
RISK BASED INTERNAL AUDITING IMPLEMENTATION
"Towards a Greater Transparency and Accountability"
IKATAN AKUNTAN INDONESIA
Jakarta, 21-23 November 2006
Inawaty Suwardi
Head of Internal Audit
of
RBIA - Kongres X IAI-2006 2
Current Definition of Internal Auditing

An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Risk Based Internal Auditing

Risk Based Internal Auditing is an approach that can help to meet those requirements.

The Standards for the Professional Practice of Internal Auditing and the associated Practice Advisories emphasize adopting a Risk-based approach to internal auditing.
PERFORMANCE STANDARDS

2010.A1 The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.

2120.A1 Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.

2210.A1 When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
Objectives of Risk Based Internal Auditing

To provide independent assurance to the board that:
- the risk management processes are operating as intended
- these risk management processes are of sound design
- the responses to risks are both adequate and effective in reducing those risks to a level acceptable to the board
- a sound framework of controls is in place to sufficiently mitigate those risks
The Practice of RBIA

The key starting point is:
- to determine that appropriate objectives have been set
- to determine whether the business has an adequate process for identifying, assessing and managing the risks that impact on the achievement of these objectives
The Practice of RBIA

The extent to which internal audit needs to undertake its own risk assessment depends upon the risk management maturity within an organization.
The Practice of RBIA

Risk Management Continuum (Source: IIA UK/Ireland)

Risk Maturity | Key Characteristics | Internal Audit Approach
Risk Naïve | No formal approach developed for risk management | Promote risk management and rely on audit risk assessment
Risk Aware | Scattered, silo-based approach to risk management | Promote an enterprise-wide approach to risk management and rely on audit risk assessment
Risk Defined | Strategy and policies in place and communicated; risk appetite defined | Facilitate risk management / liaise with risk management and use management's assessment of risk when appropriate
Risk Managed | Enterprise-wide approach to risk management developed and communicated | Audit risk management processes and use management's assessment of risk as appropriate
Risk Enabled | Risk management and internal control fully embedded into the operations | Audit risk management processes and use management's assessment of risks as appropriate
The Practice of RBIA

The end result of each audit assignment should be:
- to give assurance that risks are being managed to an acceptable level (as determined by risk appetite), or
- to facilitate and/or agree improvements as necessary

RISK BASED INTERNAL AUDITING
How We Do It
in
BANK RISK PROFILE

Risk rating by functional activity. Cells are given in the order Credit Risk, Market Risk, Liquidity Risk, Operational Risk, Legal Risk, Reputation Risk, Strategic Risk, Compliance Risk, Composite Risk; rows with fewer cells had blank columns on the original slide.

Inherent Risk
Credit | Low Low Low Low Low Low Low Low
Treasury & Investment | Moderate Low Low Low Low Low Moderate Low Low
Operational & Services | Low Low Low Low Low Low
Trade Finance & Bank Guarantee | Low Low Low Low Low Low Low
Funding | Low Low Low Low Low
IT & MIS | Low Low Low Low Low
HRM | Low Low Low Low Low
Aggregate Inherent Risk | Moderate Low Low Low Low Low Low Low Low

Risk Control System
Board and Senior Management Oversight | Strong Strong Strong Strong Strong Strong Strong Strong Strong
Policies, Procedures & Limits | Acceptable Strong Strong Acceptable Strong Strong Strong Strong Strong
Risk Assessment, Measurement & MIS | Acceptable Strong Strong Acceptable Strong Strong Strong Strong Strong
Internal Control | Strong Strong Strong Acceptable Strong Strong Strong Strong Strong
Aggregate Risk Control System | Strong Strong Strong Acceptable Strong Strong Strong Strong Strong

Composite Risk | Moderate Low Low Low Low Low Low Low Low

Prepared by the Risk Management Unit, validated by Internal Audit, submitted quarterly to BI.
Risk Profile Components

The eight types of Risk
1. Credit Risk
2. Market Risk
3. Liquidity Risk
4. Operational Risk
5. Legal Risk
6. Reputation Risk
7. Strategic Risk
8. Compliance Risk

Four Elements of Risk Control System
1. Board & Senior Management Oversight
2. Policies, procedures and Limit structure
3. Risk measurement, monitoring & management reporting system
4. Internal Control
RISK BASED AUDIT APPROACH in BCA

1. Annual Audit Planning (Macro Risk Assessment)
2. Individual Engagement Planning (Micro Risk Assessment)
3. Performing Risk-Focused auditing
4. Rating the Risk Control System
MACRO RISK ASSESSMENT

Identification, measurement and prioritization of audit areas:
- is used to create the annual audit plan
- helps to allocate audit resources to the most important aspects of the enterprise
Macro Risk Assessment Process

1. Define the Audit Universe
2. Assess each auditable unit/area with respect to:
   - the level of each of the eight inherent risks by business activity (liaise with the Risk Management Unit)
   - the previous audit rating and the time elapsed since the last audit
3. Develop the Annual Audit Plan based on the ranked Audit Universe
4. Seek approval from the President Director and the Board of Commissioners
Macro Risk Assessment Process: the Audit Universe

Audit Universe | Auditable Units
Head Office | 23 Business & Supporting functions / units
Regional Office | 12 Regional Offices
Branches | 118 Main Branches and 665 Sub Branches
Subsidiary Companies | 3 Subsidiaries
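The ranking step of the macro risk assessment combines the three factors the slides name (the level of the eight inherent risks per activity, the previous audit rating, and the time elapsed since the last audit) but gives no scoring rule. The Python below is an added example, not code from the presentation or from BCA: the point values, the 36-month rotation rule that forces overdue units into the plan, and the sample audit universe are assumptions chosen for the illustration.

```python
"""Macro risk assessment: rank the audit universe and draft an annual audit plan.

Added example, not code from the presentation. Point values, weights, the
36-month rotation rule and the sample units are assumptions; the three ranking
factors (inherent risk by risk type, previous audit rating, time since the last
audit) are the ones named on the slide.
"""
from dataclasses import dataclass, field

RISK_TYPES = ("Credit", "Market", "Liquidity", "Operational",
              "Legal", "Reputation", "Strategic", "Compliance")
INHERENT_POINTS = {"Low": 1, "Moderate": 2, "High": 3}
# A poorer previous audit rating earns more priority points (assumed scale).
PRIOR_RATING_POINTS = {"Very Strong": 0, "Strong": 0, "Acceptable": 1,
                       "Weak": 2, "Very Weak": 3}


@dataclass
class AuditableUnit:
    name: str
    inherent: dict = field(default_factory=dict)  # risk type -> Low/Moderate/High (from RMU)
    last_rating: str = "Acceptable"
    months_since_audit: int = 0


def priority_score(unit):
    """Assumed scoring: 2 points per inherent-risk point over the eight risk
    types, 4 points per previous-rating point, and 1 point per full year since
    the last audit (capped at 3). Risk types the RMU has not rated count as Low."""
    inherent = sum(INHERENT_POINTS[unit.inherent.get(t, "Low")] for t in RISK_TYPES)
    rating = PRIOR_RATING_POINTS[unit.last_rating]
    age = min(unit.months_since_audit, 36) // 12
    return 2 * inherent + 4 * rating + age


def rank_universe(units):
    """Ranked Audit Universe: highest priority first, unit name as tie-breaker."""
    return sorted(units, key=lambda u: (-priority_score(u), u.name))


def build_annual_plan(units, capacity, max_gap_months=36):
    """Draft the annual plan to be submitted for approval. Units not audited
    within max_gap_months are mandatory (assumed rotation rule); the remaining
    capacity goes to the highest-ranked units. Fails loudly if the overdue
    units alone exceed the capacity, since that gap must be escalated."""
    ranked = rank_universe(units)
    mandatory = [u for u in ranked if u.months_since_audit >= max_gap_months]
    if len(mandatory) > capacity:
        raise ValueError(f"{len(mandatory)} overdue units exceed capacity {capacity}")
    optional = [u for u in ranked if u not in mandatory]
    plan = mandatory + optional[: capacity - len(mandatory)]
    return [u.name for u in plan]


# Constructed sample universe (not BCA data).
SAMPLE_UNIVERSE = [
    AuditableUnit("Consumer Loan", {"Credit": "Moderate", "Operational": "Moderate"},
                  "Acceptable", 18),
    AuditableUnit("Treasury & Investment",
                  {"Credit": "Moderate", "Market": "High", "Liquidity": "Moderate"},
                  "Strong", 30),
    AuditableUnit("Regional Office 7", {}, "Weak", 40),
    AuditableUnit("IT & MIS", {"Operational": "Moderate"}, "Acceptable", 6),
    AuditableUnit("Subsidiary A", {}, "Strong", 48),
]

if __name__ == "__main__":
    for u in rank_universe(SAMPLE_UNIVERSE):
        print(f"{priority_score(u):3d}  {u.name}")
    # With capacity for three engagements the two overdue units are taken first,
    # then the best-ranked remaining unit.
    print("Plan:", build_annual_plan(SAMPLE_UNIVERSE, capacity=3))
```

Because the factors are additive, a unit with uniformly Low inherent risk can still reach the top of the ranking on the strength of a Weak previous rating and a long gap since its last audit (Regional Office 7 in the sample), which is exactly the case the previous-rating and time-lapse factors exist to catch.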
Micro Risk Assessment

The primary focus of RBIA is to provide reasonable assurance to the Board and top management about the adequacy and effectiveness of the risk management and control framework in the bank's operations.

While examining the effectiveness of the control framework, the RBIA should report on proper recording and reporting of major exceptions and excesses. Transaction testing would continue to remain an essential aspect of RBIA; the extent of transaction testing will have to be determined based on the risk assessment.

The Micro Risk Assessment is done at the planning stage of an individual audit engagement.
MICRO RISK ASSESSMENT
RISK PROFILE MATRIX

Rows: inherent business risk. Columns: risk control systems. Each cell gives the aggregate risk and the resulting audit focus.

Inherent Business Risk | WEAK | ACCEPTABLE | STRONG
LOW | Low to moderate aggregate risk: limited review | Low aggregate risk: no review required | Low aggregate risk: no review required
MODERATE | Moderate to high aggregate risk: full scope review required | Moderate aggregate risk: limited review | Low to moderate aggregate risk: limited review
HIGH | High aggregate risk: full-scope review required | High aggregate risk: limited review | Moderate to high aggregate risk: limited review
OVERVIEW MICRO RISK BASED AUDIT APPROACH

(Flow diagram on the original slide; the recoverable labels are listed by phase.)

AUDIT PLANNING: Risk Assessment (Risk Identification, Risk Measurement, Prioritization) produces the Risk Profile; the RISK PROFILE MATRIX sets the audit focus.
FIELDWORK: Preliminary Fieldwork Procedures; Assessment of Internal Control, Risk Management and Corporate Governance, covering Design (Adequacy) and Application (Effectiveness), supported by the Audit Program / Tools and the RISK CONTROL ASSESSMENT TOOLS.
REPORTING: OBSERVATIONS/FINDINGS (residual risk) and the Audit Report.
AUDIT RATING.
RISK FOCUSED EXAMINATION

- Identification of the inherent business risks in the various activities undertaken by the business
- Evaluation of the effectiveness of the control systems for the monitoring of the inherent risks of the business activities
- Assignment of a Risk Based Rating to the Control System
Risk Based Rating

1. Finding / Observation
2. Risk Scenario Generation: a breach of a key control, classified under the 8 types of risk (if it is operational risk, refer to the Loss Event type classification (Basel))
3. Impact: L2, L1, M, H1, H2; Likelihood: L2, L1, M, H1, H2
4. Control Risk Ranking & Score: Extreme, High, Moderate, Low; Score: 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20, 25
5. Risk Control Rating: Very strong, strong, acceptable, weak, very weak; Rating: 1-10
Loss Event type classification (part 1)

Event Type | Categories | Activity Examples
Internal Fraud | Unauthorized activity | Transaction not reported; transaction type unauthorized; mismarking of position
Internal Fraud | Theft & Fraud | Fraud/credit fraud/worthless deposits; theft/extortion/embezzlement/robbery; misappropriation of assets; malicious destruction of assets; forgery; check kiting; smuggling; bribes/kickbacks, etc
External Fraud | Theft and Fraud | Theft/robbery; forgery; check kiting
External Fraud | Systems Security | Hacking damage; theft of information
Employment Practices and workplace safety | Employee Relations | Compensation, benefit, termination issues; organized labour activity
Employment Practices and workplace safety | Safe Environment | General liability; employee health & safety rule events; workers compensation
Employment Practices and workplace safety | Diversity & discrimination | All discrimination types
Clients, Products & Business Practices | Suitability, Disclosure & Fiduciary | Fiduciary breaches/guidelines violations; suitability/disclosure issues (KYC etc); retail consumer disclosure violations; breach of privacy, aggressive sales, lender liability, etc
Clients, Products & Business Practices | Improper Business or Market Practices | Antitrust, improper trade/market practices; market manipulation, insider trading, etc
Clients, Products & Business Practices | Product Flaws | Product defects; model errors
Clients, Products & Business Practices | Selection, Sponsorship & Exposure | Failure to investigate client per guidelines; exceeding client exposure limits
Clients, Products & Business Practices | Advisory activities | Disputes over performance of advisory activities
Loss Event type classification (part 2)

Event Type | Categories | Activity Examples
Damage to Physical assets | Disasters and other events | Natural disaster losses; human losses from external sources (terrorism, vandalism)
Business Disruption and system failures | Systems | Hardware; software; telecommunications; utility outage/disruptions
Execution, Delivery & process management | Transaction Capture, Execution & Maintenance | Miscommunication; data entry, maintenance or loading error; missed deadline or responsibility; collateral management failure; etc
Execution, Delivery & process management | Monitoring & reporting | Failed mandatory reporting obligation; inaccurate external report (loss incurred)
Execution, Delivery & process management | Customer Intake and Documentation | Client permissions/disclaimers missing; legal documents missing / incomplete
Execution, Delivery & process management | Customer/Client Account management | Unapproved access given to accounts; incorrect client records (loss incurred); negligent loss or damage of client assets
Execution, Delivery & process management | Trade Counterparties | Non-client counterparty misperformance; misc. non-client counterparty disputes
Execution, Delivery & process management | Vendors & Suppliers | Outsourcing; vendor disputes
Example of Scenario Generation
Case: Consumer loan processing

Observation
- The weakest step in the processing flow is registration of collateral, because it has no system support and no standardized documents
- There has been one error recorded (but no financial loss) in the last 5 years
- Operation volume is approximately 5,000 new loans/year with an average amount of Rp1 billion

Generated Scenario
- Risk Factor: Processing Risk
- Loss Event: Transaction capture, Execution & maintenance
- Description of scenario: Due to insufficient system support and complicated documents, a staff member forgets to register the collateral of a loan. As a result, the bank cannot recover the loan from the collateral
- Loss Severity: Rp3 billion (considering the analysis of the loan amount distribution)
- Loss Frequency: once in 5 years (considering the analysis of historical loss frequency)

Scenarios are generated based on the result of the qualitative assessment. Factors such as the identified control weakness, internal loss experience, business environment, and relevant industry loss experiences are taken into consideration in generating the scenario.
Generated Scenario

Mapping to the Control Risk Ranking & Score Matrix
- Impact: Moderate (M)
- Likelihood: Unlikely (L1)
- Score 6 = MODERATE

Mapping to the Table of Risk Control Rating
- Moderate Impact & Low 1 Likelihood (score = 6)
- Risk Control rating for the process is 5 = ACCEPTABLE
CONTROL RISK RANKING & SCORE

Rows: Likelihood. Columns: Impact. Each cell gives the ranking and the score.

Likelihood \ Impact | Low (L2) | Minor (L1) | Moderate (M) | Major (H1) | Critical (H2)
Rare (L2) | Low 1 | Low 2 | Moderate 3 | High 4 | High 5
Unlikely (L1) | Low 2 | Low 4 | Moderate 6 | High 8 | Extreme 10
Possible (M) | Low 3 | Moderate 6 | High 9 | Extreme 12 | Extreme 15
Likely (H1) | Moderate 4 | High 8 | High 12 | Extreme 16 | Extreme 20
Almost Certain (H2) | Moderate 5 | High 10 | Extreme 15 | Extreme 20 | Extreme 25
RISK CONTROL RATING

Ranking | Score | Impact | Likelihood | Control Risk Rating | Risk Control System (RCS)
Low | 1 | L2 | L2 | 1 | Very Strong
Low | 2 | L2 | L1 | 1 | Very Strong
Low | 2 | L1 | L2 | 1 | Very Strong
Low | 3 | L2 | M | 2 | Strong
Low | 4 | L1 | L1 | 2 | Strong
Moderate | 3 | M | L2 | 3 | Acceptable
Moderate | 4 | L2 | H1 | 3 | Acceptable
Moderate | 5 | L2 | H2 | 4 | Acceptable
Moderate | 6 | L1 | M | 5 | Acceptable
Moderate | 6 | M | L1 | 5 | Acceptable
High | 4 | H1 | L2 | 6 | Weak
High | 5 | H2 | L2 | 6 | Weak
High | 8 | H1 | L1 | 7 | Weak
High | 8 | L1 | H1 | 7 | Weak
High | 9 | M | M | 8 | Weak
High | 10 | L1 | H2 | 9 | Weak
High | 12 | M | H1 | 9 | Weak
Extreme | 10 | H2 | L1 | 10 | Very Weak
Extreme | 12 | H1 | M | 10 | Very Weak
Extreme | 15 | M | H2 | 10 | Very Weak
Extreme | 15 | H2 | M | 10 | Very Weak
Extreme | 16 | H1 | H1 | 10 | Very Weak
Extreme | 20 | H1 | H2 | 10 | Very Weak
Extreme | 20 | H2 | H1 | 10 | Very Weak
Extreme | 25 | H2 | H2 | 10 | Very Weak

Impact and Likelihood levels: L2 = Low 2, L1 = Low 1, M = Moderate, H1 = High 1, H2 = High 2. The Control Risk axis runs from Extreme (rating 10) down to Low (rating 1); the Control Effectiveness axis runs from Very Weak to Very Strong.
RISK CONTROL RATING
Example: Consumer Loan

Columns: Description | Risk Control Rating | ratings by risk type (Credit, Market, Liquidity, Operation, Legal, Reputation, Strategic, Compliance); only the risk types rated on the original slide are shown.

Control Environment | 2 | Strong Strong Strong Strong
Risk Assessment | 5 | Acceptable Acceptable Strong
Control Activities | 6 | Acceptable Acceptable Acceptable
Information & Communication | 5 | Acceptable Strong Acceptable
Monitoring | 2 | Strong Strong
Risk Control System | 4 | Acceptable
RISK PROFILE
Example: Consumer Loan

Description | Composite | Credit | Market | Liquidity | Operation | Legal | Reputation | Strategic | Compliance
INHERENT RISK | Moderate | Moderate | n/a | n/a | Moderate | Low | Low | Low | Low
RISK CONTROL SYSTEM | Acceptable | Acceptable | n/a | n/a | Acceptable | Strong | Strong | Strong | Acceptable
RESIDUAL RISK | Moderate | Moderate | n/a | n/a | Moderate | Low | Low | Low | Low
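As an added example that is not part of the presentation, the following Python transcribes the Risk Profile Matrix, the Control Risk Ranking & Score matrix and the Risk Control Rating table into lookups and runs the consumer loan case through them: impact M and likelihood L1 give score 6, ranking Moderate and rating 5 = Acceptable; the component ratings 2, 5, 6, 5, 2 roll up to 4; and inherent risk combined with the risk control system gives the residual risk per risk type. The only rule the slides do not state is how component ratings roll up, so the rounded mean in aggregate_rcs is an assumption (it reproduces the slide's 4). The example goes slightly beyond the slides in check_tables, which verifies that every score in the matrix is impact times likelihood and that each ranking band corresponds to exactly one RCS band.

```python
"""Micro risk assessment helpers: scenario scoring, control risk rating and the
risk profile matrix (inherent business risk x risk control system).

Added example, not code from the presentation. The lookup tables are
transcribed from the slides; the roll-up rule in aggregate_rcs() is an
assumption.
"""
from statistics import mean

# Five-point scale shared by the Impact and Likelihood axes.
LEVELS = {"L2": 1, "L1": 2, "M": 3, "H1": 4, "H2": 5}

# (impact, likelihood) -> (ranking, control risk rating 1-10), from the Risk
# Control Rating table. The score in that table is always impact x likelihood.
RATING_TABLE = {
    ("L2", "L2"): ("Low", 1), ("L2", "L1"): ("Low", 1), ("L1", "L2"): ("Low", 1),
    ("L2", "M"): ("Low", 2), ("L1", "L1"): ("Low", 2),
    ("M", "L2"): ("Moderate", 3), ("L2", "H1"): ("Moderate", 3),
    ("L2", "H2"): ("Moderate", 4),
    ("L1", "M"): ("Moderate", 5), ("M", "L1"): ("Moderate", 5),
    ("H1", "L2"): ("High", 6), ("H2", "L2"): ("High", 6),
    ("H1", "L1"): ("High", 7), ("L1", "H1"): ("High", 7),
    ("M", "M"): ("High", 8),
    ("L1", "H2"): ("High", 9), ("M", "H1"): ("High", 9),
    ("H2", "L1"): ("Extreme", 10), ("H1", "M"): ("Extreme", 10),
    ("M", "H2"): ("Extreme", 10), ("H2", "M"): ("Extreme", 10),
    ("H1", "H1"): ("Extreme", 10), ("H1", "H2"): ("Extreme", 10),
    ("H2", "H1"): ("Extreme", 10), ("H2", "H2"): ("Extreme", 10),
}

# (inherent business risk, risk control system) -> (aggregate risk, audit focus),
# from the Risk Profile Matrix.
PROFILE_MATRIX = {
    ("Low", "Weak"): ("Low to moderate", "Limited review"),
    ("Low", "Acceptable"): ("Low", "No review required"),
    ("Low", "Strong"): ("Low", "No review required"),
    ("Moderate", "Weak"): ("Moderate to high", "Full scope review required"),
    ("Moderate", "Acceptable"): ("Moderate", "Limited review"),
    ("Moderate", "Strong"): ("Low to moderate", "Limited review"),
    ("High", "Weak"): ("High", "Full scope review required"),
    ("High", "Acceptable"): ("High", "Limited review"),
    ("High", "Strong"): ("Moderate to high", "Limited review"),
}


def rcs_label(rating):
    """Risk Control System wording for a 1-10 control risk rating."""
    if rating == 1:
        return "Very Strong"
    if rating == 2:
        return "Strong"
    if rating <= 5:
        return "Acceptable"
    if rating <= 9:
        return "Weak"
    return "Very Weak"


def rate_scenario(impact, likelihood):
    """Steps 3-5 of the rating flow for one generated scenario."""
    ranking, rating = RATING_TABLE[(impact, likelihood)]
    return {"score": LEVELS[impact] * LEVELS[likelihood], "ranking": ranking,
            "rating": rating, "rcs": rcs_label(rating)}


def aggregate_rcs(component_ratings):
    """Roll the component ratings (control environment, risk assessment, ...)
    up into one Risk Control System rating. ASSUMPTION: rounded arithmetic
    mean; the slide shows inputs 2, 5, 6, 5, 2 and result 4, not the rule."""
    rating = round(mean(component_ratings))
    return rating, rcs_label(rating)


def residual_risk(inherent, control):
    """Risk Profile Matrix lookup; 'n/a' (risk type not applicable) passes through."""
    if inherent == "n/a" or control == "n/a":
        return "n/a", "Not applicable"
    return PROFILE_MATRIX[(inherent, control)]


def profile_activity(inherent_by_type, rcs_by_type):
    """Residual risk per risk type for one activity, as on the risk profile slide."""
    return {t: residual_risk(inherent_by_type[t], rcs_by_type[t])[0]
            for t in inherent_by_type}


def check_tables():
    """Sanity check on the transcribed tables: all 25 impact x likelihood cells
    present, scores are exactly the slide's list, and each ranking band maps
    onto one RCS band (Low: Very Strong/Strong, Moderate: Acceptable,
    High: Weak, Extreme: Very Weak)."""
    cells = {(i, l) for i in LEVELS for l in LEVELS}
    if set(RATING_TABLE) != cells:
        return False
    if {rate_scenario(i, l)["score"] for i, l in cells} != {1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20, 25}:
        return False
    rank_of_rcs = {"Very Strong": "Low", "Strong": "Low", "Acceptable": "Moderate",
                   "Weak": "High", "Very Weak": "Extreme"}
    return all(rank_of_rcs[rcs_label(r)] == rk for rk, r in RATING_TABLE.values())


if __name__ == "__main__":
    # Consumer loan case: Moderate impact, Unlikely (L1) likelihood.
    print(rate_scenario("M", "L1"))        # score 6, Moderate, rating 5, Acceptable
    print(aggregate_rcs([2, 5, 6, 5, 2]))  # (4, 'Acceptable')
    inherent = {"Credit": "Moderate", "Market": "n/a", "Operation": "Moderate", "Legal": "Low"}
    rcs = {"Credit": "Acceptable", "Market": "n/a", "Operation": "Acceptable", "Legal": "Strong"}
    print(profile_activity(inherent, rcs))  # Credit Moderate, Market n/a, Operation Moderate, Legal Low
    print("tables consistent:", check_tables())
```

Keeping the rating as a lookup keyed on both axes rather than on the score alone matters: the tables are not monotonic in the score (a score of 5 from Low 2 impact and High 2 likelihood rates 4 = Acceptable, while a score of 4 from High 1 impact and Low 2 likelihood rates 6 = Weak), so a shortcut that derives the rating from the product would silently change the bank's methodology.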