Vivek Shenoy
Sr. Vice President Risk Management
Muthoot Pappachan Group
3 Objectives
To provide a brief understanding of risk
How and why should risk be managed
Internal audit
Purpose, authority and responsibility of internal audit activity
Plan engagements
Reporting and follow up
4 What is risk?
A risk is ANYTHING that may affect the achievement of an organization's objectives.
It is the UNCERTAINTY that surrounds future events and outcomes.
5 The Cyclist as the Risk Manager
6 Risk factors internal
7 Risk factors external
8 Threat vs opportunity
Threats: Death, Injury, Loss / damage, Health
Opportunities: Health, Hobby, Feel good, Stress buster
9 Why Risk Management?
The only alternative to risk management is crisis management - and crisis management is much more expensive, time consuming and embarrassing
Risk management means more than preparing for the worst; it also means taking advantage of opportunities, e.g. to improve services or lower costs
10 Why Risk Management?
Increase risk awareness. What could go wrong? What could go right?
Increase understanding of risk sensitivities. What increases, decreases or makes risks disappear?
Common and consistent approach to risk
11 The risk management cycle
[Figure: Risk Management cycle, with stages labelled Monitor, Respond, Feedback, Identify / assess]
12
Risk Management is a mindset and culture. Internal Audit helps in evangelising it.
Risk Management and Internal Audit
13 Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organization accomplish its objectives by bringing a systemic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
- The Institute of Internal Auditors (IIA)
What is Internal Audit
14 Internal Audit Governance
Board of Directors Risk Committee of BOD Risk Management Department Balance Sheet & Earnings Operational Risk Compliance Audit Audit Committee
15 Purpose: Providing independent and objective assurance
Authority: Access to data, information and its source
Responsibility: Planning the engagement, reporting and follow up
Purpose, Authority, and Responsibility
16 Critical success factors: Positive perception by senior management of the internal audit activity
Marketing of IA Function: Management needs to understand the purpose, authority and responsibility of the internal audit activities.
Top down Support and Marketing of IA Function
17 Knowledge: Body of knowledge necessary to perform the internal audit activity
Skills: Level of proficiency needed to perform the internal audit activity
Competencies: Collective knowledge, skills, abilities, and personal attributes
Leadership
Knowledge, skills and competencies
18
What constitutes due professional care
Implications of Due Professional Care
Professional Care
19 Standards on Internal Audit (SIA)
Framework for SIA
Scope for SIA
Checklist for SIA
Internal Audit Framework by ICAI
20 Integrity
Objectivity
Confidentiality
Competency
Compliance with the IIA Code of Ethics
21 Framework for assessing risk
Assessing organisation wide risk
- Risk identification
- Risk measurement
- Risk prioritisation
Risk Based Audit Plan
22 Preliminary communication & client meeting
Site survey
Determine scope of audit
Special Requirements
Previous audit reports
CAKE
Fraud Indicators
Analytical reviews
Resource allocation
Engagement letter
Plan engagements
23 Risk
- Risk Elements
- Risk Assessment Process
Control
- Control Elements
- Types of controls (one to many, many to one)
- Control design and its effectiveness
Process analysis
24 Define objective of process
Perform threat assessment
Understand control objectives
Assess strength & adequacy of controls
Determine further action
- Report
- Determine timing, extent and nature (TOC)
Process analysis contd
25 Business process, Sub-process
Objective
Impact (High/Low/Medium)
Impact explanation
Threats to the process
Likelihood (High/Low/Medium)
Risk (High/Low/Medium)
Controls in place
Control strength
Residual risk
Suggested control
Process analysis template
26
Process analysis template - BRS
27 Review of the BRS of all bank accounts WP Ref.no. Remarks
a. Verify the list of bank accounts provided by the Accounts Dept. and compare it with the register of bank accounts maintained by the Corporate Affairs Dept.
b. Review the process within the Corporate Affairs Dept. w.r.t. maintenance of registers
Audit program - BRS
Review of the long outstanding items WP Ref.no. Remarks
a. Increase the sample size of the BRS. Perform a more substantive review of BRS. Allocate senior resource for this review.
b. Look for any large reconciliation entries. Check whether any financial statements have been reframed. Also review supplier accounts, any longstanding debit etc.
28 Nine box tool
Risk Probability (rows) against Risk Impact (columns)
Risk Probability   Low        Medium      High
High               M 4 (0)    H 7 (2)     H 9 (4)
Medium             L 2 (1)    M 5 (13)    H 8 (14)
Low                L 1 (0)    L 3 (9)     M 6 (1)
29 Audit Program
Working paper
Evidence
Cross reference report
Issue register
Draw conclusion
Execution
30 Review of work papers
Validate process level conclusions
Develop process level recommendations
Obtain management response
Broad based conclusions - the big picture
Report engagement results
Follow up
Reporting & Follow up
31 Documentation
File contents
Review
Evidence
Consistency
Debrief
Client feedback
Independent Review (Peer)
Quality Control
32 Questions?