Risk Management

and Internal Audit for MFI

&'

Summarized by Hong Ry,

Senor Internal Auditor
2007
 OPERATIONAL RISK
Vulnerabilities that MFI faces in it’s
operations: portfolio quality, fraud
risk and theft.
There are 3 types of operational risk
I.Credit Risk
II.Fraud Risk
III.Security Risk
 Reduced Risk Factors

Operational risk can be reduced

through developing policies and
procedures that form organization’s
Internal control system.

These controls usually included

preventive and detective aspects
 Preventive Controls
Preventive Controls inhibit undesirable outcome
from happening:
¾Hiring trustworthy employees who can make
good credit decision
¾Ensure that loan are backed by collateral
¾Segregating staff duties
¾Requiring authorization to prevent improper
use of resources
¾Maintaining proper record keeping procedures
to deter improper transactions
¾Installing sufficient security measures to
protect cash and other assets
 Detective Controls
Detective Controls identify undesirable outcome
when they do happen
¾Reconciling bank statement with cash receipts
¾Monitoring early warning signals for signs of
pending portfolio quality problems
¾Implementing delinquency management policies to
prevent late payments from escalating into bad debts
¾Monitoring staff performance to ensure policies and
procedure are followed
¾Visiting clients to ensure that their loan and saving
account balances and transaction dates correspond
with the MFI’s records
 I. Credit Risk
Deterioration in loan portfolio quality
that result in loan losses and high
delinquency management cost. Credit
risk related to client failure to meet the
terms of a loan contract.
This risk can be livestock disease for
portfolio quality.
In this point we focus on Credit risk
controls and Credit risk monitoring.
 I.1. Credit Risk Controls

A lender’s risk management expand

from controls that reduce the potential
for loss to controls that reduce actual
losses. The four key credit risk controls
are (1) loan product design, (2) client
screening, (3) credit committees, (4)
delinquency management
 (1) Loan Product Design

Loan product should be designed to

address the specific loan purpose with
different design features included loan
size, loan terms, interest rate, repayment
schedule, collateral requirements, eligibility
requirements, and other special terms in
order to meet client need. These Product
design features cam minimize credit risk
 (2) Client Screening

MFI typically use the 5Cs for screening clients:

1.Character:the applicant’s willingness to repay and
ability to run the enterprise
2.Capacity: whether the cash flow of business or
household can service loan repayments.
3.Capital: Assets and liabilities of the business and/or
household
4.Collateral: Access to an asset that the applicant is
willing to cede in case of non-repayment, or a guarantee
by a respected person to repay a loan in default.
5.Condition: a business plan that considers the level of
competition and the market for the product or service, and
the legal and economic environment
 (3) Credit Committee

Credit committee is established to

approve loans, monitor their progress
and get involved in delinquency
management. Additionally, MFI
should have written policies
regarding Loan approval authority
with specific loan amount which can
be approved by two people or third
person requirement.
 (4) Delinquency Management

To minimize the delinquency, CARE

recommends six delinquency management
methods:
1. Institutional culture
2. Client Orientation
3. Staff incentives
4. Delinquency penalties
5. Enforcing contracts
6. Loan rescheduling
 I.2. Credit Risk Monitoring

This point discuss about the monitoring

of the portfolio quality ratios on
monthly basis which can minimize
credit risk. These ratios included
Portfolio at Risk, Loan Loss Ratio,
Reserve Ratio, and Loan Rescheduling
Ratio.
 II. Fraud Risk
Wherever there is money, there is an
opportunity for fraud. However, through
proper controls they can reduce their
vulnerability to fraud. This section first
summarize common types of fraud and
discusses controls for preventing and
detecting fraud.
 II.1. Types of Fraud

Fraudulent activities can occur in following

lending process:
1. Loan disbursement
2. Repayment
3. Collateral procedures, and
4. Closure activities
Fraud can occur from misuse of petty cash,
false travel claims, kickbacks from
procurement contracts, and management
override.
 II.2. Types of Fraud (cont)

High level employees incite employee

violate control policies or procedures,
enabling his/her commit fraud.
The More vulnerable to MFI’s fraud such
as: poor portfolio quality, weak information
system, change in information system,
weak internal control procedures, high
employee turnover, multiple loan products,
handle cash, and rapid growth.
 II.2. Control: Fraud Prevention

The CARE EDU suggests the following 8

categories of control to reduce fraud:
1.excellent portfolio quality
2.simplicity and transparency
3.human resource policies
4.client education
5.credit committee
6.handling cash
7.handling collateral and
8.write-off and rescheduling policies
II.3. Monitoring: Fraud detection
The best prevention strategies in the world
are not going to eliminate fraud. This is
partly. The fraud detection is the
responsibility of all staff members, from the
chairman of the board down to cleaners and
drivers. So this responsibility for fraud
detection is tasked to internal auditor which
should report directly to audit committee of
the board.
Fraud detection involves the following four
elements: 1) operational audit, 2) loan
collection policy, 3) client sampling, and 4)
customer complaints.
 1) Operational Audit
1)The purpose of operational audit is to confirm that
the policies are being followed. There are 3 reasons
for being not following policies:1) the employees was
involved in some sort of fraudulent activities; 2) the
employees did not know about policies or didn’t
understand; 3) the employees believed that the policy
was unreasonable.
2)An operational audit is a review of all operation
activities, procedures and process, including human
resources, procurement, finance, information
systems and any other operational areas. It’s
important that this independent person or
department report to the board of director, not to
management.
 2) Loan Collection Policies

The collection policies have a very

important role in fraud detection. By
involving several different persons in
the collection process, MFI’s not only
escalate the pressure on client, but also
help to identify instances of fraud.
 3) Client Sampling
The client visited by internal auditors is a main
aspect of fraud detection. Internal auditors use
selective sampling of borrowers whose loans that are
more likely to be fraudulent, especially payment in
arrears.This client visit, internal auditors may find
major discrepancies between information in client’s
file and the reality in the field, which could expose
the organization to credit or fraud risk. auditor also
use selective sampling of depositors.Prior to visiting
clients, internal auditors are preferred to reviewing
document first.
Field work, internal auditor can fulfill other
important function such as delinquency
management, gathering information on customer
satisfaction and market tends, and identify staff
training needs.
 4) Customer Complaints

Another important method for detecting

fraud and improving customer service,
is to establish a complain and
suggestion system that creates a
communication through which clients
can voice their opinions.
 II.4. Response to Fraud
If fraud is suspected, in most cases the most MFI
should conduct a fraud audit and then
implement damage control proceedings.
Fraud audit: There are two factors in conducting
fraud audit are potential magnitude(large amount
of cash) of fraud and the extent of evidence and
should be conducted by specialized training in
forensic auditing.
Damage control: MFI should consider developing
contingency plans which can be dusted off and
put into action when fraud is occurred.
contingency plan should include the following
elements:
 III. Security Risk
This risk has two basic elements:
1) Safe of cash: MFIs need to ensure that
cash is protected from theft during office
hours, after office hours, and in transit.
cash can protect through the use of local
bank, security measures, and liquidity
policies.
2) Safety of Office assets: MFIs need to
ensure that they are protecting their
computers, fax machine, office
equipment..etc from theft. Assets can
protect through a fix assets register.
FINANCIAL MANAGEMENT
RISKS AND CONTROLS
In this chapter we will discuss the 3
key risk areas:
I.Asset and Liability Management
Risks
II.Inefficiency Risks
III.System Vulnerability Risks
 I. Asset and Liability
Management Risks
It’s refers to management of spread, or the
positive difference between the interest rate on
earning assets and cost of funds. Successful of
this spread requires control over: a) interest rate
risk, b) foreign exchange gap, c) liquidity, and d)
credit risk. MFI can vulnerable if it has one of the
following characteristics:
ÖIt borrows money from commercial sources to
fund its portfolio;
ÖIt funds its portfolio from client saving;
ÖIt operates in a high inflation environment;
ÖIt has liabilities denominated in a foreign
currency.
 I.1 Interest Rate Risk
This risk is particularly problematic for MFIs
operating in high inflationary environments.
MFIs should monitor interest rate risk by 1)
assessing the amount funds at risk for a
given shift in rates, and 2) evaluating the
timing of the cash changes given a particular
interest rate shift.
This risk can be effected by interest rate
sensitivity which large scale saving is highly
effected than small ones.
The measure of this risk is net interest
margin=( Interest Revenue-Interest
Expense)/Average Total Assets
 I.2. Foreign Exchange Risk
This risk occurs when MFI hold assets and
liabilities in foreign currency.
For MFIs with foreign currency exposure should
establish control mechanisms which have options
as follows:
ÖAdd the expected devaluation rate
ÖInclude a provision for devaluation expense on
the balance sheet and income statement
ÖIndex the interest rate on local currency loan to
foreign currency.
The key ratio is currency gap risk ratio=(Assets in
Specified Currency-Liabilities in Specified
Currency)/Performing Assets
 Currency Devaluation Impact

Amount lent:$100,000 at 20% USD Scenario 1-SAR Scenario 2-SAR

(no devaluation) (devaluation)

Amount lent 100,000 600,000 600,000

Exchange rate at due date - R6/USD R7/USD

Amount due 120,000 720,000 840,000
Principle 100,000 600,000 700,000
Interest 20,000 120,000 140,000
Actual cost of funds* 20,000 120,000 240,000

Client revenue** 420,000 420,000

Operation costs*** 240,000 240,000
Net difference 180,000 180,000
Profit/Loss 60,000 (60,000)

*Includes interest expense, revaluation of principal, and revaluation of interest

expense
**Assume interest rate of 70%
***Assume operation cost ratio of 40%
 I.3. Liquidity Risk
Liquidity refers to an MFI’s ability to meet its
immediate demands for cash, such as disbursement,
bill payment, and debt repayment. A temporary lack
of loan capital can result in a dramatic spike in
portfolio quality problems.
The key control for liquidity is cash flow
management which ensure that cash inflow is equal
to or greater than cash outflow. Besides cash flow
projection is ratios:
-Quick Ratio=liquid assets/current liabilities
-Liquidity Ratio=(cash+ expected cash inflows in
period)/anticipated cash outflow in period
-Idle fund ratio=(cash+Near cash)/Total outstanding
Portfolio
 II. Inefficiency Risk
This risk involves the an organization’s
disability to manage costs per unit of
output which cause waste of resources
and ultimately provide clients with poor
services and products. MFIs can
improve efficiency in three ways:(1)
increase the numbers of clients to
achieve greater economics of scale, (2)
streamline systems to improve
productivity, and (3) cut costs.
 II.1. Inefficiency Controls
There are four elements were discussed in this
part:
9Budgeting: the master plan of all expenses and
all sources of capital.
9A budget comparison report: the purpose is to
allow the board and staff to monitor performance
relative to the approved budget.
9Activity Based Costing: it’s allocates both direct
and indirect related costs to specific revenue
generating activity.
9Reengineering: The process of cleaning up
inefficiencies (such as poor customer service or
unattractive product). The greatest challenge to
successful reengineering is the lack of strong
leadership to organizational resistance to change.
 II.2. Inefficiency Monitoring

This point was discussed the Efficiency

and Productivity Ratios and Monitoring
Human Errors. EPRs analyze its level of
efficiency, and MFI should compare its
current performance to two other data
sets: 1) the organization’s past
performance (trend analysis) and 2) similar
organizations identified as industry
leaders (industry benchmarks).
 III. System Integrity Risk

It’s the way of secure the reliability of

source data and information contained
in the financial statement and
management reports through definitive
assessed the financial reports and
systems in an MFI by external audit
firm. The financial audit should
conduct on an annual basis in order to
safeguard company assets.
 Auditing
Audit: Examination of books, records and
accounts of a company which is carried out
by independent auditors both external and
internal.
External audit: Audit carried out by
independent auditors who come from
private firm. External audit focus on
financial statement audit.
 Auditing review (cont)
Internal audit: an independent appraisal
function established by the management of
an organization for the review of internal
control system as service to the
organization
 The need for an audit
The need of audit is to certify the
reports are free from errors and
frauds in order to show strong
reliability to interest parties.
 Objectives of auditing
-Primary: Produce report of true and fair
opinion of financial statement.
-Subsidiary:
.to detect errors and fraud
.to prevent errors and fraud by the
.deterrent and moral effect of the audit.
.to provide pin-off
 Auditor qualification
a. Independence :Auditor not only must be
independent in fact and attitude in mind
but also must be seen to be independent
with unbiased opinion.
b. Competence : referred to CPA candidates.
c. Integrity : referred to qualified
accountants are renowned for their
honesty, discretion and tactfulness
 Types of auditor
• Independent auditors or external
auditors: referred to CPA members

• Internal auditors: referred to employees of

the entities they audit.

• Government auditors: not mentioned in

this point.
Audit Process
 Internal Audit Process
-Background research
-Preparation of the audit plan
-Accounting system review
-Internal control system review
-Review related document and do substantive
testing
-Analytical review techniques
-Analytical review of financial statement
-Preparation and signing report
 Internal control
Internal control is process designed by
managements to provide reasonable
assurance regarding the achievement of
objectives in the following categories:
•Reliability of financial reporting;
•Compliance with applicable laws and
regulations;
•Effectiveness and efficiency of operations.
The elements of internal control are policies,
procedures, manuals, memos, working
processes……….
 Engagement Letter

A letter which provides the

understanding each other between
auditor and client.

It presents the services, objective,

responsibilities, scope of work, period
and audit fee.
 Audit Evidence
-Audit evidence (alternatively referred to
as evidential matter) consist of two
categories:
underlying accounting data and all
corroborating information
-Auditor can collect the evidence
through observation, third parties,
authoritative document, internal
control, calculation, interview………
 Working Papers

Working papers are papers (soft and

hard) that document the evidence
gathered by auditors to show the work
they have done, the methods and
procedures they have followed, and the
conclusions they have developed in an
audit of financial statement or other
type of engagement.