As per the risk based supervision (RBS) framework determined by RBI, every bank is expected to

prepare a risk profile of its own, considering the various parameters and the risks to which bank is
currently exposed.
As
be

per the risk profile of the bank and the parameters laid down following surveillance activities may
conducted:
Off site surveillance
On site inspections
Process level inspections
Product level inspections
Demographic inspections
Integrity inspections
Structured meetings with other banks
Meeting external auditors
Specific supervisory directions and new policy actions

However the above list is illustrative in nature, RBI has also indicated other five areas wherein bank
is expected to implement RBS framework:
Setting up of Risk management architecture
Adoption of risk focused Audit
Strengthening of management information system and information technology
Addressing Human Resource Department issues
Setting up of a Compliance unit
As per the Standards and Guidance note issued by ICAI, internal audit is defined as:
Internal Audit is an independent management function, which involves a continuous and critical
appraisal of the functioning of an entity with a view to suggest improvements thereto and add value
to and strengthen the overall governance mechanism of the entity, including the entitys strategic
risk management and internal control system.
Also, para 8 of the Auditing and assurance Standard (AAS 6), Risk assessments and internal control
clarifies that internal audit, constitutes a separate component of internal control with the objective
of determining whether other internal controls are well designed and properly operated.
Thus the scope of internal audit can be broadly classified as follows:
Independent functioning and evaluation of effectiveness of the internal control system of the
organisation
Continuous evaluation of the organisations processes
Review of the application and effectiveness of the risk management procedures and risk
assessment methodologies
Review of effective management accounting system and information technology of the
organisation
Review of the means of safeguarding the assets
Review of management decisions and cost benefit analysis of the applications
Review of various procedures and reduction in overall turn around time
Review of application used for regulatory reporting
Review of stand alone applications and other applications having interface with the core systems
of the organisation
Internal Audit Function in banks:
Banking industry and need for internal audit:
Deals with public money (Borrowing, lending and investment)
Needs to be accurate
Proper checks and balances to be in place
Primary source of information for determining the effectiveness of existing internal control in the
bank
Global presence of Indian banks
Use of modern information technology

Key audit decisions of a risk based internal audit:

Frequency of Audits
Categorisation of the risks (High, Low,Medium)
Determination of the frequency based on the risk profile
Optimal allocation of audit resources
Scope of Audit
Extent of audit based on risk profiles
Sampling technique as per the AAS 15, and to be approved by the Audit Committee
Timing of internal audit
Random and fixed timing policies for high and low risk audit units respectively
Surprise and snap audits for high risk profile
Conditional auditing for medium risk units
Size of the Internal Audit team
Depending on the risk profile
Preventive measure
Suggesting risk mitigants
Anticipating potential risk areas
Proactive approach prevention
Advantages of Risk based internal audit
Defining the scope of audit
Co relation between risk factors and the management concerns
Priority classification
Appropriate risk format according to the classification
Synergy effect of high risk audit areas
Optimal utilisation of the resources
Process oriented audit
Risk based internal audit vs Risk management function
Risk based internal audit
Continuous evaluation of various
processes to determine well designed
internal controls and effective overall
governance of the organisation. There
will be monitoring of inherent business
risks

Risk management function

Development of appropriate policies and
procedures for effective risk management
on a bank wide basis.
Development of risk management policies

Formulation of risk based internal audit

plan for proper allocation of resources
Internal audit can audit risk management Risk management systems cannot asses
department of the bank, the same being the risk of the internal audit department.
an independent department
Steps involved in risk based audit
Preparation
Planning
Resource planning
Role clarification
Assigning responsibilities
Cost planning
Date of completion
Clear assignment of roles and responsibilities

Identification of units
Audit universe
Business Teams
Product teams
Individual product

Tolerance level of the residual risk from non audited units

Scope of operational risk audit and risk based internal audit to be converged with each
other( also to avoid duplication for Basel II Capital Adequacy requirement)

Conduct risk assessment

Categorisation of risks
Inherent risk
Credit risks
Direct lending repayment risk
Guarantees or Letter of Credit Insufficient funds on crystallization of liability
Treasury operations Ceasing payment from the parties for the forth coming contracts
Securities trading business
Cross border exposure
Market risks
Liquidity risk
Interest rate risk
Foreign exchange risk
Operational risks
People risk
Process risk
System risk
Legal and regulatory risk
Reputation risk
Event risk
Control risks

Control Environment
the overall attitude, awareness and actions of the directors and management regarding the
internal control system and its importance in the entity
Factors related to control environment
Hierarchy Structure
Senior management role and decision making authority
Managements philosophy and operating style
Managements control system including internal audit, personnel policies and procedures
Control Procedures
those policies and procedures, in addition to control environment, which the management
has established to achieve entitys specific objectives
Approving and controlling of documents
Segregation of duties and supervisory functions
Maker checker concept
Reporting and reviewing of exceptions
Comparison of internal data with the external information
Restricting direct access to assets, records and information
Information system controls
Key factors to be considered by an internal auditor before performing internal audit function
Trend pattern of risks
Risk matrix
Inherent risks
High, Low & Medium
Control risks
High, Low & Medium
Prioritization based on the risk assessment
Previous internal audit reports and compliance
Proposed changes in business lines or change in focus
Significant change in management/ key personnel
Results of latest regulatory examination
Reports of external auditors
Industry trends and other environmental factors
Time lapsed since last audit

Volume of business and complexities of activities

Substantial performance variations from budget

Risk based internal audit plan

Final planning
Scope
Cost
Resource
Timing
Approval from Audit Committee

Internal Audit and Control risk

Understanding of the control environment by the internal auditor
Assess managements attitude
Assess managements awareness
Assess managements actions
Two fold role of internal auditor
Ascertaining inherent risk and identifying areas wherein control procedures are not
established
Evaluation of risk in existing control procedures
Preliminary assessment of control risk
Evaluation of effectiveness of entitys control environment and control risks in managing
inherent business risks
Assumption controls are working effectively
Generally high control risk and if not the same has to be documented
Tests used for determining control checks
Inspection
Inquiries
Re-performance of internal controls
Testing on computerized applications
Obtain evidence through tests of control
Risk assessment and evidence are inversely proportional
Lower the assessment of control risk, more is the evidence required for its
effectiveness
Factors to be considered while obtaining audit evidence
Application of existing controls
Consistency of application of such controls
Duration of the application
Responsibility of the person for such controls
Deviations while application of effective controls
Reasons for such deviations
Changes in key personnel
Fluctuation in volume of transactions
Human error
Conclusion
Qualitative and Quantitative Approach
Quantum of credit, market, operational risk Quantitative
Quality of Controls Qualitative
Focus on areas of risk, following parameters to be considered
Activity wise identification
Location wise identification
Knowledge of Auditee's Business
AAS 20 Knowledge of Business
In performing an audit of financial statement, the auditor should have or obtain knowledge
of the business sufficient to enable the auditor to identify and understand the events,
transactions and practices that, in the auditor's judgement, may have a significant effect on
the financial statement or on the examination of audit report. Such knowledge is used by

auditor in assessing inherent and control risk in determining nature, timing and extent of
audit procedures.
Mapping of both the risks with each other so that they are at an acceptable level
Risk assessment matrix appears as below:
Inherent Risk

High

A High Risk

B Very High Risk

C Extremely
High Risk

Medium

D High Risk

E Medium Risk

F Very High Risk

Low

G Low Risk

H High Risk

I High Risk

Low

Medium

High

Control Risk

Risk Based internal audit plan

Scope
Following matters to be reviewed
Process for identification of risks
Control environment
Gaps leading to increase in probabilities of occurrence of frauds
Report on data integrity, reliability and integrity of MIS
Internal, regulatory and statutory compliance
Budgetary control and performance reviews
Transaction testing/ verification of assets to the extent considered necessary
Monitoring compliance with the risk based internal audit report
Variation, if any, in the assessment of risks under the audit plan vis a vis the
risk based internal audit
Review of systems in place for ensuring compliance with money laundering controls
Suggesting corrective measures
Follow up reviews to monitor the action taken
Contents of Risk based audit plan
Audit Universe
Priority
High magnitude high frequency
High magnitude medium frequency
Medium magnitude high frequency
High magnitude low frequency
Medium magnitude medium frequency
Type of internal audit assignment
Assurance
Objective examination of evidences for risk assessment
Consulting
For assistance of senior management
Frequency
Interval between audits of auditable units
Extent of testing
Directly proportional to risk matrix
Surprise testing
Resource requirement
Factors while planning the resource requirement
Nature of internal audit assignment
Scope
Complexity of the business and the transactions
Audit expertise
Quality and quantity of documentation required
Use of audit approach and audit techniques
Submission of internal audit plan