Technical Guide on Risk-based Internal Audit in Banks
Risk-based Internal Audit
Cost-benefit Analysis
analysis of the internal audit function. In this connection, it should be noted that internal audit is invariably a cost center in any organisation. It is, therefore, necessary that the internal audit function develops and implements an effective, long range internal audit plan so that the benefits derived therefrom effectively exceed the costs allocated to the function.
1.15 The primary objective of internal audit is to provide an objective assurance on the functioning of internal controls in the bank. However, there is an inherent risk that the internal audit function may not reveal all the weaknesses in the internal controls. This may lead to risk of losses in terms of fraud, including embezzlement, and misappropriation of assets. To minimize these risks, one suggestive approach is to make the internal audit function more continuous, i.e., audit the different departments more frequently. For example, increase in frequency of internal audit may result in reduction in expected losses but increases the cost of audit function. On the other hand, decrease in frequency of internal audit, though may reduce the costs of audit function, results in risk of frauds and errors leading to financial and other losses to the bank. Thus, the decision to increase the frequency of internal audit should be based on a careful analysis of the trade-off between the cost associated with carrying out frequent internal audits vis-à-vis the expected losses arising out of not carrying out internal audit. This trade-off can be best achieved with the risk-based internal audit, which aims at optimal utilization of internal audit resources with an enterprise-wide risk management perspective.
This can be pictorially depicted as follows:
[Figure: curves AB, CD and EF with point G. Vertical axis: risk of losses due to non-audit / cost of internal audit resources. Horizontal axis: frequency of internal audit.]
1.16 In the above diagram, the curve AB denotes the risk curve, which represents that as the frequency of internal audit increases, the risk of non-detection of ineffective internal controls (and consequently the expected losses) decreases. The curve CD denotes the cost curve, which represents that as the frequency of internal audit increases, the costs associated with carrying out internal audit increase. The curve EF denotes the total cost curve (which includes the cost of non-detection of ineffective internal controls in terms of expected losses and the cost of resources allocated to internal audit function), which decreases upto a certain level and thereafter increases. Point G is where the total cost is at its minimum and is ideal for a risk-based scenario.
Key Audit Decisions of a Risk-based Internal Audit
1.17 Keeping the above theoretical background in mind, it is important to note that the risk-based internal audit is an important tool in aiding the management decision in relation to the following aspects of internal audit function.
Frequency of Audit
1.18 The risk-based approach of internal audit assists the management in deciding the frequency of the audit. After undertaking the risk assessment of the auditee units in the audit universe, these units can be categorized on the basis of the risk parameters as high, medium or low risk units. These units can then be subjected to the internal audit at a frequency suited to their risk profile. This can be achieved by subjecting the units with a high-risk profile to internal audit more frequently than the units that exhibit a low-risk profile. Thus, risk assessments of audit units determine the frequency of the internal audit and thus assist in optimal allocation of audit resources.
Scope of Audit
1.19 Scope of internal audit refers to the extent to which the testing of internal controls in an internal audit assignment should be undertaken. As a general principle, high-risk audit units such as treasury division of the bank should be subject to 100% transactions testing. However, units with a relatively low-risk profile activity such as allocation of the lockers to the customers may be subject to a sample testing. In this connection, members are also advised to refer to the Auditing and Assurance Standard (AAS) 15, Audit Sampling, for guidance on using statistical sampling techniques for undertaking audit assignments. However, the sampling technique proposed to be so adopted should first be placed for the approval of the audit committee, if any.
Timing of Internal Audit
1.20 It is a known fact that no internal audit function has the resources to audit all the auditable units simultaneously. Therefore, the third key decision that can be taken using the risk-based internal audit is to ensure that the riskier unit is subject to audit sooner than the less risky audit units. This can be achieved by adoption of a fixed timing policy of internal audit whereby the less risky units are subject to internal audit at known fixed intervals. However, the high-risk audit units can be subject to a random timing policy (where the frequency and timing of audits is unpredictable to the auditable unit). Surprise visits and snap audits, in addition to full-scale internal audit, are components of random timing policy. For auditable units with medium-risk profile, internal audit should be based on conditional timing policy, under which internal audits are scheduled when units exhibit a deterioration of controls or performance along with some key dimension. The deterioration can be observed on the basis of analysis and scrutiny of the key returns on the performance of the auditable unit.
Size of the Internal Audit Team
1.21 Risk-based internal audit approach assists the management (where the internal audit function is in-house) and the audit firm (where the internal audit function is outsourced) in determination of the size of the internal audit team. If risk factors reflect the management concerns, then they can be used as a basis for establishing the size of the internal audit team appropriate to address the most important audit units.
1.22 To ensure that the cost factors are effectively factored into audit decision and the key audit decisions, as explained above, are more risk-based, banks are advised by the RBI to make a gradual move towards risk-based internal audit system which includes, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures prevailing in various areas of a bank's operations. The implementation of risk-based internal audit would mean that greater emphasis is placed on the internal auditor's role in mitigating risks. While focusing on effective risk management and controls, in addition to appropriate transaction testing, the risk-based internal audit would not only offer suggestions for mitigating current risks but also anticipate areas of potential risks and play an important role in protecting the bank from various risks.
Advantages of Risk-based Internal Audit
1.23 The advantages of risk-based approach of the internal audit function are as follows:
- It appropriately defines the audit universe and identifies the auditable units within the entity for which these analyses would be carried out.
- It assists the management in identification of appropriate risk factors to reflect the management's concerns.
[Figure: flowchart of steps leading to the Risk-based Internal Audit Plan. Boxes: identify the auditable units; determine the risk of non-audit of unidentifiable auditable units; categorize the risks; conduct risk assessment of auditable unit; categorize the auditable unit; finalization of the risk-based internal audit plan; submission and approval from the Audit Committee.]
Steps in Risk-based Internal Audit of Banks
2.1.10 Each of the above steps are described as follows:
Preparation
2.1.11 The first step involves the initiation of the risk-based internal audit process at the bank. The idea at this stage is to treat the risk-based audit concept as a distinct project with an objective of formulation of audit plan with more risk focus at the end of the project. For this purpose, it is absolutely necessary at this stage to:
- Establish the project team
- Clarify the roles and responsibilities of the project team
- Scheduling the project tasks
- Communication
2.1.12 Depending upon the size of the bank, the risk-based internal audit project can be handled by a small team of audit professionals or by an individual. While choosing the professionals for this assignment, it should be ensured that they have adequate internal audit and risk management expertise. Few criteria for selection of professionals for this assignment include, experience in conducting risk assessments, audit planning experience and ability to analyze and synthesize a wide range of information.
2.1.13 After choosing appropriate professionals for the assignment, it is important to clarify the roles and responsibilities of the team members of the risk-based internal audit assignment. This involves designation of a senior professional as the project authority, having overall responsibility for the entire project. The team leader would be assisted by the team members who would be responsible for proposing and executing an approach for implementation of the project. The team would have extensive interactions with the senior management of the auditable units who would be responsible for participation in meetings for identification and assessing the key risks faced by the auditable units.
2.1.14 As the project gets started, it is important to ensure that the project is accomplished with tight deadlines and reporting responsibilities. This requires formulation of a project plan and providing the team members with appropriate tools such as policies/procedures, checklists for evaluation and the software, if any, necessary to execute the plan and document the results. Effective planning demands communication of the established approach to all the participant units such that all the members of the team are at the same wavelength.
Identification of auditable units
2.1.15 The next step towards risk-based internal audit is to identify all the activities that are susceptible
Legal and regulatory risk: Risk of failing to comply with laws and regulations.
Reputational risk: The risk of loss of the reputation of the bank in the general public due to the failure to conduct its business upto the standards expected.
Event risk: Risk of unanticipated changes in external environment other than macro economic factors.
Control Risk
2.4.1 Once the risks are identified as above, it should be ensured that the bank has appropriate risk management systems in place, which define the control environment and prescribe the control procedures for mitigation of the above risks. In this context, it is relevant to understand the concept of the control environment and the control procedures as risk management tools.
Control Environment
2.4.2 The Auditing and Assurance Standard 6, Risk Assessments and Internal Control defines the term "control environment" as "the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity". The control environment has an effect on the effectiveness of the specific control procedures and provides the background against which other controls are operated. A strong control environment, for example, one with tight budgetary controls and an effective internal audit function, can significantly complement specific control procedures.
2.4.3 In a banking organisation, the factors reflected in the control environment include:
- Organizational structure of the bank and the methods of assigning authority and responsibility including segregation of duties and supervisory functions
- Role of Board of Directors and its committees in defining control environment and adopting appropriate control procedures
- Management's philosophy and operating style
- Management's control system including the internal audit function, personnel policies and procedures
Control Procedures
2.4.4 The Auditing and Assurance Standard 6, Risk Assessments and Internal Control defines the term "control procedures" as "those policies and procedures, in addition to the control environment, which the management has established to achieve the entity's specific objectives". In the context of banking organisation, the specific control procedures include:
- Approving and controlling of documents
- Segregation of duties and supervisory functions
- Decision making subject to the "four eyes" (those of the maker and the checker) concept of management
- Reporting and reviewing of exceptions
- Comparing the internal data with external sources of information
- Restricting direct access to assets, records and information
- Information system controls, which include controls over changes to computer programs and access to data files
2.4.5 As observed above, while the establishment of the control environment is the responsibility of the top management of the bank, designing of appropriate control procedures for mitigation of risks is the responsibility of the risk management department. An independent risk management function, operating in a proactive control environment, designs the control procedures, which are to be implemented on a bank-wide basis.
2.4.6 The internal auditor, while developing a risk-based internal audit plan should obtain an understanding of the control environment sufficient to assess management's attitudes, awareness and actions regarding internal controls and their importance in the bank. The internal auditor should also obtain an understanding of the control procedures sufficient to develop the risk-based audit plan.
2.4.7 From the point of view of risks, the role of internal audit at this juncture is twofold:
- Ascertaining the inherent risk of the risk management function and identifying the extent of the areas where the control procedures are not established by the risk management function
- Evaluating the risk involved in the control procedures designed for mitigation of risks
2.4.8 After obtaining an understanding of the control environment and control procedures and having satisfied himself that control procedures are existent in all the auditable units, the internal auditor should make a preliminary assessment of control risk. The preliminary assessment of control risk is the process of evaluating the likely effectiveness of an entity's
5. E, High Risk: Although the inherent business risk is medium, this is a High Risk area because of control risk also being medium.
6. F, Very High Risk: Although the inherent business risk is medium, this is a Very High Risk area due to high control risk.
7. G, Low Risk: Both the inherent business risk and control risk are low.
8. H, Medium Risk: The inherent business risk is low and the control risk is medium.
9. I, High Risk: Although the inherent business risk is low, due to high control risk this becomes a High Risk area.
2.5.1 Once the risk assessment exercise is undertaken by the internal auditor and the auditable units are arranged as per the risk matrix as explained above, the next step is to devise the risk-based audit plan detailing out the priorities, nature, timing and extent of internal audit procedures in an auditable unit with reference to the risk categorization of the auditable unit. Internal audit priorities are driven primarily by the need to assess the risk management practices and controls to varying levels of assurance or by a need for advice.
Scope
2.5.2 The precise scope of risk-based internal audit must be determined by each bank for low, medium, high, very high and extremely high risk areas. However, as per the extant guidelines of RBI, at the minimum, it must review/report on:
- Process by which risks are identified and managed in various areas
- The control environment in various areas
- Gaps, if any, in control mechanism which might lead to frauds, identification of fraud prone areas
- Data integrity, reliability and integrity of MIS
- Internal, regulatory and statutory compliance
strategies and practices, management control frameworks and practices and information used for decision making and reporting.
Consulting. Consulting assignments are designed to provide senior management with assistance. These assignments are not designed to provide assurance as mentioned above.
(iv) Frequency. The risk-based internal audit plan should also outline the frequency within which the auditable units are subject to the internal audit. It should be noted that the frequency of the audit is a function of the internal audit priorities as outlined above and the available internal audit resources etc. However, all the auditable units should be subject to one form or other of internal audit at intervals as decided by the management but preferably, at least once in three years.
(v) Extent of testing. The primary focus of risk-based internal audit will be to provide reasonable assurance to the Board and top management about the adequacy and effectiveness of the risk management and control framework in the banks' operations. While examining the effectiveness of the control framework, the risk-based internal audit should report on proper recording and reporting of major exceptions and excesses. As per the extant guidelines of RBI, transaction testing would continue to remain an essential aspect of risk-based internal audit of banks. The extent of transaction testing would be determined on the basis of risk assessment. Illustratively, the bank should undertake 100 per cent transaction testing if an area falls in cell "Extremely High Risk" of the risk matrix. The bank may also consider 100 per cent transaction testing if an area falls in cell "B-Very High Risk" or "F-Very High Risk", and the risks are showing an increasing trend. The banks may also consider transaction testing with an element of surprise in respect of low risk areas, which would be audited at relatively longer intervals.
(vi) Resource requirements. The plan for risk-focused audit should also specify an estimated range of level of effort required to carry out the project. The effort estimate should take into consideration the following factors:
- Nature of internal audit assignment (consulting, assurance)
- The scope of the internal audit assignment (including considerations of audit period, business process and the business objectives to be assessed)
- The complexity of auditable unit, business processes and systems in scope
- The availability of internal audit and subject matter expertise
- The quality and quantity of existing documentation in the subject area
- The audit approach and techniques to be used (e.g., interviews, transaction sampling, workshops, computer assisted audit tools, etc.).
As per the guidelines of RBI, the internal audit function should be provided with appropriate resources and staff to achieve its objectives under the risk-based internal audit system. The staff possessing the requisite skills should be assigned the job of undertaking risk-based internal audit. They should also be trained periodically to enable them to understand the bank's business activities, operating procedures, risk management and control systems, MIS, etc.
(vii) Submission of the internal audit plan. The results of the above process including toolset requirements for the risk-based internal audit should be presented and validated by the senior management. It is important to engage senior management in this process to seek their final input on the highest priorities for internal audit and to ensure that there is adequate support for the rationale provided. It is, therefore, recommended to seek the views of the senior management of the auditable units on the risk-based internal audit plan and incorporate the necessary suggestions in the audit plan. The final plan as acceptable to the internal audit function and the auditable units is to be placed before the Audit Committee of the Board of Directors for their final approval.
CASE STUDY
Risk Assessment of an Auditable Unit-Retail Loan Department
Let us consider, for example, one of the identified auditable units by the internal auditor as "Retail Loan department". This includes further sub-units such as home loans, commercial vehicle loans, personal loans, auto loans and two wheeler loans departments. Once the auditable unit is identified, the following steps are to be undertaken for ensuring the risk appetite of the retail loan department.
Identification of inherent business risk: In retail loan portfolio, the major inherent business risk is the credit risk, i.e., risk of default by a retail borrower.
Identification of control procedures: To ensure that the credit risk is appropriately taken care of, adequate control policies and procedures are to be formulated by the retail risk management department of the bank. These procedures might include:
- Devising the scorecard approaches specifying the criteria for acceptance of customer.
- Segregation of the functions of sourcing the borrowers and sanctioning of the loans.
- Establishment of an independent risk control unit, which undertakes the verification of the accuracy of the loan documents along with the necessary supplementary documents submitted by the borrower including their authenticity itself.
- Designing a proper MIS framework resulting in appropriate monitoring of the portfolio including periodic, exception reports being generated.
- Ensuring adequate personnel to undertake the study of the movement of the retail loan portfolio with particular emphasis on the trend of the delinquency ratios being observed over a period of time.
- Creation of a separate loan collection network for following up with the delinquent borrowers.
The formulation of the above control procedures is, as mentioned above, the responsibility of the risk management department. However, once the procedures are formulated there is a risk that they may not be properly implemented due to failure of people, process or systems. This risk is technically termed as operational risk.
The internal auditor who is undertaking the risk assessment of the retail loan department of a bank has to primarily understand the procedures determined for mitigating the credit risk inherent in the retail loan portfolio. While understanding the procedures, he may come across certain areas in the retail loan portfolio, which may not be covered by the above procedures. For example, the sourcing of the borrowers function has been entrusted to an external agency by the bank. In that situation, the outsourcing risks arising out of the external agency arrangement may be of particular concern for determining the operational risk of the retail loan department. These outsourcing risks include, risk of fake field investigation, dubious reports being submitted by the external agency, etc. The internal auditor in such case can suggest to the risk management department, the risk mitigants to be formulated to obviate the outsourcing risks. However, it should be noted that the ultimate responsibility of designing appropriate control procedures lies with the risk management department.
Preliminary assessment of the control risk
While undertaking the preliminary assessment of the control risk, the internal auditor should determine the likelihood of the risk of a particular process or function not adequately covered by the control procedures. He should also, in such circumstances, understand the quantum of the risk being identified and document the internal audit procedures undertaken to reach such conclusion.
Risk Rating
For the purpose of risk assessment, the internal auditor may adopt a rating criteria for assessing the risks, both inherent and control, which would assist him in objective evaluation of the risks in the auditable unit. This exercise requires the internal auditor to rate the risk posed by the auditable unit on a pre-defined rating scale where the low rating would indicate a low risk and vice versa. Such an exercise would result in the standardization of the risk assessment and assist the internal auditor in documenting the steps undertaken for the risk assessment.
Tests of controls
After the preliminary assessment, the internal auditor, if he feels that the situation demands that the tests of controls should be undertaken, should take appropriate steps to independently test the operation of the internal control procedures. For this purpose, he may take up appropriate credit files and try to evidence the observance of the prescribed procedures. These tests of controls further supplement the preliminary assessment of internal control in reaching a conclusion about the control risk of the retail loan department.
Risk Mapping
After identification of the inherent and the control risks of the retail loan department, the internal auditor is required to make a judgment about the nature of these risks as high, medium or low depending on the results of the audit procedures as above, including the results of the tests of the control undertaken, if any, and document the decision of the risk assessment of the retail loan department.
Chapter 3
Other considerations
The following factors should also be considered while undertaking the risk-based internal audit assignments as per the extant guidelines of RBI:
Functional independence
3.1.1 The internal audit function should be independent from the internal control process in order to avoid any conflict of interest and should be given an appropriate standing within the bank to carry out its assignments. It should not be assigned the responsibility of performing other accounting or operational functions. The management should ensure that the internal audit staff performs their duties with objectivity and impartiality. Normally, the internal audit head should report to the Board of Directors through Audit Committee of the Board.
3.1.2 The Board of Directors and top management will be responsible for having in place an effective risk-based internal audit system and ensure that its importance is understood throughout the bank. The success of internal audit function depends largely on the extent of reliance placed on it by the management for guiding the bank's operations.
3.1.3 In this context, attention is invited to the Auditing and Assurance Standard 7, "Relying Upon the Work of An Internal Auditor" which provides that the general evaluation of the internal audit function will assist the external auditor in determining the extent to which he can place the reliance on the work of internal auditor. The Standard also requires the organizational status of the internal audit function to be examined as a part of the general evaluation and provides that:
"Whether internal audit is undertaken by an outside agency or by an internal audit department within the entity itself, the internal auditor reports to the management. In an ideal situation he reports to the highest level of management and is free of any other operating responsibility. Any constraints or restrictions placed upon his work by management should be carefully evaluated."
Communication
3.2 The communication channels between the risk-based internal audit staff and management should encourage reporting of negative and sensitive findings. All serious deficiencies should be reported to the appropriate level of management as soon as they are identified. Significant issues posing a threat to the bank's business should be promptly brought to the notice of the Audit Committee or top management, as appropriate. In particular, the internal auditor should be free to communicate fully with the external auditor.
Performance evaluation
3.3.1 The Internal audit function should conduct periodical reviews, annually or more frequently, of the risk-based internal audit undertaken by it vis-à-vis the approved audit plan. The performance review should also include an evaluation of the effectiveness of risk-based internal audit in mitigating identified risks.
3.3.2 The Audit Committee of Board should periodically assess the performance of the risk-based internal audit for reliability, accuracy and objectivity. Variations, if any, in the risk profile as revealed by the risk-based internal audit vis-à-vis the risk profile as documented in the audit plan should also be looked into to evaluate the reasonableness of risk assessment methodology of the internal audit function.
Relationship with the external auditor
3.4 While the external auditor has the final responsibility for the audit report signed by him and for determination of the nature, timing and extent of the auditing procedures, much of the work of the internal audit function may be useful to him in his examination of the financial information. Towards this end, the Auditing and Assurance Standard 7, "Relying Upon The Work Of An Internal Auditor" provides for a framework of relationship between the internal auditor and the external auditor, which should be considered while determining the risk-based audit plan.
Chapter 4
The Way Ahead
Risk-based internal audit is expected to be an aid to the ongoing risk management in banks by providing necessary checks and balances in the system. However, since risk-based internal audit will be a fairly new exercise for most of the Indian banks, a gradual but effective approach would be necessary for its implementation.
In this connection, it is important to note that the ICAI has come out with several audit pronouncements including Guidance Note on Audit of Banks, which will provide guidance on risk assessment and its importance to the audit function. The growing concern of internal controls particularly in a post-Sarbanes Oxley era and its applicability to the banking industry is a professional opportunity for the members of the Institute to contribute to the enterprise-wide risk management initiatives of the banks using the internal audit function.
Further, the risk management perspective of the operations is being given due importance under the proposed Basel International Capital Adequacy framework whereby the banks with increased risk mitigant strategies are rewarded suitably with the lower capital requirements whereas the high risk banks are subject to stringent capital requirements.
Further, the RBI has advised that initially the risk-based internal audit may be used as a management/audit tool in addition to the existing internal audit/inspection. Once the risk-based internal audit stabilizes and the internal audit staff or the team (where the internal audit function is outsourced) attains proficiency, it should replace the conventional internal audit approach/inspection.
Reserve Bank of India circulars on Risk-based Internal Audit
I DBS.CO/RBS/58/36.01.002/2001-02 dated August 13, 2001
II DBS.CO.PP.BC.10/11.01.005/2002-03 dated December 27, 2002
III DBS.CO.PP.BC.1/11.01.005/2004-05 dated February 1, 2005
Appendices
Appoadix - |
Hovo Iowards Risk basod 8uporvisioa (RB8) oI baaks -
0iscussioa Papor
!?tl Angnst 2uu!
DI8.cO/ kI8/5S/?0.u!.uu2/2uu!-u2
All 8clednled commeicial Ianks
(fxcept kegional knial Ianks)
Deai 8iis,
Please ieei to paiagiapl 0 o oni coveinoi's statement on 'Monetaiy and ciedit Policy oi tle
yeai 2uuu-2uu!' wleiein it las been stated tlat tle keseive Iank wonld be developing an
oveiall plan oi moving towaids kisk-based 8npeivision (kI8) witl tle assistance o
inteinational consnltants. Accoidingly, Piice watei lonse coopeis (Pwc), a iimo consnltants
based in Iondon, weie engaged to nndeitake a ieview o tle cniient iegnlatoiy and snpeivisoiy
iegime and piepaie tle blne piint oi tle tiansition to a moie soplisticated system o kI8
incoipoiating inteinational best piactices. A discnssion papei on tle 'Move towaids kisk-based
8npeivision o banks' las been piepaied snmmaiizing tle iecommendations o tle consnltants
and is enclosed.
2. It may be observed from the discussion paper that the Reserve Bank would focus its supervisory
attention on the banks in accordance with the risk each bank poses to itself as well as to the
system. The risk profile of each bank would determine the supervisory programme comprising
off-site surveillance, targeted on-site inspections, structured meetings with banks,
commissioned external audits, specific supervisory directions and new policy notices in
conjunction with close monitoring through a Monitorable Action Plan (MAP) followed by
enforcement action, as warranted. The successful implementation of the process of RBS entails
adequate preparation, both on the part of the Reserve Bank and the commercial banks.
3. The introduction of RBS would require the banks to reorient their organisational set up towards
RBS and put in place an efficient risk management architecture, adopt risk focused internal
audit, strengthen the management information system, and set up compliance units. The banks
would also be required to address HRD issues like manpower planning, selection and
deployment of staff and their training in risk management and risk based audit. It is evident that
change management is a key element in RBS and the banks should have clearly defined standards
of corporate governance, well documented policies and efficient practices in place so as to
clearly demarcate the lines of responsibility and accountability so that they align themselves to
meet the requirements of RBS.
4. The discussion paper may please be placed before the Board of Directors for deliberation in the
next meeting. The comments of the bank on the various aspects of the discussion paper may
please be forwarded to us as early as possible but before September 30, 2001. On the basis of the
feed back received from the banks further discussions would be held.
5. In the meanwhile, kindly acknowledge receipt.
(A.L.Narasimhan)
Chief General Manager-in-charge
Encl: Discussion paper on 'Move towards risk based Supervision of banks'
Reserve Bank of India
Department of Banking Supervision - Central Office
Move towards Risk-based Supervision of Banks - A Discussion Paper
Part I
Background
1. The international banking scene has in recent years witnessed strong trends towards
globalization and consolidation of the financial system. Stability of the financial system has
become the central challenge to bank regulators and supervisors throughout the world. The
multi-lateral initiatives leading to evolution of international standards and codes and evaluation
of adherence thereto represent resolute attempts to address this challenge.
2. The Indian banking scene has witnessed progressive deregulation, institution of prudential
norms and an emulation of international supervisory best practices. The supervisory processes
have also concomitantly evolved and have acquired a certain level of robustness and
sophistication with the adoption of the CAMELS[1]/CALCS[2] approach to supervisory risk
assessments and rating. The tightening of exposure and prudential norms and enhancement in
disclosure standards in phases over a period of time have more closely aligned the Indian
banking system to international best practices. Reserve Bank of India (RBI) has been constantly
endeavouring to enhance the sophistication and efficiency levels of its supervisory processes.
3. The announcement made by the Governor, RBI, as part of the monetary and credit policy
statement for 2000-2001 that RBI would be developing an overall plan for moving towards risk-
based supervision (RBS) with the assistance of international consultants signified the launch of
a new initiative in this direction. PricewaterhouseCoopers (PwC) based in London, were
selected to undertake a review of the current regulatory and supervisory processes of the RBI
with a view to assisting in the introduction of risk based regulation and supervision in India. The
RBS will be a regime in which RBI's resources will be directed towards the areas of greater risk to
its supervisory objectives. There are two legs to implementing effective risk-based processes:
first, explicit supervisory objectives must be set and secondly, the risks posed to these objectives
by the activities of commercial banks must be assessed and addressed. The current review
represents further stage in the overall development of RBI's approach to regulating and
supervising banks in the light of the earlier Padmanabhan Committee and Narasimham
Committee reports. Based on the work of the international consultants, RBI intends to move
towards a RBS system in stages.
Current approach
4. The current supervisory process adopted by the Department of Banking Supervision (DBS) is
applied uniformly to all supervised institutions. Though scrutiny of systems and procedures
prevailing in supervised institution is an integral part of on-site inspection, there is scope for
more focus on the risk profile of the institutions. The current approach is largely on-site
inspection driven supplemented by off-site monitoring and the supervisory follow-up
commences with the detailed findings of annual financial inspection. The process is based on
CAMELS/CALCS approach where capital adequacy, asset quality, management aspects,
earnings, liquidity and systems and control are examined keeping in view the requirements of
Section 22 of the Banking Regulation Act, 1949. The on-site inspections are conducted, to a
large extent with reference to the audited balance sheet dates. The off-site and market
intelligence play a supplemental role. While in several external jurisdictions, the supervisory
process extensively leverages on the work done by others, such as the internal and external
auditors, the use made of these resources in India is rather limited. No legal framework exists for
the external auditors to report to the supervisor their adverse findings on issues having
supervisory implications.
Risk-based supervision - A New approach
5. Considering the growing diversities and complexities of banking business, the spate of product
innovation with complex risk phenomena, the contagion effects that a crisis can spread and the
consequential pressures on supervisory resources, the RBS approach, the foundation of which
would be based on the CAMELS based approach, would be more appropriate. By optimizing the
synergies from the different activities, including the regulatory and supervisory functions, the
overall efficiency and effectiveness of the supervisory process can be substantially enhanced.
Objectives of RBS
6. The RBS approach essentially entails the allocation of supervisory resources and paying
supervisory attention in accordance with the risk profile of each institution. The approach is
expected to optimize utilisation of supervisory resources and minimize the impact of crisis
situation in the financial system. The RBS process essentially involves continuous monitoring
and evaluation of the risk profiles of the supervised institutions in relation to their business
strategy and exposures. This assessment will be facilitated by the construction of a Risk matrix
for each institution.
7. The instruments of RBS will be by way of enhancement as well as refining of the supervisory
tools over those traditionally employed under the CAMELS approach viz. on-site examination
and off-site monitoring. The RBS processes and the outcome will be forward looking beyond
focusing attention on the rectification of deficiencies with reference to the on-site inspection
date. The extent of on-site inspection would be largely determined by the quality and reliability
of off-site data, and the reliability of the risk profile built up by banks. The effectiveness of the
RBS would clearly depend on banks' preparedness in certain critical areas, such as quality and
reliability of data, soundness of systems and technology, appropriateness of risk control
mechanism, supporting human resources and organisational back-up.
Supervision process
The major elements of RBS approach are set out below:
Risk profiling of banks
8. The central plank for RBS is an accurate risk profiling for each bank. The risk profile would be a
document, which would contain various kinds of financial and non-financial risks faced by a
banking institution. The risk assessment would entail the identification of financial activities in
which a bank has chosen to engage and the determination of the types and quantities of risks to
which these activities expose the banking institution. The type of risk that banking institution
face individually or in combination include, but are not limited to, credit, market, liquidity,
operational, legal and reputational risks. The quantity of risks associated with a given activity
may be assessed by the volume of assets and the off-balance sheet items that the activity
represents or the portion of revenue derived from that activity. Activities that are new to an
institution or for which exposure is not readily quantifiable may also represent high risk to an
institution that would also be evaluated and included in the risk profile document. The risk
profile will also be designed to provide a systematic assessment from the supervisor's perspective
of the adequacy and effectiveness of the bank's organisation, management and controls. The
main risk-profiling device at present is the CAMELS rating based on on-site inspection, which in
course of time will be derived from off-site returns and other information. CAMELS rating
would continue to be the core of risk profile compilation, but the successive ratings would be
used to reflect trends in contrast to being used as a static annual indicator of risk.
9. The risk profile of each bank will draw upon a wide range of sources of information, besides
CAMELS rating, such as, off-site surveillance and monitoring (OSMOS) data, market
intelligence reports, ad-hoc data from external and internal auditors, information from other
domestic and overseas supervisors, on-site findings, sanctions applied etc. The data inputs
would be assessed for its significance and quality before being fed into the risk profile. All
outliers i.e. banks which fall outside the normal distribution based on characteristics such as
profitability, new business activity, balance sheet growth etc. would be identified on the basis of
a two-tailed test (i.e. too good or too bad) and investigated on a regular basis. The risk profile
would be constantly updated.
10. The key components of the risk profile document would be the following:
- CAMELS rating with trends
- Narrative description of key risk features captured under each CAMELS component
- Summary of key business risks including volatility of trends in key business risk factors
- Monitorable action plan and bank's progress to date
- Strength, Weaknesses, Opportunities, Threats (SWOT) analysis
- Sensitivity analysis.
RBI would undertake a formal assessment of the risk profile of each bank on a regular basis. The
period between assessments would vary depending on the materiality of the risk profile of a
bank, with an average period of one year. However, more frequent assessments would be
resorted to for higher risk banks and less frequent assessment for lower risk banks.
Supervisory cycle
11. The supervisory process would commence with the preparation of the bank risk profile (based
on data furnished by banks to the DBS of RBI, besides data from other sources). The supervision
cycle will vary according to risk profile of each bank, the principle being the higher the risk the
shorter will be the cycle. The supervision cycle will remain at 12 months in the short-term and
will be extended beyond 12 months for low risk banks at a suitable stage. In cases where more
frequent application of supervisory process will be necessary, the cycle could even be lesser than
12 months.
Supervisory programme
12. RBI would prepare a bank specific supervisory programme which will set out the detailed work
plan for the bank. The scope and objectives of the inspection programme will derive from
analysis of risk profile. The supervisory programme would be tailored to individual banks and
would focus on the highest risk areas as well as specify the need for further investigation in
identified problem areas. The supervisory programme would be prepared at the beginning of
the supervisory cycle and would yet be flexible enough to permit amendments warranted by
subsequent major developments. The supervisory programme would also identify the package
of supervisory tools to be deployed from a range consisting of:
- greater off-site surveillance
- targeted on-site inspection
- structured meetings with banks
- commissioned external audits
- specific supervisory directions
- new policy notices (i.e. new policy directions to banks emanating from individual bank level
concerns which are relevant for the industry).
On-site inspection would be largely targeted to specific areas unless a full scope inspection is
warranted as per the bank-specific supervisory programme. A monitorable action plan (MAP),
the details of which are given later, to mitigate risks to supervisory objectives posed by individual
banks would be drawn up for follow-up. Variable supervisory cycles and variable frequency of
inspections would therefore characterise the supervisory process under RBS.
Inspection process
13. The risk assessment of individual banks would be performed in advance of on-site supervisory
activities. The risk assessment process would highlight both the strengths and vulnerabilities of
an institution and would provide a foundation from which to determine the procedures to be
conducted during the inspection. The current full-scope on-site inspections, which are carried
out annually cover a substantive asset evaluation. The inspections under the new approach
would be largely systems based rather than laying emphasis on underlying transactions and
asset valuations. The inspection would target identified high-risk areas from the supervisory
perspective and would focus on the effectiveness of mechanism in capturing, measuring,
monitoring and controlling various risks. The inspection procedure would continue to include
transaction testing and evaluation the extent of which will depend on the materiality of an
activity and the integrity of the risk management system and the control process.
Review, evaluation and follow-up
14. An evaluation will be undertaken to ensure that the supervisory programme has indeed been
completed and been effective in improving the risk profile of the bank concerned. If need be,
further tools will be employed including additional inspection visits. The findings of inspection
and other supervisory information on records would be used to produce a comprehensive
document of supervisory risks and the bank's assigned ratings for follow-up of supervisory
concerns. The risk profile document of the bank will accordingly be updated in the light of new
information. This process will support the issue of the supervisory letter to the bank, which
would be discussed with the bank's management or the Board of Directors.
Monitorable action plan
15. The aim of supervisory follow-up would be to ensure that banks take corrective action in time to
remedy or mitigate any significant risks that have been identified during the supervisory
process. The major device in this respect would be the MAP. MAPs are already used by RBI to set
out the improvements required in the areas identified during the current on-site and off-site
supervisory process. However, MAPs would be made more robust in a number of ways. MAPs
will in many cases include directions to banks on actions to be taken. The remedial actions that
would be outlined, would be tied explicitly to the areas of high risks identified in the risk
profiling as well as the supervisory process and should lead to improvements in the systems and
controls environment at the bank. Key individuals at the bank would have to be made
accountable for each of the action points. If actions and timetable set out in the MAP are not met,
RBI would consider issuing further directions to the defaulting banks and even impose sanctions
and penalties.
Supervisory organisation
16. Within the RBI, the regulatory and supervisory structure function separately at present making
it necessary for banks to have more than one contact point with the RBI Regulation (DBOD) and
Supervision (DBS) departments for their interaction on supervisory and regulatory issues. As
the bank specific issues would be with reference to the broad regulatory framework in place, a
central Point of contact in RBI would be of convenience to banks. Under the RBS, there would be
a focal point for all contacts by banks both at the Central Office of RBI and its ROs, in respect of
all matters relating to regulatory/supervisory issues. This focal point would be the main conduit
for information and communication between the banks and RBI.
Enforcement process and incentive framework
17. While the aim of supervisory follow-up is to ensure that banks take corrective action to mitigate
significant risks, the persistence of deficiencies would pose a risk to RBI's supervisory objectives.
A system of incentives and disincentives has been contemplated under the RBS to better serve
attainment of these objectives. Banks with a better compliance record and a good risk
management and control system could be entitled to an incentive package which could be in the
form of longer supervisory cycle and lesser supervisory intervention. The banks, which fail to
show improvement in response to the MAP, would be subjected to a disincentive package such as,
more frequent supervisory examination and higher supervisory intervention including
directions, sanctions and penalties. The mandatory and discretionary actions as enshrined in the
Prompt Corrective Action (PCA) framework would be a part of the supervisory enforcement
action. The enforcement function would be carried out through an independent Enforcement
Cell to be set up at the BSD to ensure consistency of treatment, maintain objectivity and
neutrality of enforcement action.
Role of external auditors in banking supervision
18. The use of specialist third parties, such as, external auditors can be of significant aid to the bank
supervisors. In some countries, external auditors are required to perform an early warning
function and inform supervisors without delay of information material to the supervisor. The
Basel consultative paper 'Internal audit in banks and the relationship of the supervisory
authorities with internal and external auditors' discusses the commonality of focus and concern
of external auditors and bank supervisors. The supervisory process instead of duplicating the
efforts of the external and internal auditors in some areas should seek to leverage off the work
done by these agencies. Towards part achievement of this goal, the LFAR format, which is
currently under revision, will have to be brought into use at the earliest. RBI would look forward
to make more use of external auditors as a supervisory tool by widening the range of tasks and
activities which external auditors perform at present. RBI would enter into dialogue with the
Institute of Chartered Accountants of India and the bank management to chalk out an action
plan.
Change management implications
19. Change management is a key element in ensuring that switchover to RBS takes place in an
orderly and effective manner. Banks should have clearly defined standards of corporate
governance and documented policies and practices in place so as to clearly demarcate the lines
of responsibility and accountability. They will have to address several organisational issues to
realign themselves to meet the requirements of RBS. The details of actions that need to be taken
by banks are enumerated in Part II.
Part II
20. Bank level preparations
(a) Setting up of risk management architecture
With the progressive deregulation of the financial system as also to address systemic concerns
on the safety and soundness of the banking system, RBI advised banks in India in February 1999
to introduce, effective from April 1, 1999, a scientific system of Asset-Liability Management.
RBI also issued in October 1999 comprehensive guidelines for putting in place an effective and
comprehensive Risk Management System. The guidelines envisaged that banks would set up
proper organizational structure, policies, procedures, limits for credit, market and operational
risk management. Under the ALM guidelines banks were expected to cover 100% of their assets
and liabilities by April 1, 2000. A review undertaken by RBI has revealed that most of the banks
are yet to cover 100 per cent of their assets and liabilities for ALM or set up proper risk
management systems and policies for managing credit, market, operational and other risks.
As stated earlier in paragraph 13, supervisory resources would be focused on the areas of higher
risks to a bank. The risk profile would highlight both the strengths and vulnerabilities of a bank
and would provide a foundation from which to determine the procedures to be conducted
during an on-site examination. Under a risk-focused on-site examination approach, the degree
of transaction testing would be reduced when internal risk management processes are
determined to be adequate or risks are considered minimal. When, however, risk management
processes or internal controls are considered inappropriate, additional transaction testing
sufficient to fully assess the degree of risk exposure in a function or activity would be performed.
It would be necessary for banks to carry out a fresh review of their current status of risk
management architecture by an expert team and initiate measures to bridge the gaps.
(b) Adoption of risk focused internal audit
Internal Audit is an independent activity designed to improve the bank's operations. The internal
audit function is a part of the ongoing monitoring of the system of internal control and assists
the staff in effective discharge of their responsibilities. The success of internal audit function
depends largely on the extent of reliance the bank management would place in guiding the
bank's operations. The Internal Audit Department will therefore have to be independent from
the internal control process and be given an appropriate standing within the bank to carry out
its assignments with objectivity and impartiality. The Internal Audit Department should
therefore be provided with appropriate resources and staff to achieve its objectives. Historically,
the internal audit system in banks has been concentrating on: (i) transaction testing, accuracy
and reliability of accounting records and financial reports, (ii) testing of integrity, reliability and
timeliness of control report, and (iii) adherence to legal and regulatory requirements. Though
transaction testing would remain a reliable and essential examination aspect of internal
auditing, in the changing scenario such testing by itself would not be sufficient. Over the years,
the evolvement of financial instruments and markets have enabled banks to reposition their
portfolio risk exposure. It has become clear that periodic assessment based on transaction testing
alone cannot keep pace with the rapid changes occurring in financial risk profiles. In this
context the widening of the scope of internal auditing assumes significance. The internal audit
would have to capture in a larger way the application and effectiveness of risk management
procedures and risk assessment methodology and critical evaluation of the adequacy and
effectiveness of the internal control systems. The internal audit department should pay special
attention to auditing the banking activity in all the places through which the activity is
undertaken. The precise scope of work of internal auditing must be determined by each bank
but as a minimum, must review and report upon the control environment as a whole, the
process by which risks are identified, analysed and managed, the line of controls over key
processes, the reliability and integrity of corporate management function, safeguarding of
assets and compliance with rules and regulations.
To achieve these objectives, banks would have to gradually move towards risk focused auditing,
in addition to the system of selective transaction based auditing. The implementation of risk
based auditing would mean that greater emphasis is placed on the internal auditor's role of
mitigating risks. By focussing on effective risk management the internal auditor would not only
offer remedies for current trouble areas but also anticipate problems and play an important role
in protecting the bank from risk hazards. The Risk based auditing would not only cover
assessment of risks at the branch level but would also cover, as an independent assessing
authority, assessment of risks at the corporate level and the overall process in place to identify,
measure, monitor and control the risks. In order to focus attention on areas of greater risk to the
bank, a location-wise and activity-wise risk assessment should be performed in advance of on-
site Risk based auditing. This would allow identification of high risk areas which would enable
prioritising the activities and locations for Risk based audit. If initial inquiries into the risk
management system raise material doubt as to the system's effectiveness, no significant reliance
should be placed on the system and a more extensive series of tests need to be undertaken to
ensure that the bank's exposure to risk from a given function or activity is accurately captured
and monitored. The high-risk areas need to be looked into more frequently than the low risk
areas. Risk based audit would be an aid to the ongoing risk management by banks, as it would
provide checks and balances in the system. The banks could form a small committee of
executives and entrust them with the responsibility to chalk out an action plan, implement and
monitor the progress in adoption of risk management systems and risk focused audit and report
to the Top Management and Board of Directors periodically.
(c) Strengthening of Management Information System and Information Technology
A principal foundation for RBS is the availability of detailed data. Under RBS the monitoring
needs of RBI will differ based on the risk profile of a bank and accordingly RBI may require
banks to provide information in addition to the data now being furnished in the OSMOS returns.
Consequently, there is a need to devise a policy for backup and storage of various databases on
regular intervals. The policy should specify details like frequency of backups, media to be used,
off-site storage areas, departments and officials (Data Managers) responsible for these actions.
The accuracy, completeness and the timeliness of data are very important and would have to be
ensured by banks through up-gradation of their management information and information
technology systems. The Data Manager's role should be created in order to ensure that the data
has integrity, is stored in correct place, comprehensive and timely. The Data Managers should be
made responsible for specific databases. Banks should review the present status of the
management information and information technology systems and initiate necessary measures
to ensure that RBI data needs as well as supervisory reporting systems are streamlined.
(d) Addressing HRD issues
A major transitional task towards completion of risk management set up and introduction of
Risk based audit will be the reorientation of the staff to meet the required objectives. The
potential primary obstacles will be the skill formation of the staff and placement in appropriate
positions. Banks may have to create a dedicated risk management team at head office and
reorient the Internal Audit Department to undertake risk-based audit. These objectives could be
attained through addressing several HRD issues like manpower planning, selection and
deployment of staff and extensive training in risk management including asset liability
management and Risk based audit. The banks will have to adopt a forward looking training
arrangement through appropriate course designing and compilation of training materials
keeping in view the best international practices and procedures.
(e) Setting up of Compliance Unit
Banks are required to take corrective action to remedy or mitigate any significant risks which
have been identified in the earlier part of the supervisory cycle and which have been
incorporated into the current risk profile. RBI will issue bank specific MAP which will include
directions to banks on actions to be taken. If the actions and timetable set out in the MAP fail to be
met, RBI may issue further directions or impose sanctions or take mandatory and discretionary
actions, if deficiencies continue to persist. It is therefore necessary for banks to set up a dedicated
compliance unit to coordinate various actions of the bank for compliance and for periodical
reporting to RBI, and ensure the completion of compliance action within the time period
indicated in the MAP. The compliance unit should be headed by a Chief Compliance Officer of
the rank of not less than a General Manager who will be responsible and accountable for
timeliness and accuracy of the compliance.
Part III
Implementation Schedule
21. The major transitional task would be the reorientation of organizational set up by banks in line
with the recommendations for bank level preparation. The main obstacle during the transitional
period would be skill formation, attitudinal changes, development and retention of specialist
staff, extensive training and redeployment of staff. It is not contemplated to change over to RBS
approach in one go. It will be implemented in a gradual manner. However, the shift to RBS
approach would not necessarily await the completion of bank level preparation. The concept is
intended to be rolled out at the earliest, as the inadequacies in risk management systems in banks
will themselves be a supervisory risk. As the CAMELS rating would be an important input in
bank risk profiling, the CAMELS approach through on-site inspection would concurrently be
followed along with the RBS approach in the shorter term. The procedure would be reviewed at
the appropriate time in the light of the quality of Management Information System in banks and
the accuracy and completeness of relevant off-site data furnished to the BSD of RBI which would
then form the basis for compilation of CAMELS rating. At that stage, the on-site inspection for
CAMELS rating would be by way of exception.
22. It is intended to roll out the RBS process in phases beginning from the last quarter of the
financial year 2002-2003. It is, therefore, necessary for banks to initiate immediate measures
for completion of the tasks indicated in paragraph 21 of this document by the end of the
calendar year 2002. Banks may like to set up an in-house change management team to monitor
the progress of implementation and suggest ways and means to overcome the obstacles.
[1] Capital adequacy, Asset quality, Management, Earnings, Liquidity, Systems and control. (applicable to all domestic
banks)
[2] Capital adequacy, Asset quality, Liquidity, Compliance and Systems. (applicable to Indian operations of banks
incorporated outside India)
Appendix - II
Risk-based Internal Audit
DBS.CO.PP.BC. 10/11.01.005/2002-03
December 2, 2002
All Scheduled Commercial Banks
(Except Regional Rural Banks)
Dear Sirs,
Please refer to Part II of the discussion paper on 'Move towards risk-based supervision of banks'
forwarded to you vide letter No. DBS. CO. RBS.58/ 36.01.002/ 2001-02 dated August 13, 2001
wherein five areas of bank level preparation had been identified, which will be significant in
facilitating a smooth switchover to risk-based supervision (RBS) of banks by the Reserve Bank.
One of the areas relate to the introduction of a risk-based internal audit system by banks. The
guidelines have now been finalised and the guidance note relating to risk-based internal audit
system is enclosed.
2. The guidance note may please be placed before the Board of Directors for deliberation at the
next meeting, and banks may immediately initiate necessary steps to review their current
internal audit systems and prepare for transition to a risk-based internal audit system in a
phased manner, keeping in view their risk management practices, business requirements,
manpower availability, etc.
3. Banks should form a Task Force comprising senior executives and entrust them with the
responsibility of chalking out an action plan for switching over to risk-based internal audit. The
task force may identify and address transitional and change management issues, implement the
action plan, monitor the progress in the transitional period and report periodically to the Board
of Directors and Top Management. A quarterly report beginning from the quarter ending
March 31, 2003 on the progress made in implementation of risk based internal audit may be
submitted to us as also to the Regional Office of Department of Banking Supervision under
whose jurisdiction the Head Office of the bank is situated.
1. Lindly acknowledge ieceipt.
Yonis aitlnlly,
8d/-
(P. V. 8nbba kao)
clie ceneial Managei-inclaige
fncl: cnidance note oniisk-based inteinal andit
Annexure
Guidance Note on Risk-based Internal Audit
1. Introduction
1.1. The evolvement of financial instruments and markets has enabled banks to undertake varied
risk exposures. In the context of these developments and the progressive deregulation and
liberalisation of the Indian financial sector, having in place effective risk management and
internal control systems has become crucial to the conduct of banking business. This is also
significant in view of proposed introduction of the New Basel Capital Accord under which
capital maintained by a bank will be more closely aligned to the risks undertaken and Reserve
Bank's proposed move towards risk-based supervision (RBS) of banks. Under the proposed RBS
approach, the supervisory process would seek to leverage the work done by internal auditors of
banks. In this regard, the discussion paper on 'Move towards risk-based supervision of banks'
dated August 13, 2001 may be referred. Part II of the discussion paper clearly identifies five
significant areas for action on the part of banks, including putting in place risk-based internal
audit system by December 2002, to facilitate a smooth switchover to RBS.
1.2. A sound internal audit function plays an important role in contributing to the effectiveness of
the internal control system. The audit function should provide high quality counsel to
management on the effectiveness of risk management and internal controls including
regulatory compliance by the bank. Historically, the internal audit system in banks has been
concentrating on transaction testing, testing of accuracy and reliability of accounting records
and financial reports, integrity, reliability and timeliness of control reports, and adherence to
legal and regulatory requirements. However, in the changing scenario such testing by itself
would not be sufficient. There is a need for widening as well as redirecting the scope of internal
audit to evaluate the adequacy and effectiveness of risk management procedures and internal
control systems in the banks.
1.3. To achieve these objectives, banks will have to gradually move towards risk-based internal audit
which will include, in addition to selective transaction testing, an evaluation of the risk
management systems and control procedures prevailing in various areas of a bank's operations.
The implementation of risk-based internal audit would mean that greater emphasis is placed on
the internal auditor's role in mitigating risks. While focusing on effective risk management and
controls, in addition to appropriate transaction testing, the risk-based internal audit would not
only offer suggestions for mitigating current risks but also anticipate areas of potential risks and
play an important role in protecting the bank from various risks.
1.4 The functions of the Risk Management Committee/Department (RMC/RMD) and the role of
risk-based internal audit need to be distinguished. The RMC/RMD focuses on areas such as
identification, monitoring and measurement of risks, development of policies and procedures,
use of risk management models, etc., as outlined in paragraph 2 of the guidelines on Risk
Management systems in Banks enclosed with our circular DBOD No. BP.(SC).BC.98/21.04.
103/99 dated October 7, 1999. The risk-based internal audit, on the other hand, undertakes an
independent risk assessment solely for the purpose of formulating the risk-based audit plan
keeping in view the inherent business risks of an activity/location and the effectiveness of the
control systems for monitoring the inherent risks of the business activity. It needs to be
emphasized that while formulating the audit plan, every activity/location of the bank,
including the risk management function, should be subjected to risk assessment by the
risk-based internal audit.
2. Policy for risk-based internal audit
2.1. Under risk-based internal audit, the focus will shift from the present system of full-scale
transaction testing to risk identification, prioritization of audit areas and allocation of audit
resources in accordance with the risk assessment. Banks will, therefore, need to develop a well
defined policy, duly approved by the Board, for undertaking risk-based internal audit. The
policy should include the risk assessment methodology for identifying the risk areas based on
which the audit plan would be formulated. The policy should also lay down the maximum time
period beyond which even the low risk business activities/locations should not remain
unaudited.
3. Functional independence
3.1. The Internal Audit Department should be independent from the internal control process in
order to avoid any conflict of interest and should be given an appropriate standing within the
bank to carry out its assignments. It should not be assigned the responsibility of performing
other accounting or operational functions. The management should ensure that the internal
audit staff perform their duties with objectivity and impartiality. Normally, the internal audit
head should report to the Board of Directors/Audit Committee of the Board[1].
3.2. The Board of Directors[2] and top management will be responsible for having in place an effective
risk-based internal audit system and ensure that its importance is understood throughout the
bank. The success of internal audit function depends largely on the extent of reliance placed on
it by the management for guiding the bank's operations.
4. Risk assessment
4.1. As indicated at paragraph 1.4 above, the risk-based internal audit undertakes risk assessment
solely for the purpose of formulating the risk-based audit plan. The risk assessment would, as an
independent activity, cover risks at various levels (corporate and branch; the portfolio and
individual transactions, etc.) as also the processes in place to identify, measure, monitor and
control the risks. The internal audit department should devise the risk assessment methodology,
with the approval of the Board of Directors, keeping in view the size and complexity of the
business undertaken by the bank.
4.2. The risk assessment process should, inter alia, include the following :-
- Identification of inherent business risks in various activities undertaken by the bank.
- Evaluation of the effectiveness of the control systems for monitoring the inherent risks of
  the business activities ('control risk').
- Drawing up a risk-matrix for taking into account both the factors viz., inherent business
  risks and control risks. An illustrative risk-matrix is shown as a box item.
The basis for determination of the level (high, medium, low) and trend (increasing, stable,
decreasing) of inherent business risks and control risks should be clearly spelt out.
The risk assessment may make use of both quantitative and qualitative approaches. While the
quantum of credit, market, and operational risks could largely be determined by quantitative
assessment, the qualitative approach may be adopted for assessing the quality of controls in
various business activities. In order to focus attention on areas of greater risk to the bank, an
activity-wise and location-wise identification of risk should be undertaken.
The risk assessment methodology should include, inter alia, the following parameters:
- Previous internal audit reports and compliance
- Proposed changes in business lines or change in focus
- Significant change in management / key personnel
- Results of latest regulatory examination report
- Reports of external auditors
- Industry trends and other environmental factors
- Time lapsed since last audit
- Volume of business and complexity of activities
- Substantial performance variations from the budget
4.3. For the risk assessment to be accurate, it will be necessary to have in place proper MIS and data
integrity. The internal audit function should be kept informed of all developments such as
introduction of new products, changes in reporting lines, changes in accounting
practices/policies etc. The risk assessment should invariably be undertaken on a yearly basis.
The assessment should also be periodically updated to take into account changes in business
environment, activities and work processes, etc.
Inherent business risks indicate the intrinsic risk in a particular area/activity of the bank and
could be grouped into low, medium and high categories depending on the severity of risk.
Control risks arise out of inadequate control systems, deficiencies/gaps and/or likely failures in
the existing control processes. The control risks could also be classified into low, medium and
high categories.
In the overall risk assessment both the inherent business risks and control risks should be
factored in. The overall risk assessment as reflected in each cell of the risk matrix is explained
below:
a. High Risk - Although the control risk is low, this is a High Risk area due to high inherent
business risks.
b. Very High Risk - The high inherent business risk coupled with medium control risk makes
this a Very High Risk area.
c. Extremely High Risk - Both the inherent business risk and control risk are high which makes
this an Extremely High Risk area. This area would require immediate audit attention,
maximum allocation of audit resources besides ongoing monitoring by the bank's top
management.
d. Medium Risk - Although the control risk is low this is a Medium Risk area due to medium
inherent business risks.
e. High Risk - Although the inherent business risk is medium this is a High Risk area because of
control risk also being medium.
f. Very High Risk - Although the inherent business risk is medium, this is a Very High Risk area
due to high control risk.
g. Low Risk - Both the inherent business risk and control risk are low.
h. Medium Risk - The inherent business risk is low and the control risk is medium.
i. High Risk - Although the inherent business risk is low, due to high control risk this becomes a
High Risk area.
The banks should also analyse the inherent business risks and control risks with a view to assess
whether these are showing a stable, increasing or decreasing trend. Illustratively, if an area falls
within cell 'B' or 'F' of the Risk Matrix and the risks are showing an increasing trend, these areas
would also require immediate audit attention, maximum allocation of audit resources besides
ongoing monitoring by the bank's top management (as applicable for cell 'C'). The Risk Matrix
should be prepared for each business activity/location.
4.4 All banks need to put in place an independent risk assessment system in the internal audit
department for focusing on the material risk areas and prioritizing the audit work. The
methodology may range from a simple analysis of why certain areas should be audited more
frequently than others in the case of small sized banks undertaking traditional banking
business, to more sophisticated assessment systems in large sized banks undertaking complex
business activities.
5. Audit Plan
5.1. The annual audit plan, approved by the Board, should include the schedule and the rationale for
audit work planned. It should also include all risk areas and their prioritisation based on the
level and direction of risk. Illustratively, the areas or activities identified as high, very high or
extremely high risk (based on risk matrix) may be audited at shorter intervals as compared to
medium or low risk areas, which may be audited at longer intervals subject to regulatory
guidelines, as applicable.
6. Scope
6.1. The primary focus of risk-based internal audit will be to provide reasonable assurance to the
Board and top management about the adequacy and effectiveness of the risk management and
control framework in the banks' operations. While examining the effectiveness of control
framework, the risk-based internal audit should report on proper recording and reporting of
major exceptions and excesses. Transaction testing would continue to remain an essential aspect
of risk-based internal audit. The extent of transaction testing will have to be determined based
on the risk assessment. Illustratively, the bank should undertake 100 per cent transaction testing
if an area falls in cell 'C - Extremely High Risk' of the risk matrix. The bank may also consider 100
per cent transaction testing if an area falls in cell 'B - Very High Risk' or 'F - Very High Risk', and
the risks are showing an increasing trend. The banks may also consider transaction testing with
an element of surprise in respect of low risk areas which would be audited at relatively longer
intervals.
The banks may prepare a Risk Audit Matrix as shown below:
[Figure: Risk Audit Matrix]
The Audit Plan should prioritize audit work to give greater attention to the areas of:
i. High Magnitude and high frequency
ii. High Magnitude and medium frequency
iii. Medium magnitude and high frequency
iv. High magnitude and low frequency
v. Medium Magnitude and medium frequency.
6.2. The precise scope of risk-based internal audit must be determined by each bank for low,
medium, high, very high and extremely high risk areas. However, at the minimum, it must
review/report on:-
- process by which risks are identified and managed in various areas;
- the control environment in various areas;
- gaps, if any, in control mechanism which might lead to frauds, identification of fraud prone
  areas;
- data integrity, reliability and integrity of MIS;
- internal, regulatory and statutory compliance;
- budgetary control and performance reviews;
- transaction testing/verification of assets to the extent considered necessary
- monitoring compliance with the risk-based internal audit report
- variation, if any, in the assessment of risks under the audit plan vis-a-vis the risk based
  internal audit.
6.3. The scope of risk-based internal audit should also include a review of the systems in place for
ensuring compliance with money laundering controls; identifying potential inherent business
risks and control risks, if any; suggesting various corrective measures and undertaking follow
up reviews to monitor the action taken thereon.
7. Communication
7.1. The communication channels between the risk-based internal audit staff and management
should encourage reporting of negative and sensitive findings. All serious deficiencies should be
reported to the appropriate level of management as soon as they are identified. Significant issues
posing a threat to the bank's business should be promptly brought to the notice of the Board of
Directors, Audit Committee or top management, as appropriate.
8. Performance evaluation
8.1. The Internal Audit Department should conduct periodical reviews, annually or more frequently,
of the risk-based internal audit undertaken by it vis-a-vis the approved audit plan. The
performance review should also include an evaluation of the effectiveness of risk-based internal
audit in mitigating identified risks.
8.2. The Board of Directors/Audit Committee of Board should periodically assess the performance
of the risk-based internal audit for reliability, accuracy and objectivity. Variations, if any, in the
risk profile as revealed by the risk-based internal audit vis-a-vis the risk profile as documented
in the audit plan should also be looked into to evaluate the reasonableness of risk assessment
methodology of the Internal Audit Department.
9. Audit resources
9.1. The Internal Audit Department should be provided with appropriate resources and staff to
achieve its objectives under the risk-based internal audit system. The staff possessing the
requisite skills should be assigned the job of undertaking risk-based internal audit. They should
also be trained periodically to enable them to understand the bank's business activities,
operating procedures, risk management and control systems, MIS, etc.
10. Outsourced internal audit arrangements
10.1 The Board of Directors and top management are responsible for ensuring that the risk-based
internal audit continues to function effectively even though it is outsourced.
The following aspects may, inter-alia, be kept in view to prevent any risk of breakdown in
internal controls on account of outsourcing arrangements:-
a. Before entering into an outsourcing arrangement for risk-based internal audit, the bank should
perform due diligence to satisfy itself that the outsourcing vendor has the necessary expertise to
undertake the contracted work. The contract, in writing, should at the minimum, specify the
following:
- the scope and frequency of work to be performed by the vendor
- the manner and frequency of reporting to the bank
- the manner of determining the cost of damages arising from errors, omissions and
  negligence on the part of the vendor
- the arrangements for incorporation of changes in the terms of contract, should the need
  arise
- the locations where the work papers will be stored
- the internal audit reports are the property of the bank and that all work papers are to be
  provided to the bank when required
- the employees authorized by the bank are to have reasonable and timely access to the work
  papers
- the supervisors are to be granted immediate and full access to related work papers
b. The management should continue to satisfy itself that the outsourced activity is being
competently managed.
c. All work done by the vendor should be documented and reported to the top management
through the internal audit department.
d. To avoid significant operational risk that may arise on account of a sudden termination of the
outsourcing arrangement, the bank should have in place a contingency plan to mitigate any
discontinuity in audit coverage.
11.
Risk-based internal audit is expected to be an aid to the ongoing risk management in banks by
providing necessary checks and balances in the system. However, since risk based internal audit
will be a fairly new exercise for most of the Indian banks, a gradual but effective approach would
be necessary for its implementation. Initially the risk-based internal audit may be used as a
management/audit tool in addition to the existing internal audit/inspection. Once the
risk-based internal audit stabilizes and the staff attains proficiency, it should replace the existing
internal audit/inspection. The information systems audit (IS Audit) should also be carried out
using the risk-based approach.
12.
Banks should form a Task Force of senior executives and entrust them with the responsibility to
chalk out an action plan for switching over to risk-based internal audit, identifying and
addressing transitional and change management issues, implementing the plan and monitoring
the progress during the transitional period and report to the Board of Directors, periodically.
1. In case of foreign banks the reporting could be to the CEO for Indian operations.
2. In this document the expression Board/Audit Committee of Board should be taken to mean the Local Advisory
Board in case of foreign banks, unless otherwise specified.
Appendix - III
RESERVE BANK OF INDIA
Implementation of Risk-based Internal Audit (RBIA) in Banks
www.rbi.org.in
Ref. RBI 2004-05/356
DBS.CO.PP.BC. 1/11.01.005/2004-05 February 1, 2005
All Scheduled Commercial Banks
(Except Regional Rural Banks)
Dear Sirs,
As you would recall the guidelines relating to risk-based internal audit were issued by us on
December 27, 2002 vide our letter DBS.CO.PP.BC.10 /11.01.005/2002-03. A review of the
implementation of the risk-based internal audit in various banks has revealed that there are
certain gaps/deficiencies which need to be addressed in order to ensure that the RBIA
framework is effective. Some of the gaps/deficiencies observed by us are as under:
1) The risk assessment of branches should be carried out on the basis of the 'inherent business
risks' and 'control risks', as indicated in paragraph 4.2 of our 'Guidance note on risk based
internal audit'.
2) The risk assessment should not only indicate the level of risk as High, Medium and Low but also
the trend of risk in terms of increasing, decreasing or stable. (paragraph 4.2 of the 'Guidance
note on risk based internal audit'.)
3) The risk assessment should invariably be undertaken on a yearly basis (paragraph 4.3 of the
'Guidance note on risk based internal audit'.)
4) As mentioned in paragraph 6.1 of the 'Guidance note on Risk-based internal audit', the bank
should undertake 100 per cent transaction testing if an area falls in cell 'C - Extremely High
Risk' of the risk matrix. The bank may also consider 100 per cent transaction testing if an area
falls in cell 'B - Very High Risk' or 'F - Very High Risk', and the risks are showing an increasing
trend. The banks may also consider transaction testing with an element of surprise in respect of
low risk areas which would be audited at relatively longer intervals. As regards the areas falling
in other cells (viz., A-'High Risk', D-'Medium Risk', E-'High Risk', G-'Low Risk', H-'Medium
Risk', I-'High Risk') of the risk matrix, the bank has to decide on the level of transaction testing
based on its risk based internal audit policy duly approved by the Board.
5) As indicated in paragraph 6.1 of the 'Guidance note on risk based internal audit', the bank has to
prepare a Risk Audit Matrix which would be based on the magnitude and frequency of risk.
Preparation of the Risk Audit Matrix can also enable the bank to move towards the Advanced
Measurement Approach for Operational Risk under Basel II.
2. Banks are advised to review the methodology of conducting the risk-based internal audit and the
policy in this regard so as to align the same with the guidelines issued by RBI. As already
indicated in paragraph 3 of our letter dated December 27, 2002, mentioned above, banks
should form a Task Force comprising senior executives and entrust them with the responsibility
of chalking out an action plan for switching over to risk-based internal audit. This process may
be expedited and compliance with our guidelines ensured at an early date.
Yours faithfully,
(Amarendra Mohan)
General Manager
The Institute of
Chartered Accountants of India
Indraprastha Marg, P B No. 7100
New Delhi - 110 002 INDIA
542 TG RB
ISBN 81-88437-73-5