
1

If anything can go wrong, it will.


2


Risk Management & Internal Audit

Vivek Shenoy
Sr. Vice President, Risk Management
Muthoot Pappachan Group
3
Objectives
To provide a brief understanding of
Risk
How and why should risk be managed

Internal audit
Purpose, authority and responsibility of internal audit
activity
Plan engagements
Reporting and follow up











4
What is risk?
A risk is ANYTHING that may affect the achievement
of an organization's objectives.

It is the UNCERTAINTY that surrounds future events
and outcomes.

5
The Cyclist as the Risk Manager
6
Risk factors: internal
7
Risk factors: external
8
Threat vs. opportunity
Threats:
Death
Injury
Loss / damage
Health



Opportunities:
Health
Hobby
Feel good
Stress buster
9
Why Risk Management?
The only alternative to risk management is crisis
management - and crisis management is much more
expensive, time consuming and embarrassing

Risk management means more than preparing for the
worst; it also means taking advantage of opportunities
e.g. improve services or lower costs

10
Why Risk Management?
Increase risk awareness: What could go wrong?
What could go right?

Increase understanding of risk sensitivities: What
increases, decreases or makes risks disappear?

Common and consistent approach to risk

11
The risk management cycle

[Figure: Risk Management cycle, with stages labelled Identify / assess, Respond, Monitor and Feedback]
12

Risk Management is a mindset and culture.
Internal Audit helps in evangelising it

Risk Management and Internal Audit
13
Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organisation's operations. It
helps an organization accomplish its objectives by bringing a systemic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance processes.

- The Institute of Internal Auditors (IIA)

What is Internal Audit
14
Internal Audit Governance

[Organisation chart, box labels as shown on the slide:]
Board of Directors
Risk Committee of BOD
Risk Management Department
Balance Sheet & Earnings
Operational Risk
Compliance Audit
Audit Committee
15
Purpose : Providing independent and
objective assurance

Authority : Access to data, information and its
source

Responsibility : Planning the engagement,
reporting and follow up

Purpose, Authority, and Responsibility

16
Critical success factors: Positive perception by
senior management of the internal Audit activity

Marketing of IA Function: Management needs to
understand the purpose, authority and responsibility
of the internal audit activities.


Top down Support and Marketing of IA
Function

17
Knowledge : Body of knowledge necessary to
perform the internal audit activity

Skills : Level of proficiency needed to
perform the internal audit activity

Competencies : Collective knowledge, skills,
abilities, and personal attributes

Leadership



Knowledge, skills and competencies

18

What constitutes due professional care

Implications of Due Professional Care



Professional Care

19
Standards on Internal Audit (SIA)

Framework for SIA

Scope for SIA

Checklist for SIA


Internal Audit Framework by ICAI
20
Integrity

Objectivity

Confidentiality

Competency



Compliance with the IIA Code of Ethics

21
Framework for assessing risk

Assessing organisation wide risk

- Risk identification

- Risk measurement

- Risk prioritisation
Risk Based Audit Plan
22
Preliminary communication & client meeting
Site survey
Determine scope of audit
Special Requirements
Previous audit reports
CAKE
Fraud Indicators
Analytical reviews
Resource allocation
Engagement letter

Plan engagements
23
Risk
Risk Elements
Risk Assessment Process

Control
Control Elements
Types of controls (one to many, many to one)
Control design and its effectiveness

Process analysis
24
Define objective of process
Perform threat assessment
Understand control objectives
Assess strength & adequacy of controls
Determine further action
- Report
- Determine timing, extent and nature (TOC)
Process analysis (contd.)
25
Business process, Sub-process
Objective
Impact: High/Low/Medium
Impact explanation
Threats to the process
Likelihood: High/Low/Medium
Risk: High/Low/Medium
Controls in place
Control strength
Residual risk
Suggested control


Process analysis template
26


Process analysis template - BRS
27
Audit program - BRS

Review of the BRS of all bank accounts (columns: WP Ref. no., Remarks)
a. Verify the list of bank accounts provided by the Accounts Dept. and compare it with the register of bank accounts maintained by Corporate Affairs Dept.
b. Review the process within the Corporate Affairs Dept. w.r.t. maintenance of registers

Review of the long outstanding items (columns: WP Ref. no., Remarks)
a. Increase the sample size of the BRS. Perform a more substantive review of BRS. Allocate senior resource for this review
b. Look for any large reconciliation entries. Check whether any financial statements have been reframed. Also review supplier accounts, any longstanding debit etc.
28
Nine box tool

Rows: Risk Probability. Columns: Risk Impact.

Probability    Low        Medium      High
High           M 4 (0)    H 7 (2)     H 9 (4)
Medium         L 2 (1)    M 5 (13)    H 8 (14)
Low            L 1 (0)    L 3 (9)     M 6 (1)
29
Audit Program
Working paper
Evidence
Cross reference report
Issue register
Draw conclusion

Execution
30
Review of work papers
Validate process level conclusions
Develop process level recommendations
Obtain management response
Broad based conclusions: the big picture
Report engagement results
Follow up
Reporting & Follow up
31
Documentation
File contents
Review
Evidence
Consistency
Debrief
Client feedback

Independent Review (Peer)
Quality Control
32
Questions?



33
Thank You
