Teknik Penerapan Risk Based Audit (Techniques for Implementing Risk-Based Audit)


RISK BASED INTERNAL AUDITING IMPLEMENTATION

"Towards a Greater Transparency and Accountability"

IKATAN AKUNTAN INDONESIA

Jakarta, 21-23 November 2006

Inawaty Suwardi, Head of Internal Audit of


RBIA - Kongres X IAI-2006 2

Current Definition of Internal Auditing

• “An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”


Risk Based Internal Auditing

• Risk Based Internal Auditing is an approach that can help to meet those requirements

• The Standards for the Professional Practice of Internal Auditing and the associated Practice Advisories emphasize adopting a risk-based approach to internal auditing


PERFORMANCE STANDARDS

• 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.

• 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.

• 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.


Objectives of Risk Based Internal Auditing

• To provide independent assurance to the board that:
  • The risk management processes are operating as intended
  • These risk management processes are of sound design
  • The responses to risks are both adequate and effective in reducing those risks to a level acceptable to the board
  • A sound framework of controls is in place to sufficiently mitigate those risks


The Practice of RBIA

The key starting point is:
• to determine that appropriate objectives have been set
• to determine whether the business has an adequate process for identifying, assessing and managing the risks that impact on the achievement of these objectives


The Practice of RBIA….

• The extent to which internal audit needs to undertake its own risk assessment depends upon the risk management maturity within an organization


The Practice of RBIA….

Risk Management Continuum: risk maturity, key characteristics and the matching internal audit approach

Risk Naïve
  Key characteristics: No formal approach developed for risk management
  Internal audit approach: Promote risk management and rely on audit risk assessment

Risk Aware
  Key characteristics: Scattered, silo-based approach to risk management
  Internal audit approach: Promote an enterprise-wide approach to risk management and rely on audit risk assessment

Risk Defined
  Key characteristics: Strategy and policies in place and communicated; risk appetite defined
  Internal audit approach: Facilitate risk management / liaise with risk management and use management's assessment of risk where appropriate

Risk Managed
  Key characteristics: Enterprise-wide approach to risk management developed and communicated
  Internal audit approach: Audit risk management processes and use management's assessment of risk as appropriate

Risk Enabled
  Key characteristics: Risk management and internal control fully embedded into the operations
  Internal audit approach: Audit risk management processes and use management's assessment of risks as appropriate

Source: IIA UK/Ireland


The Practice of RBIA…

• The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by risk appetite), or to facilitate and/or agree improvements as necessary


RISK BASED INTERNAL AUDITING

How We Do It in


BANK RISK PROFILE

Risk rating by functional activity. The columns cover the eight risk types (Credit, Market, Liquidity, Operational, Legal, Reputation, Strategic, Compliance) plus a composite column; values are listed left to right as they appear on the slide, and a row with fewer than nine values has blank cells for risk types not rated for that activity.

Inherent risk
Credit: Low, Low, Low, Low, Low, Low, Low, Low
Treasury & Investment: Moderate, Low, Low, Low, Low, Low, Moderate, Low, Low
Operational & Services: Low, Low, Low, Low, Low, Low
Trade Finance & Bank Guarantee: Low, Low, Low, Low, Low, Low, Low
Funding: Low, Low, Low, Low, Low
IT & MIS: Low, Low, Low, Low, Low
HRM: Low, Low, Low, Low, Low
Aggregate Inherent Risk: Moderate, Low, Low, Low, Low, Low, Low, Low, Low

Risk Control System
Board and Senior Management Oversight: Strong, Strong, Strong, Strong, Strong, Strong, Strong, Strong, Strong
Policies, Procedures & Limits: Acceptable, Strong, Strong, Acceptable, Strong, Strong, Strong, Strong, Strong
Risk Assessment, Measurement & MIS: Acceptable, Strong, Strong, Acceptable, Strong, Strong, Strong, Strong, Strong
Internal Control: Strong, Strong, Strong, Acceptable, Strong, Strong, Strong, Strong, Strong
Aggregate Risk Control System: Strong, Strong, Strong, Acceptable, Strong, Strong, Strong, Strong, Strong

Composite Risk: Moderate, Low, Low, Low, Low, Low, Low, Low, Low

Prepared by the Risk Management Unit, validated by Internal Audit, submitted quarterly to BI (Bank Indonesia).


Risk Profile….Components

• The eight types of risk:
  1. Credit risk
  2. Market risk
  3. Liquidity risk
  4. Operational risk
  5. Legal risk
  6. Reputation risk
  7. Strategic risk
  8. Compliance risk

• Four elements of the risk control system:
  1. Board & senior management oversight
  2. Policies, procedures and limit structure
  3. Risk measurement, monitoring & management reporting system
  4. Internal control


RISK BASED AUDIT APPROACH in BCA

• Annual audit planning (macro risk assessment)

• Individual engagement planning (micro risk assessment)

• Performing risk-focused auditing

• Rating the risk control system


MACRO RISK ASSESSMENT

• Identification, measurement and prioritization of audit areas

• Is used to create the annual audit plan

• Helps to allocate audit resources to the most important aspects of the enterprise


Macro Risk Assessment Process

1. Define the audit universe
2. Assess each auditable unit/area with respect to:
   • the level of inherent risk in each of the eight risk types, by business activity (liaise with the Risk Management Unit)
   • the previous audit rating and the time elapsed since the last audit
3. Develop the annual audit plan based on the ranked audit universe
4. Seek approval from the President Director and the Board of Commissioners


Macro Risk Assessment Process…

Audit universe and auditable units:

Head Office: 23 business & supporting functions / units
Regional Offices: 12
Branches: 118 main branches and 665 sub-branches
Subsidiary companies: 3
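The ranking step of the macro risk assessment, as an added example in Python (not code from the deck or from BCA). It builds a small audit universe and ranks each unit on the three factors the deck names: inherent risk across the eight risk types, the previous audit rating (on the deck's 1-10 scale, where 10 is very weak) and the time since the last audit, then fills an audit-day budget in priority order. The unit names, risk levels, ratings, ages and effort figures are constructed for illustration, and the weights, the 36-month cap and the treatment of never-audited units are assumptions; the deck gives no formula.

```python
"""Macro risk assessment: rank the audit universe and fill the annual plan.
Added example; weights and scales are assumptions, not the deck's."""
from dataclasses import dataclass
from typing import Optional

RISK_TYPES = ("Credit", "Market", "Liquidity", "Operational", "Legal",
              "Reputation", "Strategic", "Compliance")
LEVEL = {"Low": 1, "Moderate": 2, "High": 3}

# ASSUMPTION: relative weights of the three factors the deck names.
WEIGHTS = {"inherent": 0.5, "rating": 0.3, "staleness": 0.2}
STALE_CAP_MONTHS = 36  # ASSUMPTION: beyond three years, age adds no further urgency


@dataclass
class AuditableUnit:
    name: str
    inherent: dict                    # risk type -> "Low"/"Moderate"/"High"/"n/a" (from the Risk Management Unit)
    last_audit_rating: Optional[int]  # 1 (very strong) .. 10 (very weak); None = never audited
    months_since_audit: int
    audit_days: int                   # effort a review of this unit would take


def inherent_score(inherent):
    """Mean level over the rated risk types, scaled to 0..1 (High on every type = 1)."""
    rated = [LEVEL[v] for v in inherent.values() if v != "n/a"]
    return sum(rated) / (3 * len(rated)) if rated else 0.0


def priority(unit):
    """Weighted 0..1 priority; higher means audit sooner."""
    # ASSUMPTION: a never-audited unit is treated as if its last rating were the weakest.
    rating = 10 if unit.last_audit_rating is None else unit.last_audit_rating
    stale = min(unit.months_since_audit, STALE_CAP_MONTHS) / STALE_CAP_MONTHS
    return round(WEIGHTS["inherent"] * inherent_score(unit.inherent)
                 + WEIGHTS["rating"] * rating / 10
                 + WEIGHTS["staleness"] * stale, 4)


def rank_universe(units):
    """Ranked audit universe, highest priority first; ties broken by name for a stable plan."""
    return sorted(units, key=lambda u: (-priority(u), u.name))


def annual_plan(units, budget_days):
    """Fill the audit-day budget in priority order; units that do not fit carry over."""
    plan, used = [], 0
    for unit in rank_universe(units):
        if used + unit.audit_days <= budget_days:
            plan.append(unit.name)
            used += unit.audit_days
    return plan, used


def levels(**kw):
    """Full eight-type profile, defaulting unlisted risk types to Low."""
    return {t: kw.get(t, "Low") for t in RISK_TYPES}


# Constructed sample universe (illustrative data, not figures from the deck).
SAMPLE_UNIVERSE = [
    AuditableUnit("Treasury & Investment",
                  levels(Credit="Moderate", Market="Moderate", Liquidity="Moderate", Strategic="Moderate"),
                  last_audit_rating=5, months_since_audit=14, audit_days=30),
    AuditableUnit("Consumer Loan Processing",
                  levels(Credit="Moderate", Market="n/a", Liquidity="n/a", Operational="Moderate"),
                  last_audit_rating=4, months_since_audit=20, audit_days=25),
    AuditableUnit("HRM", levels(), last_audit_rating=2, months_since_audit=8, audit_days=10),
    AuditableUnit("IT & MIS", levels(Operational="Moderate"),
                  last_audit_rating=7, months_since_audit=30, audit_days=40),
    AuditableUnit("Sub-branch (never audited)",
                  levels(Market="n/a", Liquidity="n/a", Strategic="n/a",
                         Operational="Moderate", Compliance="Moderate"),
                  last_audit_rating=None, months_since_audit=48, audit_days=5),
]

if __name__ == "__main__":
    for u in rank_universe(SAMPLE_UNIVERSE):
        print(f"{priority(u):.4f}  {u.name}")
    print(annual_plan(SAMPLE_UNIVERSE, budget_days=80))  # (['Sub-branch (never audited)', 'IT & MIS', 'Treasury & Investment'], 75)
```

The never-audited sub-branch outranks the head-office units despite low inherent risk, which is the point of carrying audit age and missing prior ratings as explicit factors: a plan driven by inherent risk alone would never reach it.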


Micro Risk Assessment

• The primary focus of RBIA is to provide reasonable assurance to the Board and top management about the adequacy and effectiveness of the risk management and control framework in the bank’s operations

• While examining the effectiveness of the control framework, RBIA should report on the proper recording and reporting of major exceptions and excesses. Transaction testing continues to be an essential aspect of RBIA

• The extent of transaction testing is determined by the risk assessment

• The micro risk assessment is done at the planning stage of an individual audit engagement


MICRO RISK ASSESSMENT: RISK PROFILE MATRIX

Rows are the inherent business risk (LOW, MODERATE, HIGH); columns are the strength of the risk control systems (WEAK, ACCEPTABLE, STRONG). Each cell gives the aggregate risk and the review scope it implies.

LOW inherent business risk
  Weak controls: low to moderate aggregate risk; limited review
  Acceptable controls: low aggregate risk; no review required
  Strong controls: low aggregate risk; no review required

MODERATE inherent business risk
  Weak controls: moderate to high aggregate risk; full-scope review required
  Acceptable controls: moderate aggregate risk; limited review
  Strong controls: low to moderate aggregate risk; limited review

HIGH inherent business risk
  Weak controls: high aggregate risk; full-scope review required
  Acceptable controls: high aggregate risk; limited review
  Strong controls: moderate to high aggregate risk; limited review


OVERVIEW OF THE MICRO RISK BASED AUDIT APPROACH

Audit planning
  Risk assessment: risk identification; risk measurement and prioritization; preliminary risk profile
  Risk profile matrix (sets the audit focus)
  Audit program / tools

Fieldwork
  Fieldwork procedures: assessment of internal control, risk management and corporate governance, both in design (adequacy) and in application (effectiveness)
  Risk control assessment tools
  Observations / findings (residual risk)

Reporting
  Audit rating
  Audit report


RISK FOCUSED EXAMINATION

• Identification of the inherent business risks in the various activities undertaken by the business

• Evaluation of the effectiveness of the control systems for the monitoring of the inherent risks of the business activities

• Assign Risk Based Rating to the Control System


Risk Based Rating

1. Finding / observation: a breach of a key control
2. Risk scenario generation: classify the scenario under one of the 8 types of risk; if it is operational risk, refer to the loss event type classification (Basel)
3. Assess impact (L2, L1, M, H1, H2) and likelihood (L2, L1, M, H1, H2)
4. Control risk ranking & score: Extreme, High, Moderate or Low, with a score of 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20 or 25
5. Risk control rating: Very Strong, Strong, Acceptable, Weak or Very Weak (1 to 5), on a rating scale of 1-10

Loss Event Type Classification (Basel operational risk event types, categories and activity examples)

Event type: Internal Fraud
  Unauthorized activity: transaction not reported; transaction type unauthorized; mismarking of position
  Theft and fraud: fraud / credit fraud / worthless deposits; theft / extortion / embezzlement / robbery; misappropriation of assets; malicious destruction of assets; forgery; check kiting; smuggling; bribes / kickbacks; etc.

Event type: External Fraud
  Theft and fraud: theft / robbery; forgery; check kiting
  Systems security: hacking damage; theft of information

Event type: Employment Practices and Workplace Safety
  Employee relations: compensation, benefit, termination issues; organized labour activity
  Safe environment: general liability; employee health & safety rule events; workers compensation
  Diversity & discrimination: all discrimination types

Event type: Clients, Products & Business Practices
  Suitability, disclosure & fiduciary: fiduciary breaches / guideline violations; suitability / disclosure issues (KYC etc.); retail consumer disclosure violations; breach of privacy; aggressive sales; lender liability; etc.
  Improper business or market practices: antitrust; improper trade / market practices; market manipulation; insider trading; etc.
  Product flaws: product defects; model errors
  Selection, sponsorship & exposure: failure to investigate client per guidelines; exceeding client exposure limits
  Advisory activities: disputes over performance of advisory activities

Event type: Damage to Physical Assets
  Disasters and other events: natural disaster losses; human losses from external sources (terrorism, vandalism)

Event type: Business Disruption and System Failures
  Systems: hardware; software; telecommunications; utility outage / disruptions

Event type: Execution, Delivery & Process Management
  Transaction capture, execution & maintenance: miscommunication; data entry, maintenance or loading error; missed deadline or responsibility; collateral management failure; etc.
  Monitoring & reporting: failed mandatory reporting obligation; inaccurate external report (loss incurred)
  Customer intake and documentation: client permissions / disclaimers missing; legal documents missing / incomplete
  Customer / client account management: unapproved access given to accounts; incorrect client records (loss incurred); negligent loss or damage of client assets
  Trade counterparties: non-client counterparty misperformance; misc. non-client counterparty disputes
  Vendors & suppliers: outsourcing; vendor disputes


Example of Scenario Generation

Case: consumer loan processing

Observation:
• The weakest step in the processing flow is the registration of collateral, because it has no system support and no standardized documents
• One error has been recorded (with no financial loss) in the last 5 years
• Operating volume is approximately 5,000 new loans per year, with an average amount of Rp 1 billion

Generated scenario:
• Risk factor: processing risk
• Loss event: transaction capture, execution & maintenance
• Description of scenario: because of insufficient system support and complicated documents, a staff member forgets to register the collateral of a loan; as a result, the bank cannot recover the loan from the collateral
• Loss severity: Rp 3 billion (from the analysis of the loan amount distribution)
• Loss frequency: once in 5 years (from the analysis of historical loss frequency)

Scenarios are generated based on the result of the qualitative assessment. Factors such as the identified control weakness, internal loss experience, business environment and relevant industry loss experience are taken into consideration in generating the scenario.


Generated scenario: mapping to the rating

• Mapping to the Control Risk Ranking & Score matrix: impact Moderate (M), likelihood Unlikely (L1); score 6 = MODERATE

• Mapping to the table of Risk Control Rating: Moderate impact and Low 1 (L1) likelihood, score 6; the Risk Control Rating for the process is 5 = ACCEPTABLE


CONTROL RISK RANKING & SCORE

Impact (columns): Low (L2) = 1, Minor (L1) = 2, Moderate (M) = 3, Major (H1) = 4, Critical (H2) = 5.
Likelihood (rows): Rare (L2) = 1, Unlikely (L1) = 2, Possible (M) = 3, Likely (H1) = 4, Almost Certain (H2) = 5.
Every cell's score is impact × likelihood; the ranking (Low, Moderate, High, Extreme) is read from the cell, not from the score alone (a score of 4, for example, ranks Low, Moderate or High depending on the cell).

Likelihood \ Impact | Low (L2) | Minor (L1) | Moderate (M) | Major (H1) | Critical (H2)
Rare (L2) | Low 1 | Low 2 | Moderate 3 | High 4 | High 5
Unlikely (L1) | Low 2 | Low 4 | Moderate 6 | High 8 | Extreme 10
Possible (M) | Low 3 | Moderate 6 | High 9 | Extreme 12 | Extreme 15
Likely (H1) | Moderate 4 | High 8 | High 12 | Extreme 16 | Extreme 20
Almost Certain (H2) | Moderate 5 | High 10 | Extreme 15 | Extreme 20 | Extreme 25


RISK CONTROL RATING

Each cell of the Control Risk Ranking & Score matrix maps to a rating from 1 to 10 and to a Risk Control System (RCS) rating. Columns: Ranking | Score | Impact | Likelihood | Rating | Risk Control System (RCS)

Low | 1 | Low 2 | Low 2 | 1 | Very Strong
Low | 2 | Low 2 | Low 1 | 1 | Very Strong
Low | 2 | Low 1 | Low 2 | 1 | Very Strong
Low | 3 | Low 2 | Moderate | 2 | Strong
Low | 4 | Low 1 | Low 1 | 2 | Strong
Moderate | 3 | Moderate | Low 2 | 3 | Acceptable
Moderate | 4 | Low 2 | High 1 | 3 | Acceptable
Moderate | 5 | Low 2 | High 2 | 4 | Acceptable
Moderate | 6 | Low 1 | Moderate | 5 | Acceptable
Moderate | 6 | Moderate | Low 1 | 5 | Acceptable
High | 4 | High 1 | Low 2 | 6 | Weak
High | 5 | High 2 | Low 2 | 6 | Weak
High | 8 | High 1 | Low 1 | 7 | Weak
High | 8 | Low 1 | High 1 | 7 | Weak
High | 9 | Moderate | Moderate | 8 | Weak
High | 10 | Low 1 | High 2 | 9 | Weak
High | 12 | Moderate | High 1 | 9 | Weak
Extreme | 10 | High 2 | Low 1 | 10 | Very Weak
Extreme | 12 | High 1 | Moderate | 10 | Very Weak
Extreme | 15 | Moderate | High 2 | 10 | Very Weak
Extreme | 15 | High 2 | Moderate | 10 | Very Weak
Extreme | 16 | High 1 | High 1 | 10 | Very Weak
Extreme | 20 | High 1 | High 2 | 10 | Very Weak
Extreme | 20 | High 2 | High 1 | 10 | Very Weak
Extreme | 25 | High 2 | High 2 | 10 | Very Weak

Axes of the chart: control risk runs from Low to Extreme; control effectiveness runs from Very Strong to Very Weak.


RISK CONTROL RATING, example: consumer loan

Each component of the control framework receives a rating (1-10) and is rated across the applicable risk types (Credit, Market, Liquidity, Operational, Legal, Reputation, Strategic, Compliance); only the risk types rated for this product have entries, listed left to right as on the slide.

Control Environment (rating 2): Strong, Strong, Strong, Strong
Risk Assessment (rating 5): Acceptable, Acceptable, Strong
Control Activities (rating 6): Acceptable, Acceptable, Acceptable
Information & Communication (rating 5): Acceptable, Strong, Acceptable
Monitoring (rating 2): Strong, Strong
Risk Control System (rating 4): Acceptable


RISK PROFILE, example: consumer loan

Columns: Description | Composite | Credit | Market | Liquidity | Operational | Legal | Reputation | Strategic | Compliance

Inherent risk | Moderate | Moderate | n/a | n/a | Moderate | Low | Low | Low | Low
Risk control system | Acceptable | Acceptable | n/a | n/a | Acceptable | Strong | Strong | Strong | Acceptable
Residual risk | Moderate | Moderate | n/a | n/a | Moderate | Low | Low | Low | Low
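The scoring arithmetic of the micro risk assessment (the risk profile matrix, the Risk Based Rating flow, the Control Risk Ranking & Score matrix, the Risk Control Rating table and the two consumer loan examples above), as an added example in Python; this is not code from the deck or from BCA. It encodes the 25-cell rating table, checks it against the impact × likelihood scores, rolls the five component ratings into one Risk Control System rating, and turns inherent risk plus control strength into residual risk and review scope. Two rules are assumptions because the deck does not state them: the component roll-up is the arithmetic mean (it reproduces the consumer loan example, 2, 5, 6, 5, 2 giving 4), and Very Strong/Strong and Weak/Very Weak fold onto the matrix's Strong and Weak columns.

```python
"""Micro risk assessment scoring from the deck: score, ranking, rating,
Risk Control System roll-up and risk profile matrix. Added example."""
from statistics import mean

# Shared five-point scale. Impact: L2 Low, L1 Minor, M Moderate, H1 Major,
# H2 Critical. Likelihood: L2 Rare, L1 Unlikely, M Possible, H1 Likely,
# H2 Almost Certain.
LEVEL = {"L2": 1, "L1": 2, "M": 3, "H1": 4, "H2": 5}

# Risk Control Rating table: (impact, likelihood) ->
# (control risk ranking, rating 1-10, Risk Control System rating).
RATING_TABLE = {
    ("L2", "L2"): ("Low", 1, "Very Strong"), ("L2", "L1"): ("Low", 1, "Very Strong"),
    ("L1", "L2"): ("Low", 1, "Very Strong"), ("L2", "M"): ("Low", 2, "Strong"),
    ("L1", "L1"): ("Low", 2, "Strong"),
    ("M", "L2"): ("Moderate", 3, "Acceptable"), ("L2", "H1"): ("Moderate", 3, "Acceptable"),
    ("L2", "H2"): ("Moderate", 4, "Acceptable"), ("L1", "M"): ("Moderate", 5, "Acceptable"),
    ("M", "L1"): ("Moderate", 5, "Acceptable"),
    ("H1", "L2"): ("High", 6, "Weak"), ("H2", "L2"): ("High", 6, "Weak"),
    ("H1", "L1"): ("High", 7, "Weak"), ("L1", "H1"): ("High", 7, "Weak"),
    ("M", "M"): ("High", 8, "Weak"), ("L1", "H2"): ("High", 9, "Weak"),
    ("M", "H1"): ("High", 9, "Weak"),
    ("H2", "L1"): ("Extreme", 10, "Very Weak"), ("H1", "M"): ("Extreme", 10, "Very Weak"),
    ("M", "H2"): ("Extreme", 10, "Very Weak"), ("H2", "M"): ("Extreme", 10, "Very Weak"),
    ("H1", "H1"): ("Extreme", 10, "Very Weak"), ("H1", "H2"): ("Extreme", 10, "Very Weak"),
    ("H2", "H1"): ("Extreme", 10, "Very Weak"), ("H2", "H2"): ("Extreme", 10, "Very Weak"),
}

# Risk profile matrix: (inherent business risk, control column) -> (aggregate risk, review scope).
PROFILE_MATRIX = {
    ("Low", "Weak"): ("Low to moderate", "Limited review"),
    ("Low", "Acceptable"): ("Low", "No review required"),
    ("Low", "Strong"): ("Low", "No review required"),
    ("Moderate", "Weak"): ("Moderate to high", "Full-scope review required"),
    ("Moderate", "Acceptable"): ("Moderate", "Limited review"),
    ("Moderate", "Strong"): ("Low to moderate", "Limited review"),
    ("High", "Weak"): ("High", "Full-scope review required"),
    ("High", "Acceptable"): ("High", "Limited review"),
    ("High", "Strong"): ("Moderate to high", "Limited review"),
}


def score(impact, likelihood):
    """Cell score of the Control Risk Ranking & Score matrix: impact x likelihood."""
    return LEVEL[impact] * LEVEL[likelihood]


def rate_finding(impact, likelihood):
    """Risk Based Rating flow for one finding: score, ranking, 1-10 rating and RCS rating."""
    ranking, rating, rcs = RATING_TABLE[(impact, likelihood)]
    return {"score": score(impact, likelihood), "ranking": ranking, "rating": rating, "rcs": rcs}


def rating_to_rcs(rating):
    """Bands of the rating table: 1 Very Strong, 2 Strong, 3-5 Acceptable, 6-9 Weak, 10 Very Weak."""
    if rating <= 1:
        return "Very Strong"
    if rating == 2:
        return "Strong"
    if rating <= 5:
        return "Acceptable"
    if rating <= 9:
        return "Weak"
    return "Very Weak"


def aggregate_components(component_ratings):
    """Roll the component ratings (control environment, risk assessment, control activities,
    information & communication, monitoring) into one RCS rating.
    ASSUMPTION: rounded arithmetic mean; it reproduces the consumer loan example (2,5,6,5,2 -> 4)."""
    rating = round(mean(component_ratings))
    return rating, rating_to_rcs(rating)


def control_column(rcs):
    """ASSUMPTION: fold the five RCS levels onto the matrix's three columns."""
    return {"Very Strong": "Strong", "Strong": "Strong", "Acceptable": "Acceptable",
            "Weak": "Weak", "Very Weak": "Weak"}[rcs]


def profile(inherent, rcs):
    """(aggregate/residual risk, review scope) for one risk type."""
    return PROFILE_MATRIX[(inherent, control_column(rcs))]


def residual_profile(inherent_by_type, rcs_by_type):
    """Residual risk per risk type in the consumer loan layout; 'n/a' passes through."""
    return {t: "n/a" if inherent_by_type[t] == "n/a" else profile(inherent_by_type[t], rcs_by_type[t])[0]
            for t in inherent_by_type}


def table_is_consistent():
    """Self-check: all 25 cells present and each RCS label agrees with its rating band."""
    return len(RATING_TABLE) == 25 and all(rating_to_rcs(r) == rcs for _, r, rcs in RATING_TABLE.values())


if __name__ == "__main__":
    # Collateral registration scenario: impact M, likelihood L1.
    print(rate_finding("M", "L1"))                # score 6, Moderate, rating 5, Acceptable
    print(aggregate_components([2, 5, 6, 5, 2]))  # (4, 'Acceptable')
    print(profile("Moderate", "Acceptable"))      # ('Moderate', 'Limited review')
    inherent = {"Credit": "Moderate", "Market": "n/a", "Operational": "Moderate", "Legal": "Low"}
    rcs = {"Credit": "Acceptable", "Market": "n/a", "Operational": "Acceptable", "Legal": "Strong"}
    print(residual_profile(inherent, rcs))        # {'Credit': 'Moderate', 'Market': 'n/a', 'Operational': 'Moderate', 'Legal': 'Low'}
```

The table is keyed by cell rather than by score on purpose: the same score (4, 5, 8, 10 or 12) ranks differently depending on whether it comes from a severe-but-rare event or a minor-but-frequent one, so a lookup on the product alone would mis-rate a quarter of the matrix.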
