervisory process extensively leverages on the work done by others, such as the internal and external auditors, the use made of these resources in India is rather limited. No legal framework exists for the external auditors to report to the supervisor their adverse findings on issues having supervisory implications.
Risk-based supervision - A New approach
5. Considering the growing diversities and complexities of banking business, the spate of product innovation with complex risk phenomena, the contagion effects that a crisis can spread and the consequential pressures on supervisory resources, the RBS approach, the foundation of which would be based on the CAMELS based approach, would be more appropriate. By optimizing the synergies from the different activities, including the regulatory and supervisory functions, the overall efficiency and effectiveness of the supervisory process can be substantially enhanced.
Objectives of RBS
6. The RBS approach essentially entails the allocation of supervisory resources and paying supervisory attention in accordance with the risk profile of each institution. The approach is expected to optimize utilisation of supervisory resources and minimize the impact of crisis situation in the financial system. The RBS process essentially involves continuous monitoring and evaluation of the risk profiles of the supervised institutions in relation to their business strategy and exposures. This assessment will be facilitated by the construction of a Risk matrix for each institution.
Supervision process
7. The instruments of RBS will be by way of enhancement as well as refining of the supervisory tools over those traditionally employed under the CAMELS approach viz. on-site examination and off-site monitoring. The RBS processes and the outcome will be forward looking beyond focusing attention on the rectification of deficiencies with reference to the on-site inspection date. The extent of on-site inspection would be largely determined by the quality and reliability of off-site data, and the reliability of the risk profile built up by banks. The effectiveness of the RBS would clearly depend on banks' preparedness in certain critical areas, such as quality and reliability of data, soundness of systems and technology, appropriateness of risk control mechanism, supporting human resources and organisational back-up.
The major elements of RBS approach are set out below:
Risk profiling of banks
8. The central plank for RBS is an accurate risk profiling for each bank. The risk profile would be a document, which would contain various kinds of financial and non-financial risks faced by a banking institution. The risk assessment would entail the identification of financial activities in which a bank has chosen to engage and the determination of the types and quantities of risks to which these activities expose the banking institution. The type of risk that banking institution face individually or in combination include, but are not limited to, credit, market, liquidity, operational, legal and reputational risks. The quantity of risks associated with a given activity may be assessed by the volume of assets and the off-balance sheet items that the activity represents or the portion of revenue derived from that activity. Activities that are new to an institution or for which exposure is not readily quantifiable may also represent high risk to an institution that would also be evaluated and included in the risk profile document. The risk profile will also be designed to provide a systematic assessment from the supervisor's perspective of the adequacy and effectiveness of the bank's organisation, management and controls. The main risk-profiling device at present is the CAMELS rating based on on-site inspection, which in course of time will be derived from off-site returns and other information. CAMELS rating would continue to be the core of risk profile compilation, but the successive ratings would be used to reflect trends in contrast to being used as a static annual indicator of risk.
9. The risk profile of each bank will draw upon a wide range of sources of information, besides CAMELS rating, such as, off-site surveillance and monitoring (OSMOS) data, market intelligence reports, ad-hoc data from external and internal auditors, information from other domestic and overseas supervisors, on-site findings, sanctions applied etc. The data inputs would be assessed for its significance and quality before being fed into the risk profile. All outliers i.e. banks which fall outside the normal distribution based on characteristics such as profitability, new business activity, balance sheet growth etc. would be identified on the basis of a two-tailed test (i.e. too good or too bad) and investigated on a regular basis. The risk profile would be constantly updated.
10. The key components of the risk profile document would be the following:
- CAMELS rating with trends
- Narrative description of key risk features captured under each CAMELS component
- Summary of key business risks including volatility of trends in key business risk factors
- Monitorable action plan and bank's progress to date
- Strength, Weaknesses, Opportunities, Threats (SWOT) analysis
- Sensitivity analysis.
RBI would undertake a formal assessment of the risk profile of each bank on a regular basis. The period between assessments would vary depending on the materiality of the risk profile of a bank, with an average period of one year. However, more frequent assessments would be resorted to for higher risk banks and less frequent assessment for lower risk banks.
Supervisory cycle
11. The supervisory process would commence with the preparation of the bank risk profile (based on data furnished by banks to the DBS of RBI, besides data from other sources). The supervision cycle will vary according to risk profile of each bank, the principle being the higher the risk the shorter will be the cycle. The supervision cycle will remain at 12 months in the short-term and will be extended beyond 12 months for low risk banks at a suitable stage. In cases where more frequent application of supervisory process will be necessary, the cycle could even be lesser than 12 months.
Supervisory programme
12. RBI would prepare a bank specific supervisory programme which will set out the detailed work plan for the bank. The scope and objectives of the inspection programme will derive from analysis of risk profile. The supervisory programme would be tailored to individual banks and would focus on the highest risk areas as well as specify the need for further investigation in identified problem areas. The supervisory programme would be prepared at the beginning of the supervisory cycle and would yet be flexible enough to permit amendments warranted by subsequent major developments. The supervisory programme would also identify the package of supervisory tools to be deployed from a range consisting of:
- greater off-site surveillance
- targeted on-site inspection
- structured meetings with banks
- commissioned external audits
- specific supervisory directions
- new policy notices (i.e. new policy directions to banks emanating from individual bank level concerns which are relevant for the industry).
On-site inspection would be largely targeted to specific areas unless a full scope inspection is warranted as per the bank-specific supervisory programme. A monitorable action plan (MAP), the details of which are given later, to mitigate risks to supervisory objectives posed by individual banks would be drawn up for follow-up. Variable supervisory cycles and variable frequency of inspections would therefore characterise the supervisory process under RBS.
Inspection process
13. The risk assessment of individual banks would be performed in advance of on-site supervisory activities. The risk assessment process would highlight both the strengths and vulnerabilities of an institution and would provide a foundation from which to determine the procedures to be conducted during the inspection. The current full-scope on-site inspections, which are carried out annually cover a substantive asset evaluation. The inspections under the new approach would be largely systems based rather than laying emphasis on underlying transactions and asset valuations. The inspection would target identified high-risk areas from the supervisory perspective and would focus on the effectiveness of mechanism in capturing, measuring, monitoring and controlling various risks. The inspection procedure would continue to include transaction testing and evaluation the extent of which will depend on the materiality of an activity and the integrity of the risk management system and the control process.
Review, evaluation and follow-up
14. An evaluation will be undertaken to ensure that the supervisory programme has indeed been completed and been effective in improving the risk profile of the bank concerned. If need be, further tools will be employed including additional inspection visits. The findings of inspection and other supervisory information on records would be used to produce a comprehensive document of supervisory risks and the bank's assigned ratings for follow-up of supervisory concerns. The risk profile document of the bank will accordingly be updated in the light of new information. This process will support the issue of the supervisory letter to the bank, which would be discussed with the bank's management or the Board of Directors.
Monitorable action plan
15. The aim of supervisory follow-up would be to ensure that banks take corrective action in time to remedy or mitigate any significant risks that have been identified during the supervisory process. The major device in this respect would be the MAP. MAPs are already used by RBI to set out the improvements required in the areas identified during the current on-site and off-site supervisory process. However, MAPs would be made more robust in a number of ways. MAPs will in many cases include directions to banks on actions to be taken. The remedial actions that would be outlined, would be tied explicitly to the areas of high risks identified in the risk profiling as well as the supervisory process and should lead to improvements in the systems and controls environment at the bank. Key individuals at the bank would have to be made accountable for each of the action points. If actions and timetable set out in the MAP are not met, RBI would consider issuing further directions to the defaulting banks and even impose sanctions and penalties.
Supervisory organisation
16. Within the RBI, the regulatory and supervisory structure function separately at present making it necessary for banks to have more than one contact point with the RBI Regulation (DBOD) and Supervision (DBS) departments for their interaction on supervisory and regulatory issues. As the bank specific issues would be with reference to the broad regulatory framework in place, a Central Point of Contact in RBI would be of convenience to banks. Under the RBS, there would be a focal point for all contacts by banks both at the Central Office of RBI and its ROs, in respect of all matters relating to regulatory/supervisory issues. This focal point would be the main conduit for information and communication between the banks and RBI.
Enforcement process and incentive framework
17. While the aim of supervisory follow-up is to ensure that banks take corrective action to mitigate significant risks, the persistence of deficiencies would pose a risk to RBI's supervisory objectives. A system of incentives and disincentives has been contemplated under the RBS to better serve attainment of these objectives. Banks with a better compliance record and a good risk management and control system could be entitled to an incentive package which could be in the form of longer supervisory cycle and lesser supervisory intervention. The banks, which fail to show improvement in response to the MAP, would be subjected to a disincentive package such as, more frequent supervisory examination and higher supervisory intervention including directions, sanctions and penalties. The mandatory and discretionary actions as enshrined in the Prompt Corrective Action (PCA) framework would be a part of the supervisory enforcement action. The enforcement function would be carried out through an independent Enforcement Cell to be set up at the BSD to ensure consistency of treatment, maintain objectivity and neutrality of enforcement action.
Role of external auditors in banking supervision
18. The use of specialist third parties, such as, external auditors can be of significant aid to the bank supervisors. In some countries, external auditors are required to perform an early warning function and inform supervisors without delay of information material to the supervisor. The Basel consultative paper 'Internal audit in banks and the relationship of the supervisory authorities with internal and external auditors' discusses the commonality of focus and concern of external auditors and bank supervisors. The supervisory process instead of duplicating the efforts of the external and internal auditors in some areas should seek to leverage off the work done by these agencies. Towards part achievement of this goal, the LFAR format, which is currently under revision, will have to be brought into use at the earliest. RBI would look forward to make more use of external auditors as a supervisory tool by widening the range of tasks and activities which external auditors perform at present. RBI would enter into dialogue with the Institute of Chartered Accountants of India and the bank management to chalk out an action plan.
Change management implications
19. Change management is a key element in ensuring that switchover to RBS takes place in an orderly and effective manner. Banks should have clearly defined standards of corporate governance and documented policies and practices in place so as to clearly demarcate the lines of responsibility and accountability. They will have to address several organisational issues to realign themselves to meet the requirements of RBS. The details of actions that need to be taken by banks are enumerated in Part II.
Part II
20. Bank level preparations
(a) Setting up of risk management architecture
With the progressive deregulation of the financial system as also to address systemic concerns on the safety and soundness of the banking system, RBI advised banks in India in February 1999 to introduce, effective from April 1, 1999, a scientific system of Asset-Liability Management. RBI also issued in October 1999 comprehensive guidelines for putting in place an effective and comprehensive Risk Management System. The guidelines envisaged that banks would set up proper organizational structure, policies, procedures, limits for credit, market and operational risk management. Under the ALM guidelines banks were expected to cover 100% of their assets and liabilities by April 1, 2000. A review undertaken by RBI has revealed that most of the banks are yet to cover 100 per cent of their assets and liabilities for ALM or set up proper risk management systems and policies for managing credit, market, operational and other risks.
As stated earlier in paragraph 13, supervisory resources would be focused on the areas of higher risks to a bank. The risk profile would highlight both the strengths and vulnerabilities of a bank and would provide a foundation from which to determine the procedures to be conducted during an on-site examination. Under a risk-focused on-site examination approach, the degree of transaction testing would be reduced when internal risk management processes are determined to be adequate or risks are considered minimal. When, however, risk management processes or internal controls are considered inappropriate, additional transaction testing sufficient to fully assess the degree of risk exposure in a function or activity would be performed. It would be necessary for banks to carry out a fresh review of their current status of risk management architecture by an expert team and initiate measures to bridge the gaps.
(b) Adoption of risk focused internal audit
Internal Audit is an independent activity designed to improve the bank's operations. The internal audit function is a part of the ongoing monitoring of the system of internal control and assists the staff in effective discharge of their responsibilities. The success of internal audit function depends largely on the extent of reliance the bank management would place in guiding the bank's operations. The Internal Audit Department will therefore have to be independent from the internal control process and be given an appropriate standing within the bank to carry out its assignments with objectivity and impartiality. The Internal Audit Department should therefore be provided with appropriate resources and staff to achieve its objectives. Historically, the internal audit system in banks has been concentrating on: (i) transaction testing, accuracy and reliability of accounting records and financial reports, (ii) testing of integrity, reliability and timeliness of control report, and (iii) adherence to legal and regulatory requirements. Though transaction testing would remain a reliable and essential examination aspect of internal auditing, in the changing scenario such testing by itself would not be sufficient. Over the years, the evolvement of financial instruments and markets have enabled banks to reposition their portfolio risk exposure. It has become clear that periodic assessment based on transaction testing alone cannot keep pace with the rapid changes occurring in financial risk profiles. In this context the widening of the scope of internal auditing assumes significance. The internal audit would have to capture in a larger way the application and effectiveness of risk management procedures and risk assessment methodology and critical evaluation of the adequacy and effectiveness of the internal control systems. The internal audit department should pay special attention to auditing the banking activity in all the places through which the activity is undertaken. The precise scope of work of internal auditing must be determined by each bank but as a minimum, must review and report upon the control environment as a whole, the process by which risks are identified, analysed and managed, the line of controls over key processes, the reliability and integrity of corporate management function, safeguarding of assets and compliance with rules and regulations.
To achieve these objectives, banks would have to gradually move towards risk focused auditing, in addition to the system of selective transaction based auditing. The implementation of risk based auditing would mean that greater emphasis is placed on the internal auditor's role of mitigating risks. By focussing on effective risk management the internal auditor would not only offer remedies for current trouble areas but also anticipate problems and play an important role in protecting the bank from risk hazards. The Risk based auditing would not only cover assessment of risks at the branch level but would also cover, as an independent assessing authority, assessment of risks at the corporate level and the overall process in place to identify, measure, monitor and control the risks. In order to focus attention on areas of greater risk to the bank, a location-wise and activity-wise risk assessment should be performed in advance of on-site Risk based auditing. This would allow identification of high risk areas which would enable prioritising the activities and locations for Risk based audit. If initial inquiries into the risk management system raise material doubt as to the system's effectiveness, no significant reliance should be placed on the system and a more extensive series of tests need to be undertaken to ensure that the bank's exposure to risk from a given function or activity is accurately captured and monitored. The high-risk areas need to be looked into more frequently than the low risk areas. Risk based audit would be an aid to the ongoing risk management by banks, as it would provide checks and balances in the system. The banks could form a small committee of executives and entrust them with the responsibility to chalk out an action plan, implement and monitor the progress in adoption of risk management systems and risk focused audit and report to the Top Management and Board of Directors periodically.
(c) Strengthening of Management Information System and Information Technology
A principal foundation for RBS is the availability of detailed data. Under RBS the monitoring
needs of RBI will differ based on the risk profile of a bank and accordingly RBI may require
banks to provide information in addition to the data now being furnished in the OSMOS returns.
Consequently, there is a need to devise a policy for backup and storage of various databases on
regular intervals. The policy should specify details like frequency of backups, media to be used,
off-site storage areas, departments and officials (Data Managers) responsible for these actions.
The accuracy, completeness and the timeliness of data are very important and would have to be
ensured by banks through up-gradation of their management information and information
technology systems. The Data Manager's role should be created in order to ensure that the data
has integrity, is stored in correct place, comprehensive and timely. The Data Managers should be
made responsible for specific databases. Banks should review the present status of the
management information and information technology systems and initiate necessary measures
to ensure that RBI data needs as well as supervisory reporting systems are streamlined.
(d) Addressing HRD issues
A major transitional task towards completion of risk management set up and introduction of
Risk based audit will be the reorientation of the staff to meet the required objectives. The
potential primary obstacles will be the skill formation of the staff and placement in appropriate
positions. Banks may have to create a dedicated risk management team at head office and
reorient the Internal Audit Department to undertake risk-based audit. These objectives could be
attained through addressing several HRD issues like manpower planning, selection and
deployment of staff and extensive training in risk management including asset liability
management and Risk based audit. The banks will have to adopt a forward looking training
arrangement through appropriate course designing and compilation of training materials
keeping in view the best international practices and procedures.
(e) Setting up of Compliance Unit
Banks are required to take corrective action to remedy or mitigate any significant risks which
have been identified in the earlier part of the supervisory cycle and which have been
incorporated into the current risk profile. RBI will issue bank specific MAP which will include
directions to banks on actions to be taken. If the actions and timetable set out in the MAP fail to be
met, RBI may issue further directions or impose sanctions or take mandatory and discretionary
actions, if deficiencies continue to persist. It is therefore necessary for banks to set up a dedicated
compliance unit to coordinate various actions of the bank for compliance and for periodical
reporting to RBI, and ensure the completion of compliance action within the time period
indicated in the MAP. The compliance unit should be headed by a Chief Compliance Officer of
the rank of not less than a General Manager who will be responsible and accountable for
timeliness and accuracy of the compliance.
Part III
Implementation Schedule
21. The major transitional task would be the reorientation of organizational set up by banks in line
with the recommendations for bank level preparation. The main obstacle during the transitional
period would be skill formation, attitudinal changes, development and retention of specialist
staff, extensive training and redeployment of staff. It is not contemplated to change over to RBS
approach in one go. It will be implemented in a gradual manner. However, the shift to RBS
approach would not necessarily await the completion of bank level preparation. The concept is
intended to be rolled out at the earliest, as the inadequacies in risk management systems in banks
will themselves be a supervisory risk. As the CAMELS rating would be an important input in
bank risk profiling, the CAMELS approach through on-site inspection would concurrently be
followed along with the RBS approach in the shorter term. The procedure would be reviewed at
the appropriate time in the light of the quality of Management Information System in banks and
the accuracy and completeness of relevant off-site data furnished to the BSD of RBI which would
then form the basis for compilation of CAMELS rating. At that stage, the on-site inspection for
CAMELS rating would be by way of exception.
22. It is intended to roll out the RBS process in phases beginning from the last quarter of the
financial year 2002-2003. It is, therefore, necessary for banks to initiate immediate measures
for completion of the tasks indicated in paragraph 21 of this document by the end of the
calendar year 2002. Banks may like to set up an in-house change management team to monitor
the progress of implementation and suggest ways and means to overcome the obstacles.
1. Capital adequacy, Asset quality, Management, Earnings, Liquidity, Systems and control. (applicable to all domestic
banks)
2. Capital adequacy, Asset quality, Liquidity, Compliance and Systems. (applicable to Indian operations of banks
incorporated outside India)
Appendix - II
Risk-based Internal Audit
DBS.CO.PP.BC. 10/11.01.005/2002-03
December 27, 2002
All Scheduled Commercial Banks
(Except Regional Rural Banks)
Dear Sirs,
Please refer to Part II of the discussion paper on 'Move towards risk-based supervision of banks'
forwarded to you vide letter No. DBS. CO. RBS.58/ 36.01.002/ 2001-02 dated August 13, 2001
wherein five areas of bank level preparation had been identified, which will be significant in
facilitating a smooth switchover to risk-based supervision (RBS) of banks by the Reserve Bank.
One of the areas relate to the introduction of a risk-based internal audit system by banks. The
guidelines have now been finalised and the guidance note relating to risk-based internal audit
system is enclosed.
2. The guidance note may please be placed before the Board of Directors for deliberation at the
next meeting, and banks may immediately initiate necessary steps to review their current
internal audit systems and prepare for transition to a risk-based internal audit system in a
phased manner, keeping in view their risk management practices, business requirements,
manpower availability, etc.
3. Banks should form a Task Force comprising senior executives and entrust them with the
responsibility of chalking out an action plan for switching over to risk-based internal audit. The
task force may identify and address transitional and change management issues, implement the
action plan, monitor the progress in the transitional period and report periodically to the Board
of Directors and Top Management. A quarterly report beginning from the quarter ending
March 31, 2003 on the progress made in implementation of risk based internal audit may be
submitted to us as also to the Regional Office of Department of Banking Supervision under
whose jurisdiction the Head Office of the bank is situated.
4. Kindly acknowledge receipt.
Yours faithfully,
Sd/-
(P. V. Subba Rao)
Chief General Manager-in-charge
Encl: Guidance note on risk-based internal audit
Annexure
Guidance Note on Risk-based Internal Audit
1. Introduction
1.1. The evolvement of financial instruments and markets has enabled banks to undertake varied
risk exposures. In the context of these developments and the progressive deregulation and
liberalisation of the Indian financial sector, having in place effective risk management and
internal control systems has become crucial to the conduct of banking business. This is also
significant in view of proposed introduction of the New Basel Capital Accord under which
capital maintained by a bank will be more closely aligned to the risks undertaken and Reserve
Bank's proposed move towards risk-based supervision (RBS) of banks. Under the proposed RBS
approach, the supervisory process would seek to leverage the work done by internal auditors of
banks. In this regard, the discussion paper on 'Move towards risk-based supervision of banks'
dated August 13, 2001 may be referred. Part II of the discussion paper clearly identifies five
significant areas for action on the part of banks, including putting in place risk-based internal
audit system by December 2002, to facilitate a smooth switchover to RBS.
1.2. A sound internal audit function plays an important role in contributing to the effectiveness of
the internal control system. The audit function should provide high quality counsel to
management on the effectiveness of risk management and internal controls including
regulatory compliance by the bank. Historically, the internal audit system in banks has been
concentrating on transaction testing, testing of accuracy and reliability of accounting records
and financial reports, integrity, reliability and timeliness of control reports, and adherence to
legal and regulatory requirements. However, in the changing scenario such testing by itself
would not be sufficient. There is a need for widening as well as redirecting the scope of internal
audit to evaluate the adequacy and effectiveness of risk management procedures and internal
control systems in the banks.
1.3. To achieve these objectives, banks will have to gradually move towards risk-based internal audit
which will include, in addition to selective transaction testing, an evaluation of the risk
management systems and control procedures prevailing in various areas of a bank's operations.
The implementation of risk-based internal audit would mean that greater emphasis is placed on
the internal auditor's role in mitigating risks. While focusing on effective risk management and
controls, in addition to appropriate transaction testing, the risk-based internal audit would not
only offer suggestions for mitigating current risks but also anticipate areas of potential risks and
play an important role in protecting the bank from various risks.
1.4 The functions of the Risk Management Committee/Department (RMC/RMD) and the role of
risk-based internal audit need to be distinguished. The RMC/RMD focuses on areas such as
identification, monitoring and measurement of risks, development of policies and procedures,
use of risk management models, etc., as outlined in paragraph 2 of the guidelines on Risk
Management systems in Banks enclosed with our circular DBOD No. BP.(SC).BC.98/21.04.103/99
dated October 7, 1999. The risk-based internal audit, on the other hand, undertakes an
independent risk assessment solely for the purpose of formulating the risk-based audit plan
keeping in view the inherent business risks of an activity/location and the effectiveness of the
control systems for monitoring the inherent risks of the business activity. It needs to be
emphasized that while formulating the audit plan, every activity/location of the bank,
including the risk management function, should be subjected to risk assessment by the
risk-based internal audit.
2. Policy for risk-based internal audit
2.1. Under risk-based internal audit, the focus will shift from the present system of full-scale
transaction testing to risk identification, prioritization of audit areas and allocation of audit
resources in accordance with the risk assessment. Banks will, therefore, need to develop a well
defined policy, duly approved by the Board, for undertaking risk-based internal audit. The
policy should include the risk assessment methodology for identifying the risk areas based on
which the audit plan would be formulated. The policy should also lay down the maximum time
period beyond which even the low risk business activities/locations should not remain
unaudited.
3. Functional independence
3.1. The Internal Audit Department should be independent from the internal control process in
order to avoid any conflict of interest and should be given an appropriate standing within the
bank to carry out its assignments. It should not be assigned the responsibility of performing
other accounting or operational functions. The management should ensure that the internal
audit staff perform their duties with objectivity and impartiality. Normally, the internal audit
head should report to the Board of Directors/Audit Committee of the Board¹.
3.2. The Board of Directors² and top management will be responsible for having in place an effective
risk-based internal audit system and ensure that its importance is understood throughout the
bank. The success of internal audit function depends largely on the extent of reliance placed on
it by the management for guiding the bank's operations.
4. Risk assessment
4.1. As indicated at paragraph 1.4 above, the risk-based internal audit undertakes risk assessment
solely for the purpose of formulating the risk-based audit plan. The risk assessment would, as an
independent activity, cover risks at various levels (corporate and branch; the portfolio and
individual transactions, etc.) as also the processes in place to identify, measure, monitor and
control the risks. The internal audit department should devise the risk assessment methodology,
with the approval of the Board of Directors, keeping in view the size and complexity of the
business undertaken by the bank.
4.2. The risk assessment process should, inter alia, include the following :-
• Identification of inherent business risks in various activities undertaken by the bank.
• Evaluation of the effectiveness of the control systems for monitoring the inherent risks of
the business activities ('control risk').
• Drawing up a risk-matrix for taking into account both the factors viz., inherent business
risks and control risks. An illustrative risk-matrix is shown as a box item.
The basis for determination of the level (high, medium, low) and trend (increasing, stable,
decreasing) of inherent business risks and control risks should be clearly spelt out.
The risk assessment may make use of both quantitative and qualitative approaches. While the
quantum of credit, market, and operational risks could largely be determined by quantitative
assessment, the qualitative approach may be adopted for assessing the quality of controls in
various business activities. In order to focus attention on areas of greater risk to the bank, an
activity-wise and location-wise identification of risk should be undertaken.
The risk assessment methodology should include, inter alia, the following parameters:
• Previous internal audit reports and compliance
• Proposed changes in business lines or change in focus
• Significant change in management / key personnel
• Results of latest regulatory examination report
• Reports of external auditors
• Industry trends and other environmental factors
• Time lapsed since last audit
• Volume of business and complexity of activities
• Substantial performance variations from the budget
4.3. For the risk assessment to be accurate, it will be necessary to have in place proper MIS and data
integrity. The internal audit function should be kept informed of all developments such as
introduction of new products, changes in reporting lines, changes in accounting
practices/policies etc. The risk assessment should invariably be undertaken on a yearly basis.
The assessment should also be periodically updated to take into account changes in business
environment, activities and work processes, etc.
Inherent business risks indicate the intrinsic risk in a particular area/activity of the bank and
could be grouped into low, medium and high categories depending on the severity of risk.
Control risks arise out of inadequate control systems, deficiencies/gaps and/or likely failures in
the existing control processes. The control risks could also be classified into low, medium and
high categories.
In the overall risk assessment both the inherent business risks and control risks should be
factored in. The overall risk assessment as reflected in each cell of the risk matrix is explained
below:
a. High Risk - Although the control risk is low, this is a High Risk area due to high inherent
business risks.
b. Very High Risk - The high inherent business risk coupled with medium control risk makes
this a Very High Risk area.
c. Extremely High Risk - Both the inherent business risk and control risk are high which makes
this an Extremely High Risk area. This area would require immediate audit attention,
maximum allocation of audit resources besides ongoing monitoring by the bank's top
management.
d. Medium Risk - Although the control risk is low this is a Medium Risk area due to medium
inherent business risks.
e. High Risk - Although the inherent business risk is medium this is a High Risk area because of
control risk also being medium.
f. Very High Risk - Although the inherent business risk is medium, this is a Very High Risk area
due to high control risk.
g. Low Risk - Both the inherent business risk and control risk are low.
h. Medium Risk - The inherent business risk is low and the control risk is medium.
i. High Risk - Although the inherent business risk is low, due to high control risk this becomes a
High Risk area.
The banks should also analyse the inherent business risks and control risks with a view to assess
whether these are showing a stable, increasing or decreasing trend. Illustratively, if an area falls
within cell 'B' or 'F' of the Risk Matrix and the risks are showing an increasing trend, these areas
would also require immediate audit attention, maximum allocation of audit resources besides
ongoing monitoring by the bank's top management (as applicable for cell 'C'). The Risk Matrix
should be prepared for each business activity/location.
4.4 All banks need to put in place an independent risk assessment system in the internal audit
department for focusing on the material risk areas and prioritizing the audit work. The
methodology may range from a simple analysis of why certain areas should be audited more
frequently than others in the case of small sized banks undertaking traditional banking
business, to more sophisticated assessment systems in large sized banks undertaking complex
business activities.
5. Audit Plan
5.1. The annual audit plan, approved by the Board, should include the schedule and the rationale for
audit work planned. It should also include all risk areas and their prioritisation based on the
level and direction of risk. Illustratively, the areas or activities identified as high, very high or
extremely high risk (based on risk matrix) may be audited at shorter intervals as compared to
medium or low risk areas, which may be audited at longer intervals subject to regulatory
guidelines, as applicable.
6. Scope
6.1. The primary focus of risk-based internal audit will be to provide reasonable assurance to the
Board and top management about the adequacy and effectiveness of the risk management and
control framework in the banks' operations. While examining the effectiveness of control
framework, the risk-based internal audit should report on proper recording and reporting of
major exceptions and excesses. Transaction testing would continue to remain an essential aspect
of risk-based internal audit. The extent of transaction testing will have to be determined based
on the risk assessment. Illustratively, the bank should undertake 100 per cent transaction testing
if an area falls in cell 'C - Extremely High Risk' of the risk matrix. The bank may also consider 100
per cent transaction testing if an area falls in cell 'B - Very High Risk' or 'F - Very High Risk', and
the risks are showing an increasing trend. The banks may also consider transaction testing with
an element of surprise in respect of low risk areas which would be audited at relatively longer
intervals.
The banks may prepare a Risk Audit Matrix as shown below:
[Figure: Risk Audit Matrix]
The Audit Plan should prioritize audit work to give greater attention to the areas of:
i. High Magnitude and high frequency
ii. High Magnitude and medium frequency
iii. Medium magnitude and high frequency
iv. High magnitude and low frequency
v. Medium Magnitude and medium frequency.
6.2. The precise scope of risk-based internal audit must be determined by each bank for low,
medium, high, very high and extremely high risk areas. However, at the minimum, it must
review/report on:-
• process by which risks are identified and managed in various areas;
• the control environment in various areas;
• gaps, if any, in control mechanism which might lead to frauds, identification of fraud prone
areas;
• data integrity, reliability and integrity of MIS;
• internal, regulatory and statutory compliance;
• budgetary control and performance reviews;
• transaction testing/verification of assets to the extent considered necessary
• monitoring compliance with the risk-based internal audit report
• variation, if any, in the assessment of risks under the audit plan vis-a-vis the risk based
internal audit.
6.3. The scope of risk-based internal audit should also include a review of the systems in place for
ensuring compliance with money laundering controls; identifying potential inherent business
risks and control risks, if any; suggesting various corrective measures and undertaking follow
up reviews to monitor the action taken thereon.
7. Communication
7.1. The communication channels between the risk-based internal audit staff and management
should encourage reporting of negative and sensitive findings. All serious deficiencies should be
reported to the appropriate level of management as soon as they are identified. Significant issues
posing a threat to the bank's business should be promptly brought to the notice of the Board of
Directors, Audit Committee or top management, as appropriate.
8. Performance evaluation
8.1. The Internal Audit Department should conduct periodical reviews, annually or more frequently,
of the risk-based internal audit undertaken by it vis-a-vis the approved audit plan. The
performance review should also include an evaluation of the effectiveness of risk-based internal
audit in mitigating identified risks.
8.2. The Board of Directors/Audit Committee of Board should periodically assess the performance
of the risk-based internal audit for reliability, accuracy and objectivity. Variations, if any, in the
risk profile as revealed by the risk-based internal audit vis-a-vis the risk profile as documented
in the audit plan should also be looked into to evaluate the reasonableness of risk assessment
methodology of the Internal Audit Department.
9. Audit resources
9.1. The Internal Audit Department should be provided with appropriate resources and staff to
achieve its objectives under the risk-based internal audit system. The staff possessing the
requisite skills should be assigned the job of undertaking risk-based internal audit. They should
also be trained periodically to enable them to understand the bank's business activities,
operating procedures, risk management and control systems, MIS, etc.
10. Outsourced internal audit arrangements
10.1 The Board of Directors and top management are responsible for ensuring that the risk-based
internal audit continues to function effectively even though it is outsourced.
The following aspects may, inter-alia, be kept in view to prevent any risk of breakdown in
internal controls on account of outsourcing arrangements:-
a. Before entering into an outsourcing arrangement for risk-based internal audit, the bank should
perform due diligence to satisfy itself that the outsourcing vendor has the necessary expertise to
undertake the contracted work. The contract, in writing, should at the minimum, specify the
following:
• the scope and frequency of work to be performed by the vendor
• the manner and frequency of reporting to the bank
• the manner of determining the cost of damages arising from errors, omissions and
negligence on the part of the vendor
• the arrangements for incorporation of changes in the terms of contract, should the need
arise
• the locations where the work papers will be stored
• the internal audit reports are the property of the bank and that all work papers are to be
provided to the bank when required
• the employees authorized by the bank are to have reasonable and timely access to the work
papers
• the supervisors are to be granted immediate and full access to related work papers
b. The management should continue to satisfy itself that the outsourced activity is being
competently managed.
c. All work done by the vendor should be documented and reported to the top management
through the internal audit department.
d. To avoid significant operational risk that may arise on account of a sudden termination of the
outsourcing arrangement, the bank should have in place a contingency plan to mitigate any
discontinuity in audit coverage.
11. Risk-based internal audit is expected to be an aid to the ongoing risk management in banks by
providing necessary checks and balances in the system. However, since risk based internal audit
will be a fairly new exercise for most of the Indian banks, a gradual but effective approach would
be necessary for its implementation. Initially the risk-based internal audit may be used as a
management/audit tool in addition to the existing internal audit/inspection. Once the
risk-based internal audit stabilizes and the staff attains proficiency, it should replace the existing
internal audit/inspection. The information systems audit (IS Audit) should also be carried out
using the risk-based approach.
12. Banks should form a Task Force of senior executives and entrust them with the responsibility to
chalk out an action plan for switching over to risk-based internal audit, identifying and
addressing transitional and change management issues, implementing the plan and monitoring
the progress during the transitional period and report to the Board of Directors, periodically.
1. In case of foreign banks the reporting could be to the CEO for Indian operations.
2. In this document the expression Board/Audit Committee of Board should be taken to mean the Local Advisory
Board in case of foreign banks, unless otherwise specified.
Appendix - III
RESERVE BANK OF INDIA
Implementation of Risk-based Internal Audit (RBIA) in Banks
www.rbi.org.in
Ref. RBI 2004-05/356
DBS.CO.PP.BC. 1/11.01.005/2004-05 February 1, 2005
All Scheduled Commercial Banks
(Except Regional Rural Banks)
Dear Sirs,
As you would recall the guidelines relating to risk-based internal audit were issued by us on
December 27, 2002 vide our letter DBS.CO.PP.BC.10 /11.01.005/2002-03. A review of the
implementation of the risk-based internal audit in various banks has revealed that there are
certain gaps/deficiencies which need to be addressed in order to ensure that the RBIA
framework is effective. Some of the gaps/deficiencies observed by us are as under:
1) The risk assessment of branches should be carried out on the basis of the "inherent business
risks" and "control risks", as indicated in paragraph 4.2 of our 'Guidance note on risk based
internal audit'.
2) The risk assessment should not only indicate the level of risk as High, Medium and Low but also
the trend of risk in terms of increasing, decreasing or stable. (paragraph 4.2 of the 'Guidance
note on risk based internal audit'.)
3) The risk assessment should invariably be undertaken on a yearly basis (paragraph 4.3 of the
'Guidance note on risk based internal audit'.)
4) As mentioned in paragraph 6.1 of the 'Guidance note on Risk-based internal audit', the bank
should undertake 100 per cent transaction testing if an area falls in cell "C- Extremely High
Risk" of the risk matrix. The bank may also consider 100 per cent transaction testing if an area
falls in cell "B-Very High Risk" or "F- Very High Risk", and the risks are showing an increasing
trend. The banks may also consider transaction testing with an element of surprise in respect of
low risk areas which would be audited at relatively longer intervals. As regards the areas falling
in other cells (viz., 'A-High Risk', 'D-Medium Risk', 'E-High Risk', 'G-Low Risk', 'H-Medium
Risk', 'I-High Risk') of the risk matrix, the bank has to decide on the level of transaction testing
based on its risk based internal audit policy duly approved by the Board.
5) As indicated in paragraph 6.1 of the 'Guidance note on risk based internal audit', the bank has to
prepare a Risk Audit Matrix which would be based on the magnitude and frequency of risk.
Preparation of the Risk Audit Matrix can also enable the bank to move towards the Advanced
Measurement Approach for Operational Risk under Basel II.
2. Banks are advised to review the methodology of conducting the risk-based internal audit and the
policy in this regard so as to align the same with the guidelines issued by RBI. As already
indicated in paragraph 3 of our letter dated December 27, 2002, mentioned above, banks
should form a Task Force comprising senior executives and entrust them with the responsibility
of chalking out an action plan for switching over to risk-based internal audit. This process may
be expedited and compliance with our guidelines ensured at an early date.
Yours faithfully,
(Amarendra Mohan)
General Manager
The Institute of
Chartered Accountants of India
Indraprastha Marg, P B No. 7100
New Delhi - 110 002 INDIA
542 TG RB
ISBN 81-88437-73-5