
April 2018

Fundamentals of Finance and Accounting
Risk Based Internal Auditing in Banks

A REPORT ON
RISK BASED INTERNAL AUDITING IN BANKS

IN PARTIAL FULFILMENT OF THE COURSE
FUNDAMENTALS OF FINANCE AND ACCOUNTING (ECON F212)

PREPARED FOR DR DEBASIS PATNAIK AND PROF. SARIPALLI VENKATA RAMAN

BY

PARSHVA KOTHARI 2015A3PS0214G

ANAY JOSHI 2015A3PS0277G

AKSHAT SHAH 2015A3PS0235G

MANDEEP SINGH 2015A3PS0260G

AKSHAT BUDANIA 2015A8PS0441G

Fundamentals of Finance and Accounting Report
Table of Contents
Acknowledgements
Abstract
Introduction
Literature Reviews
  Internal Audit and Its Approach to the Risk Mitigation
  Improving the Efficiency and Effectiveness of Risk-Based Internal Audit Engagements
  Risk Based Internal Audit: Perspectives Offered to Corporations and Banks
  Audit and Fraud: Evidence from Bank Failures
  Internal Audit Approach in Banks
  Internal Audit Methodology- Improve Internal Audit Methodology in the Case Company
  The Critical Role of Internal Audit in Addressing Bank Fraud: A Conceptual Framework and Critical Review of the Literature with Future Extensions
  The Adoption of Risk Based Internal Auditing in Developing Countries: The Case of Ghanaian Companies
  Basel III implementation: Issues and challenges for Indian banks
  Basel I, Basel II, and Emerging Markets: A Nontechnical Analysis
  Basel III Accord: Where Do We Go From Here?
  The Regulation of Credit, Market and Operational Risk Management Under the Basel Accords
Scams and Frauds
  Overview
  Case Example: The Nirav Modi Scam
    How the fraud was detected
    Offsetting the payment
    Past Lapses
    Implications and Learning Points
The Basel Accords
  Basel I
  Basel II
  Basel III
Risk Based Internal Auditing Methodology
  Need for Risk Based Auditing
  Risk Based Internal Auditing Process
  Operational Risk and its Assessment
  Parameters to be included in risk assessment
  Audit Plan
  Evaluation of the potential harm that a risk possesses
  Mathematical Assessment of the Risk of an Auditable Unit
  Grading the Auditable Area via the Measured Risks
  Sources of Information to be looked into for Auditing
  The Three Steps for the Practical Implementation of the Risk Based Auditing Process
    Step 1: Assessing Risk Maturity
    Step 2: Developing a general strategy of internal audit and the audit plan
    Step 3: The Individual Assurance Audit
  Evaluation of Performance
  Continuous Auditing
  Concluding Remarks
Importance and Advantages of Risk Based Internal Auditing
  Importance of Risk Based Internal Auditing
  Advantages of Risk Based Internal Auditing
Limitations of Risk Based Internal Auditing
Conclusion
References

Acknowledgements

We would like to thank everyone involved in the project, especially our professors Dr
Debasis Patnaik, the Instructor in Charge, and Prof. Saripalli Venkata Raman, the Instructor
of the course ‘Fundamentals of Finance and Accounting’. They have continuously guided us
throughout the semester and taught us the concepts we needed to make this report.
Because of this report, we learned a lot of things which we wouldn’t have ordinarily learnt.

All the graphs present in this report have been independently plotted by us; the source from
where the data to plot the graph and tables was obtained has been mentioned next to the
graph. As the authors of this report, we undertake that this report is original to the best of
our knowledge.

Abstract

This report is a comprehensive analysis of Risk Based Internal Auditing in Banks. Risk Based
Internal Auditing (RBIA) is the methodology which provides an independent and objective
opinion to an organization’s management as to whether its risks are being managed to acceptable
levels. While dealing with banks in particular, we realized that the need for RBIA in banks is
much higher as compared to other organizations simply because of the nature of the
business that the banks undertake. The report has been presented in a structured manner
wherein firstly, we introduce the concept of RBIA to the readers following which we proceed
to underline the importance of RBIA by highlighting the scams and frauds in banks which
could’ve been avoided had proper RBIA measures been employed. The body of the report
focuses on the RBIA methodology followed by banks along with the Basel Accords which
provide guidelines for the banks to follow. The report is closed out with a brief look at the
advantages and importance of RBIA along with the limitations involved in the same. This
report has enabled us to understand the necessity of RBIA in banks and how it can be
further improved in order to make the functioning of banks more efficient.

Key Words: Risk, Audit, Bank, Basel Accords, Profitability, Assessment

Introduction

Risk based internal auditing (RBIA) is the methodology which provides an independent and
objective opinion to an organization's management as to whether its risks are being
managed to acceptable levels.

The Board of Directors of the Institute of Internal Auditors in June 1999 described internal
audit as: “Internal audit is an independent, material and consultancy activity, which adds
value and improves the functioning of an organisation. It helps the organisation achieve its
aims by means of a systematic, disciplined approach to evaluating and improving the
effectiveness of risk management, control and the management process.”

Risk Based Internal Audit has been prescribed by the Reserve Bank of India for implementation
by banks. Under RBIA, banks have shifted focus from the prevailing system of full-scale
transaction testing to risk identification, prioritization of audit areas and allocation of audit
resources in accordance with the risk assessment. Banks have, therefore, developed a
well-defined policy, duly approved by the Board, for undertaking risk-based internal audit (RBIA).
The policy includes the risk assessment methodology for identifying the risk areas based on
which the audit plans are being formulated. The policy should also lay down the maximum
time period beyond which even the low-risk business activities/BUs would not remain
unaudited.

The Risk-Based Internal Audit, inter-alia, undertakes risk assessment for the purpose of
formulating the risk-based audit plan. The risk assessment would, as an independent
activity, cover risks at various levels as also the processes in place to identify, measure,
monitor, control and investigate the risks.

Objective of RBIA:

The objective of RBIA is to provide independent assurance to the Bank’s Board that:

• The risk management processes which management has put in place within the Bank
(covering all risk management processes at branches and other offices etc.) are
operating as intended.

• These risk management processes are of sound design.

• The responses which management has made to risks which they wish to treat are
both adequate and effective in reducing those risks to a level acceptable to the
Board.

• A sound framework of controls is in place to sufficiently mitigate those risks which
management wishes to treat.
Thus the aims of RBIA are:

a) An aid to necessary checks and balances in the system.

b) Timely identification of potential risk concerns.

c) Tool for effective risk management.

d) Facilitate improvement in quality and content of procedures and MIS.

Internal audit has several aims and principles which it is necessary to adhere to. It is the
board of directors of the bank, however, which bears final responsibility that the bank’s
management applies an appropriate and effective system of internal control, a system of
evaluating banking activity risk and risks concerning bank capital, appropriate methods of
monitoring compliance with laws, measures and internal procedures. Likewise, the bank's
management is responsible for drawing up procedures which identify, measure, monitor
and control the risks that the bank faces. The management must ensure an organisational
structure that clearly defines powers and responsibility. It is responsible for risk
management, proposing suitable internal control mechanisms and monitoring their
adequacy and efficiency. Internal audit is a part of the repetitive monitoring of the internal
control systems of the bank and its procedures for evaluating internal capital. As such, it
assists management and the board of directors in the effective performance of their
responsibility as outlined above.

Literature Reviews

Internal Audit and Its Approach to the Risk Mitigation

Benes, Vadim

2011

Benes, Vadim (2010) in “Internal Audit and Its Approach to the Risk Mitigation” analyzes
the modern role of internal audit in corporate (mainly banking) structures and gives
special attention to the methodology used. It also tries to bring new insight into
risk-based auditing by implementing principles of continuous auditing into the risk-based
framework. It describes the changes in the social role of auditing over the years and
emphasizes internal audit’s risk management function, rather than just its control function.
Attention is given to the methodology used, especially to the currently most widespread
risk-based auditing approach. One of the most recent approaches to auditing, so-called
continuous auditing, is also briefly described, and the possibilities of its implementation into the
risk-based framework are outlined. The monitoring net consisting of management
reporting, continuous auditing and RBA, as presented here, represents one of the most
suitable approaches for the future of auditing and risk management.

Improving the Efficiency and Effectiveness of Risk-Based Internal Audit Engagements

Philna Coetzee and Dave Lubbe

2014

Coetzee, P. and Lubbe, D. (2004) in “Improving the Efficiency and Effectiveness of Risk-Based
Internal Audit Engagements” discuss that the role of internal auditing in assisting
with the mitigation of key risks threatening organisations has increased in ensuring that
engagements are performed more effectively and efficiently, and that all the key risks of
organisations are addressed, but has also ensured that scarce internal audit resources are
used optimally. This article describes the development of a model that can be used by
internal auditors to perform this task. The model was developed from a study of the
academic literature, current business practice norms, and other documentation whereafter
it was tested in a practical scenario, and input from heads of internal audit departments in
prominent South African organisations was obtained. The findings of the study, inter alia,

support the use of the model. However, a concern is that the risk management strategy
currently implemented by organisations is not mature enough for internal auditing to rely
on the outcome of the risk management process, a prerequisite for the model to function
optimally. A second concern is that internal auditing is reluctant to use a pure risk-based
approach when performing audit engagements and still prefers to use a control-based
approach with more emphasis placed on high risk areas.

Risk Based Internal Audit: Perspectives Offered to Corporations and Banks

Tatiana Danescu, Anca Oltean, Raluca Sandru

2010

Danescu, T., Oltean, A. and Sandru, R. (2010) in “Risk Based Internal Audit: Perspectives
Offered to Corporations and Banks” state that internal audit aims at providing an
independent opinion about whether the objectives of an institution are achieved and, if
not, at defining the circumstances that hinder their accomplishment. In the context of value
addition to the organization, there is increasing pressure to address exposure to risks;
regulatory requirements for risk assessment and quantification play a great role in this
sense. The shift from a traditional approach to internal audit is required by current trends in
corporate governance and risk management. In this paper they propose a procedural
guidance framework on how to address problems regarding operational risk internal
auditing by stressing particularities of banking organizations working on Romanian territory.
Their conclusions draw attention to the fact that, acknowledging the regulation efforts
undertaken by the supervision authority for efficient risk management, a risk based internal
audit can be implemented having in mind the advantages that this form of audit involves.

Audit and Fraud: Evidence from Bank Failures

Lucy Chernykh

2016

Chernykh, L. (2016) in “Audit and Fraud: Evidence from Bank Failures” explores the external
audit function’s ability to limit fraud-related bank failures in an opaque banking sector. The study
exploits extremely high bank failure rates in the Russian banking sector during the most
recent post-crisis period, including bank failures due to accounting and criminal fraud
related cases, to establish two sets of results. On the bright side, it is found that higher audit
quality is associated with lower likelihood of bank failures that are accompanied with
accounting misreporting claims. On the dark side, it is found that more subtle and more
severe cases of fraud in failed banks, including concealing the true eroded value of risky
assets’ portfolios and engagement in criminal activities, remain largely undetected by
external auditing firms. The study also finds that “honest” bank failures, i.e. bank failures
for purely financial reasons, are unrelated to audit characteristics. Collectively, the evidence
suggests that although bank audit is a valuable tool in resolving asymmetric information in
an opaque banking industry, it cannot substitute for the thorough regulatory examination of
problem banks.

Internal Audit Approach in Banks

Victoria Stanciu

2008

Stanciu, V. (2008) in “Internal Audit Approach in Banks” explains that the Romanian banking
system has seen significant changes in recent years, determined by the implementation of
Basel II requirements and governance principles on one hand and assimilation of the EU
Directives for the banking sector on the other hand. The function of internal audit is new in
the Romanian banks, being implemented as a result of the new regulation established by
the Romanian National Bank in the effort to align the Romanian banking legislation to the
international regulations and practice in the field. In the dynamic banking environment,
internal audit has to define and strengthen its statute and role. We can say that in the new
context (regulatory environment for the banking system and professional requirements)
internal audit has become one of the most influential and value-adding functions in the bank. The
paper presents the role of internal audit in the Romanian banks and its major areas
of interest.

Internal Audit Methodology- Improve Internal Audit Methodology in the Case Company

Nguyen Thi Hong Trang

2016

Trang, N. (2016) in “Internal Audit Methodology- Improve Internal Audit Methodology
in the Case Company” states that the purpose of this study was to identify improvement
areas in the internal audit methodology used by the Internal Audit team at the case
company which is the local subsidiary of a global financial group. This study is aimed to
identify root causes for the problem identified by the quality auditors and then suggest
improvements to solve the problem. The qualitative research methodology was utilized in
this study. The author recommends the Internal Audit management apply a risk-based
approach in planning the internal audit jobs through performing a process risk analysis. It is
recommended that the Internal Audit methodology manual expresses and emphasizes more
clearly on the risk-based internal auditing approach and that the strategic objectives,
associated risks and risk responses act as a central point connecting documents created
throughout an audit cycle. It is also recommended that the Internal Audit methodology
manual underline requirements and/or criteria on traceability among audit documents as
well as provide specific instructions on how audit documents should be documented to
ensure a positive link among them.

The Critical Role of Internal Audit in Addressing Bank Fraud: A Conceptual Framework and
Critical Review of the Literature with Future Extensions

Georgios Vousinas

2015

Vousinas, G. (2015) in “The Critical Role of Internal Audit in Addressing Bank Fraud: A
Conceptual Framework and Critical Review of the Literature with Future Extensions”
stresses that the recent global financial recession highlighted the critical role that the
banking system plays in the modern economy. Banks are complex financial institutions that
operate in a constantly changing business environment and deal with high levels of risk,
while facing fraudulent actions on a regular basis. In order to address these problems, banks
engage in various internal audit techniques such as the implementation of controls and
prevention tools, the usage of anti-fraud methods and data mining. The paper aims to
redefine the contribution of internal audit in the banking system by highlighting its crucial
role in addressing bank fraud. This is achieved by initially proposing a new conceptual
framework and then by providing a thorough critical review of both theoretical and
empirical literature which helps in determining the value of internal auditing. The results
confirm the fact that internal audit can play a major role in risk assurance and bank fraud
management, thus ensuring their normal and uninterrupted operation. The paper also
provides some useful insights for future application of internal audit methods in the banking
sector, thus laying the ground for a fruitful dialogue among the various stakeholders.

The Adoption of Risk Based Internal Auditing in Developing
Countries: The Case of Ghanaian Companies

Philip Ayagre

2014

Ayagre, P. (2014) in “The Adoption of Risk Based Internal Auditing in Developing Countries:
The Case of Ghanaian Companies” investigated the adoption of Risk Based Internal Audit in
Ghana and the factors that influence the adoption or non-adoption of Risk Based Internal Audit
amongst Ghanaian companies. The involvement of internal auditors in risk assessment was
also assessed in the context of Enterprise Risk Management. The study employed Pearson’s
chi-square test of independence model at a p-value of 0.05. It was observed that the risk based
approach to internal auditing is widely used amongst Ghana’s Club 100 companies,
especially amongst financial, telecommunications, and manufacturing companies. The
study also found that there is high involvement of IA in risk management, which
translated to the use of risk based approaches in planning annual audits. Regulation, the
study observed, is not a driver of adoption of RBIA in Ghana. The main factor that motivated
the adoption of RBIA was that RBIA helped these organizations to focus on high-risk priority
areas.

Basel III implementation: Issues and challenges for Indian banks

M. Jayadev

2013

Jayadev, M. (2013) in “Basel III implementation: Issues and challenges for Indian banks”
explains that the Basel III framework, whose main thrust has been enhancing the banking
sector’s safety and stability, emphasises the need to improve the quality and quantity of
capital components, leverage ratio, liquidity standards, and enhanced disclosures. This
article first lays the context of Basel III and then incorporates the views of senior executives
of Indian banks and risk management experts on addressing the challenges of implementing
the Basel III framework, especially in areas such as augmentation of capital resources,
growth versus financial stability, challenges for enhanced profitability, deposit pricing, cost
of credit, maintenance of liquidity standards, and strengthening of risk architecture.

Basel I, Basel II, and Emerging Markets: A Nontechnical Analysis

Bryan J. Balin

2009

Balin, B.(2009) in “Basel I, Basel II, and Emerging Markets: A Nontechnical Analysis”
emphasizes that the Basel Accords, while extremely influential, are oftentimes too detailed
and technical to be easily accessible to the nontechnical policymaker or interested scholar.
This paper looks to fill that gap by detailing the origin, regulation, implementation, criticism,
and results of both Basel I and Basel II. Findings of note include (1) the limited scope and
general language of Basel I gives banks excessive leeway in their interpretation of its rules,
and, in the end, allows financial institutions to take improper risks and hold unduly low
capital reserves; (2) Basel II seeks to extend the breadth and precision of Basel I, bringing in
factors such as market and operational risk, market-based discipline and surveillance, and
regulatory mandates, but is oftentimes excessively long and complex; (3) both Basel I and II
effectively ignore the implications of their rules on emerging market banks; and that (4)
although each accord states that its positions are not recommended for application in
emerging market economies, the use of Basel I and II by most private and public
organizations as truly international banking standards predicates the inclusion of emerging
markets in each accord.

Basel III Accord: Where Do We Go From Here?

Peter Went

2010

Went, P. (2010) in “Basel III Accord: Where Do We Go From Here?” explains that the Basel
III framework strengthens risk-based capital regulation, regulatory supervision principles
and risk management practices in the banking sector. While maintaining the micro-
prudential regulatory toolkit introduced in the previous Basel Accords that ensure the safe,
sound and prudent operations of banks, Basel III seeks to address the effects of systemic
risks that globally interconnected financial institutes propagate. On the eve of the G-20
meetings in South Korea that are to ratify this new international framework, this note
discusses the implications this new macro-prudential regulatory regime has on the future of
banking, risk management, and risk managers.

The Regulation of Credit, Market and Operational Risk Management
Under the Basel Accords

Sappideen,R.

2004

Sappideen, R. (2004) in “The regulation of credit, market and operational risk management
under the Basel Accords” discusses the evolution of financial regulation under the Basel
Committee on Banking Supervision. It considers the management of banking risk including
credit, market and operational risk. It examines the evolution of the capital adequacy
requirements under the Basel Accord and their impact on bank risk management. It also
reviews the Basel Accord's reliance on market discipline, disclosure and enhanced
transparency as regulatory measures.

Scams and Frauds

Overview

The best way to understand the importance of Risk Based Internal Auditing in Banks is to
understand how the lack of it can result in frauds going unnoticed.

The general definition of Internal Audit is provided by the Institute of Internal Auditors (IIA)
as:

“An independent, objective assurance and consulting activity designed to add value and
improve an organization’s operations. The internal audit activity helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control and governance processes.”

Internal Audit in banks, particularly, is a department, independent of line management,
whose prime responsibility is to review the quality and effectiveness of the controls within
the banks, to manage and mitigate risk and protect the assets.

The Committee’s Principles for Enhancing Corporate Governance require modern banks to
have an internal audit function with sufficient authority, stature, independence, resources
and access to the board of directors. As a result, independent, efficient and qualified
internal auditors are vital in contemporary banking corporate governance. Moreover,
banking supervisory authorities must be satisfied by the effectiveness of a bank's internal
audit function by requiring effective policies and practices to be followed and that
management takes appropriate corrective action in response to internal control weaknesses
identified by internal auditors. An effective internal audit function provides vital assurance
to a bank’s board of directors and senior management (and bank supervisors) as to the
quality of the bank’s internal control system. In doing so, the function helps reduce the risk
of loss and reputational damage to the bank.

Fraud is an aspect of corruption and it occurs in organizations where governance structures
are weak. Fraud encompasses a wide range of illicit practices and illegal acts involving
intentional deception or misrepresentation. From the perspective of the financial industry and
specifically the banking sector, fraud remains a huge issue, especially in these turbulent days,
mainly driven by the recent financial crisis.

Banking fraud is therefore defined as the use of deliberate misrepresentation in order to
fraudulently obtain money, assets or other property owned or held by a financial institution.
Moreover, in criminal law, bank fraud is an intentional deception made for personal gain or
to damage the financial institution. It is distinct from simple bank robbery or theft, because
the perpetrator usually commits the fraud in secret, hoping that it will not be noticed
until he has had ample time to move on. It usually requires some sort of technical expertise
as well. For reasons like this, bank fraud is one of the offenses referred to as white-collar
crime.

As fraud can be perpetrated by any employee within an organization or by those from the
outside, it is important to have an effective fraud management program in place to
safeguard an organization’s assets and reputation. While senior management and the board of
directors are ultimately responsible for a fraud management program, internal audit can be
a key player in helping address bank fraud. By providing an evaluation on the potential for
the occurrence of fraud, internal audit can show an organization how it is prepared for and
is managing these fraud risks. In today’s automated world, many business processes depend
more and more on the use of technology. This allows for people committing fraud to exploit
weaknesses in security, controls or oversight in business applications to perpetrate their
crimes.

However, technology can also be a major factor in combating fraud. Internal audit needs to
view technology as a necessary part of their toolkit that can help prevent and detect fraud.
Leveraging technology to implement continuous fraud prevention programs helps safeguard
organizations from the risk of fraud and reduce the time it takes to uncover fraudulent
activity. This helps both catch it faster and reduce the impact it can have on organizations.

The effects of fraud generally lead to a reduction of the assets and an increase in the
liabilities of any type of company. In banks particularly, this may result in the loss of
potential customers or a crisis of public confidence and trust in banking, and in the long
run end up in another failed-bank situation. An analysis of cases brings out broadly
the following major elements responsible for the commission of frauds in banks.

a. Active involvement of the staff, both supervisory and clerical, either independent of
external elements or in connivance with outsiders

b. Failure on the part of the bank staff to follow meticulously laid down instructions and
guidelines

c. External elements perpetrating fraud on banks by forgeries or manipulations of cheques,
drafts and other instruments.

d. A growing collusion between business, top bank executives, civil servants
and politicians in power to defraud the banks, by getting the rules bent, regulations flouted
and banking norms thrown to the winds.

Beyond financial (monetary) losses, fraud has other negative consequences that affect an
institution's reputation, customer loyalty and shareholder confidence. Moreover, in
the wider picture, the cost of fraud is passed on to the customer. Individuals who fall
victim to fraud can experience mental, psychological, financial, social and physical
damage. The impact of fraud can also be very damaging to corporate victims, where
small and medium-scale businesses are often unable to recover from the financial or
reputational damage caused. A majority of these causes can be countered using effective
Risk Based Internal Audit methods. In light of the most recent bank fraud that rocked the
country, the calls for these measures have grown even louder. Let us take a look at the
same.

Case Example: The Nirav Modi Scam

Amid the blame game between Punjab National Bank and other affected lenders in the Rs
11,400-crore scam, the elaborate web of deception has served to expose the biggest flaws
in the Indian banking system – weak risk management practices and glaring oversight
lapses.

While international banks tightened supervision and corporate governance after the
subprime credit crisis in 2008, most Indian banks appear to have remained laggards.

The Central Bureau of Investigation (CBI) received two complaints from PNB against
billionaire diamantaire Nirav Modi and a jewellery company alleging fraudulent transactions
worth about ₹11,400 crore, the Press Trust of India reported. This is in addition to the ₹280
crore fraud case that he is already under investigation for, again filed by PNB.

How the fraud was detected

According to the complaint filed by PNB with the CBI on January 28, the fraudulent issuance
of Letters of Undertakings (LOU) was detected at the Mid Corporate Branch, Brady House in
Mumbai.

A set of partnership firms -- Diamond R US, Solar Exports and Stellar Diamonds --
approached the bank on January 16 with a set of import documents and requested
Buyer's Credit to make payments to overseas suppliers. The firms have Nirav Modi, his
brother Nishal Modi, Mr. Nirav's wife Ami Nirav Modi, and Mehul Chinubhai Chokshi as
partners.

Buyer's Credit is, typically, a short-term loan facility extended to an importer by a bank to
finance goods and services. It is a common mode of transaction in international trade where
a bank extends credit to the importer and a finance agency based in the exporter's
country guarantees the loan.

As there was no sanctioned limit in the name of the firms, the branch officials requested the
firms to furnish 100% cash margin for issuing the LOU for raising the Buyer's Credit. At this,
the firms contested that they had been availing this facility in the past, but the branch
records did not corroborate this.

On digging further, the bank officials discovered that two of its employees had fraudulently
issued LOUs in the past without following prescribed procedures and approvals. The
employees had then transmitted SWIFT instructions to the overseas branches of Indian
banks for raising Buyer's Credit without making entries in the banking system, to avoid
detection.

The complaint also said that the funds so raised for the payment of the Import Bills have not
been utilised for such purposes in many cases.

As per the FIR, five of the SWIFT messages (SWIFT is a messaging network used by financial
institutions to securely transmit instructions) were issued to Allahabad Bank in Hong Kong
and three to Axis Bank in Hong Kong.

SWIFT, the Society for Worldwide Interbank Financial Telecommunication, is a
system to send instant messages. Once a foreign bank or a foreign branch of a bank gets the
LoU via the SWIFT message, it disburses the loan to the borrower.

Offsetting the payment

When the borrower did not repay the first Rs800 crore, the bank ought to have stepped in
and booked a default by the group company. Instead, the two PNB employees, who were
allegedly party to the fraud, issued more LoUs on behalf of PNB, asking other banks to give
out fresh loans to the firms. This continued until two weeks before the whole operation
came to light after some of Modi’s employees visited the bank on Jan. 05. The management
was caught napping and the overdue loans exceeded Rs11,000 crore.

PNB sources say the bank isn’t fully integrated on a Core Banking System (CBS) which could
have immediately detected the discrepancy. CBS is a back-end system that processes daily
banking transactions, posting updates to accounts and other financial records. It is
centralised software that keeps all records across branches and is capable of generating
alerts over any undue activity. According to sources, PNB’s integration to a CBS was initiated
in 2002. The technology took a decade to become developed. It should have been upgraded
by 2012, but wasn’t. It is getting updated now.

“Public sector banks continue to grapple with weak systems, raising questions on why
the processes are not centralised, unlike most private banks where bypassing CBS is not
easy,” Edelweiss said. It added that “the liability on respective banks depends on the
investigation’s outcome. Even Bank of India, in the third quarter of financial year 2018,
reported stress of Rs 9,400 crore pertaining to stand-by letter of credits discounted by its
overseas branches.”

SWIFT transactions are supposed to be regularly reviewed. PNB sources say there is a
system to check SWIFT transactions daily by the manager and a concurrent auditor within
the branch, a norm that was not followed. “We have an internal rule wherein officials are
rotated within departments, ideally every few months. But the two accused were in the
same role in the same branch for seven years. The moot point is, we are at a loss to find out
now. So many managers changed, so many auditors and inspectors came and went. How did
they bypass everybody?” a PNB official said, requesting anonymity.
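
The daily SWIFT review described above amounts to reconciling every outbound message against the core banking records. The sketch below is an added example, not code from this report or from any bank: the record layouts, field names, finding codes and all sample data are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SwiftMessage:
    """One outbound LoU message from the SWIFT log (assumed layout)."""
    ref: str
    operator: str        # staff ID that released the message
    applicant: str
    receiving_bank: str
    amount: Decimal      # crore rupees


@dataclass(frozen=True)
class CbsEntry:
    """The corresponding entry booked in the CBS (assumed layout)."""
    swift_ref: str
    applicant: str
    amount: Decimal
    sanctioned_limit: Decimal   # 0 means no limit sanctioned
    cash_margin_pct: int


def reconcile(messages, cbs_entries):
    """Return (ref, reason) findings for one day's outbound LoU traffic."""
    by_ref = {e.swift_ref: e for e in cbs_entries}
    findings = []
    for m in messages:
        entry = by_ref.get(m.ref)
        if entry is None:
            # The message left the bank but was never booked: the case
            # the complaint describes (no entries in the banking system).
            findings.append((m.ref, "NO_CBS_ENTRY"))
            continue
        if (entry.applicant, entry.amount) != (m.applicant, m.amount):
            findings.append((m.ref, "CBS_MISMATCH"))
        # Without a sanctioned limit covering the amount, the branch
        # asked for a 100% cash margin before issuing the LoU.
        if entry.sanctioned_limit < m.amount and entry.cash_margin_pct < 100:
            findings.append((m.ref, "NO_LIMIT_NO_MARGIN"))
    return findings


def unbooked_exposure(messages, findings, attr):
    """Total unbooked amount grouped by a message attribute,
    e.g. "operator" or "applicant", to show where it concentrates."""
    unbooked = {ref for ref, reason in findings if reason == "NO_CBS_ENTRY"}
    totals = defaultdict(Decimal)
    for m in messages:
        if m.ref in unbooked:
            totals[getattr(m, attr)] += m.amount
    return dict(totals)


# Constructed sample data: placeholder firms, banks and staff IDs.
SAMPLE_MESSAGES = [
    SwiftMessage("LOU-0001", "OP-17", "FIRM-A", "BANK-X", Decimal("50")),
    SwiftMessage("LOU-0002", "OP-17", "FIRM-A", "BANK-Y", Decimal("120")),
    SwiftMessage("LOU-0003", "OP-22", "FIRM-B", "BANK-X", Decimal("80")),
    SwiftMessage("LOU-0004", "OP-05", "FIRM-C", "BANK-Z", Decimal("30")),
    SwiftMessage("LOU-0005", "OP-05", "FIRM-D", "BANK-Z", Decimal("40")),
]
SAMPLE_CBS = [
    CbsEntry("LOU-0001", "FIRM-A", Decimal("50"), Decimal("200"), 0),
    CbsEntry("LOU-0004", "FIRM-C", Decimal("30"), Decimal("0"), 0),
    CbsEntry("LOU-0005", "FIRM-D", Decimal("25"), Decimal("100"), 0),
]

if __name__ == "__main__":
    results = reconcile(SAMPLE_MESSAGES, SAMPLE_CBS)
    for ref, reason in results:
        print(ref, reason)
    print(unbooked_exposure(SAMPLE_MESSAGES, results, "operator"))
```

Grouping the unbooked amounts by operator is what turns a list of exceptions into an audit lead: the same few staff IDs recurring day after day is the pattern a concurrent auditor would escalate.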

A number of Indian banks faced massive losses due to unpaid loans from Winsome Diamonds,
which defaulted for the first time in 2013. The loans given to Winsome, and its associate
entity Forever Diamonds, were through a similar SWIFT route. However, both Winsome and
Forever failed to repay, citing default by customers. The Serious Fraud Investigation Office is
probing the case.

Past Lapses

It is not as if the bank’s audit committee was not aware of how weak its audit and fraud
detection systems are. An official of another public sector bank pointed to a filing to the
Bombay Stock Exchange in December in which Punjab National Bank admitted to several
lapses. Last September, a Rs 484 crore scam involving foreign exchange transfers by a
Chennai branch through shell companies was detected by CBI. This too involved funnelling
out money using the bank’s Nostro accounts.

In the filing, the Punjab National Bank states: “Regulatory feedback has noted that we have
had many instances of lapses relating to our compliance with know your customer norms,
anti-money laundering laws...failure to update the risk status of customers”.

The report admits that the RBI had earlier stated that the bank has “had no system to
monitor large credits to small accounts and money mules, among other matters”. The RBI
had repeatedly fined the bank for its lapses, the bank management admitted in its filings.

Implications and Learning Points

According to sources, Allahabad Bank has the largest exposure—of over Rs4,000 crore.
Union Bank has anywhere between Rs1,000 crore and Rs2,000 crore, and the State Bank of
India about Rs1,000 crore. Axis Bank has over Rs2,000 crore, though it has already sold off
those loans. Loss of public faith in PNB and other state-owned banks will be the biggest risk.
According to RBI regulations, PNB will have to repay other banks the money owed by the
firms. PNB shareholders may see their wealth eroding further as the Rs11,400 crore liability
is more than a third of the bank’s market value. The pain will only increase if the probe
reveals a bigger scam. This is besides the taxpayer money that will be lost in litigation and
getting Modi and Choksi extradited. The PNB CEO said Modi sent an email seeking time to
repay, and the management, in turn, has sought a detailed repayment plan.

Reports say that RBI has instructed PNB to pay other banks for the loans disbursed to Modi
and Choksi. Other banks will have to set aside money from their profits till the time PNB
coughs up the money, and when it does pay up, PNB’s books will then have to show the
amount as loss.

One of the worrying aspects of the scam is that in its statement, PNB says that based on the
fraudulent transactions, other banks appear to have advanced money to the customers
abroad. It goes on to add that these transactions are contingent in nature and any liability
arising out of these on the bank will have to be decided based on the law and genuineness
of underlying transactions.

However, the ₹11,400 crore scam comes at a time when the Central government is
attempting to provide a breather to ailing PSBs, having announced a ₹2.11 lakh crore capital
infusion to the sector in October 2017.

Part of the blame may lie with the government itself, particularly the finance ministry. One
of its nominees, a senior Indian Administrative Services officer, is a member of the audit
committee of the bank’s board of directors. This committee, a subset of the board, is meant
to supervise audits and ensure that they are conducted with due diligence and that proper
checks are in place to ensure such scams do not go undetected. Documents of the bank
show that the audit committee was well aware of how weak its audit and scrutiny system
was. As recently as September, another branch of the bank had been found embroiled in a
Rs 464-crore scam involving foreign exchange, black money and shell companies.

But, for two years, between 2015 and 2017, the Punjab National Bank did not have an
adequate number of independent board members on the audit committee. These
independent members are individuals who are not employees of the bank and do not have any
stake in its business.
Regulations of the Securities and Exchange Board of India require two-thirds of the
members on the audit committee to be independent to ensure better scrutiny. But the
bank’s statutory auditors, signing off the consecutive annual reports, found that the bank
was in breach of this regulation. Instead of fixing this breach, the bank justified it saying that
it followed instructions and regulations of the Reserve Bank of India in electing the audit
committee members. All the while, the government nominee continued to be a member of
the audit committee.

Bank branches dealing with foreign exchange – such as the Punjab National Bank’s Brady
House branch in South Mumbai from where the scam allegedly took place – must get special
approvals from the RBI.

The level of audits and scrutiny prescribed for branches dealing with foreign exchange is of a
much higher degree than that prescribed for others. The audit committee of the board
oversees a quarterly report particularly on the foreign exchange dealings of such branches.

“Concurrent and other auditors cannot possibly check every transaction at even such a
branch which deals with foreign exchange,” said an auditor. “Therefore, they are required to
look particularly at segments of lending where sudden increases and decreases are being
noticed through the year or year-on-year. In these segments we should be carrying out a
100% audit of all transactions.”

“Customers dealing in gems and jewellery have been treated as a risky segment to lend for
several years now by bankers,” said S Nagarajan, general secretary of the All India Bank
Officers’ Association. “In fact they often complain about how tough it has got to secure low-
interest and easy loans these days. Auditors are required to keep a specific eye out for such
segments. The audit committee of the board should have ideally delved into these
fluctuations and made sure the loans given to them, particularly in foreign exchange, are
specially scrutinised. They cannot escape responsibility.”

As of now, as Reuters opined, the only good that could come out of the affair would be
some fresh consideration of implementing better practices in public sector banking. Thus
we can clearly see that if proper Risk Based Internal Audit measures had been adopted in
PNB, this mega scam could have been nipped in the bud.

The Basel Accords

The Basel Accords are three sets of banking regulations (Basel I, II and III) set by the Basel
Committee on Banking Supervision (BCBS), which provides recommendations on banking
regulations with regard to capital risk, market risk and operational risk. The purpose of the
accords is to ensure that financial institutions have enough capital on account to meet
obligations and absorb unexpected losses.

The BCBS was founded in 1974 as a forum for regular cooperation between its member
countries on banking supervisory matters. The BCBS describes its original aim as the
enhancement of "financial stability by improving supervisory knowhow and the quality of
banking supervision worldwide." Later on, it turned its attention to monitoring and ensuring
the capital adequacy of banks and the banking system causing a deep impact on the banking
sector.

Formerly, the Basel Committee consisted of representatives from central banks and
regulatory authorities of the Group of Ten countries (Belgium, Canada, France, Germany,
Italy, Japan, the Netherlands, Sweden, Switzerland, the United Kingdom and the United
States of America) plus Luxembourg and Spain. Since 2009, all of the other G-20 major
economies are represented, as well as some other major banking locales such as Hong
Kong and Singapore.

The committee does not have the authority to enforce recommendations, although most
member countries as well as some other countries tend to implement the Committee's
policies. This means that recommendations are enforced through national (or EU-wide) laws
and regulations, rather than as a result of the committee's recommendations - thus some
time may pass between recommendations and implementation as law at the national level.

Basel I

The first Basel Accord, known as Basel I, was issued in 1988 and focuses on the capital
adequacy of financial institutions. The capital adequacy risk (the risk that a financial
institution will be hurt by an unexpected loss), categorizes the assets of financial institutions
into five risk categories (0%, 10%, 20%, 50% and 100%). Under Basel I, banks that operate
internationally are required to have a risk weight of 8% or less.

Basel II

The second Basel Accord, called Revised Capital Framework but better known as Basel II,
served as an update of the original accord. It focuses on three main areas: minimum capital
requirements, supervisory review of an institution's capital adequacy and internal
assessment process, and effective use of disclosure as a lever to strengthen market
discipline and encourage sound banking practices including supervisory review. Together,
these areas of focus are known as the three pillars.

Basel III

Basel III is an international regulatory accord that introduced a set of reforms designed to
improve the regulation, supervision and risk management within the banking sector. The
Basel Committee on Banking Supervision published the first version of Basel III in late 2009,
giving banks approximately three years to satisfy all requirements. Largely in response to
the credit crisis, banks are required to maintain proper leverage ratios and meet certain
minimum requirements of capital required to be maintained in the banks.

Basel III is part of the continuous effort to enhance the banking regulatory framework. It
builds on the Basel I and Basel II documents, and seeks to improve the banking sector's
ability to deal with financial stress, improve risk management, and strengthen the
banks' transparency. A focus of Basel III is to foster greater resilience at the individual bank
level in order to reduce the risk of system-wide shocks.

Basel III introduced tighter capital requirements in comparison to Basel I and Basel II. Banks'
regulatory capital is divided into Tier 1 and Tier 2, while Tier 1 is subdivided into Common
Equity Tier 1 and additional Tier 1 capital. The distinction is important because security
instruments included in Tier 1 capital have the highest level of subordination. Common
Equity Tier 1 capital includes equity instruments that have discretionary dividends and no
maturity, while additional Tier 1 capital comprises securities that are subordinated to most
subordinated debt, have no maturity, and their dividends can be cancelled at any time. Tier
2 capital consists of unsecured subordinated debt with an original maturity of at least five
years.

Basel III left the guidelines for risk-weighted assets largely unchanged from Basel II. Risk-
weighted assets represent a bank's assets weighted by coefficients of risk set forth by Basel
III. The higher the credit risk of an asset, the higher its risk weight. Basel III uses credit
ratings of certain assets to establish their risk coefficients.
In comparison to Basel II, Basel III strengthened regulatory capital ratios, which are
computed as a percent of risk-weighted assets. In particular, Basel III increased minimum
Common Equity Tier 1 capital from 4% to 4.5%, and minimum Tier 1 capital from 4% to 6%.
The overall regulatory capital was left unchanged at 8%.

Basel III introduced new requirements with respect to regulatory capital for large banks to
cushion against cyclical changes on their balance sheets. During credit expansion, banks
have to set aside additional capital, while during the credit contraction, capital requirements
can be loosened. The new guidelines also introduced the bucketing method, in which banks
are grouped according to their size, complexity and importance to the overall economy.
Systemically important banks are subject to higher capital requirements.

Additionally, Basel III introduced leverage and liquidity requirements to safeguard against
excessive borrowings and ensure that banks have sufficient liquidity during financial stress.
In particular, the leverage ratio, computed as Tier 1 capital divided by the total of on and
off-balance assets less intangible assets, was capped at 3%.

Most people forget that whilst the amount of capital and the quality of capital are
important, Basel III is not about managing by numbers. It is about improving banks’ risk
management and about making personnel around risk takers such as risk managers,
auditors, and bank regulators proactive in identifying weaknesses with controls, model use,
and capital calculations. Basel III, as was Basel II, is about giving banks guidance on how they
can improve their corporate governance. Also, Basel III is very much about the type of
detailed, material information that should be regularly and uniformly disclosed that is useful
to all types of market participants, such as investors, rating agencies, regulators, financial
journalists, and even individuals at the retail level. As part of preparing to have meaningful
transparency, risk managers and auditors need to understand how their banks’ data
collection and verification function, how the data are used in models, who interprets and
uses the results, who designs, backs and stress-tests the models, and whether the results
are actually used for risk management purposes such as setting limits, improving pricing,
diversifying a portfolio, or to allocate regulatory or economic capital. In my experience as a
financial consultant and trainer, I have noticed globally time and again that numerous
auditors all too often are given more work than they can handle, are not trained to
understand the groups or products that they have to audit, are not given the proper respect
and authority that they need, and of course, they are not remunerated anywhere near what
the risk takers are. In the typical environment that auditors worked in, they are not
empowered nor is it easy for them to question data, models, and their use. Yet, whatever
analysis and reports auditors produce, both risk managers and bank supervisors will look to
that information as a first port of call.

While US banks are still working on implementing Basel II, it is essential that auditors
take stock of their in-house knowledge of Basel II and III. Heads of auditing teams need to
identify what parts of Basel their teams will be auditing, whether they need to focus on
domestic Basel rules or will they also audit functions in other countries where some Basel
rules might differ, and whether they have sufficient personnel and other resources to
conduct Basel audits successfully. Moreover, auditors need to conduct a gap study to
identify what concepts need to be learned or strengthened. Some useful questions, and by
no means a finite list, to include in the gap study are:

Do auditors understand:

• The purpose and differences of the three Basel Accords?
• How the firm’s risk appetite and tone are established?
• What corporate governance is and what the processes and procedures related to it
are at the firm?
• What exactly the financial risks are that the firm is exposed to across products and
geographies?
• How the firm identifies, measures, controls, and monitors macro and financial risks?
• The life cycle of a model: ownership, verification, and monitoring?
• How data at the firm are collected and verified?
• At least the philosophy, if not the mechanics, of the credit, market, and operational
risk models being used by their firm?
• How the models’ results are used as inputs for Basel formulae?
• Who is responsible for independently verifying the models’ design, back- and stress-
testing?
• The role of models to allocate regulatory and economic capital?
• The requirements, purpose and interconnectedness of Pillars II and III with Pillar I?
• How communication and reporting channels work within the firm and with relevant
regulators?
• What is expected from the internal audit function by Basel and relevant regulators?

Once auditors have created their list of questions for their gap study, it is time to get
answers. This is not always easy. Senior auditors may have an idea of what their staff know,
but how will they discover gaps? Some firms like to have their auditors take a test, but in
some cultures a test may intimidate employees. Auditing heads may be better served by
making sure that auditors are taking in-house or public classes about relevant new market
products, regulatory trends, major types of credit, market, and operational risk
measurement models used by banks, and specifically about Basel and its requirements. A
way to verify whether staff learn anything from classes is to have a requirement that
personnel who attend conferences or courses should give brief presentations to other
colleagues who were not able to attend classes. This would also establish a culture of
information sharing. Importantly, senior auditors must always be in communication with
senior management of all product lines to emphasize to them the importance of
auditors’ responsibilities. Many staff bankers at banks are very unclear about what auditors
do and how important their role is. Basel’s “Principles for Enhancing Corporate Governance”
emphasizes that the internal audit function should have authority, stature, independence,
resources and access to the board of directors. Needless to say, auditors should be well
qualified and competent. If a firm has a culture that sees auditors as a cost centre, then the
internal audit function will not receive the training, stature and remuneration necessary to
make sure that the group can truly perform useful Basel audits that can help senior
management not only comply with Basel requirements, but actually improve risk
management at the firm and not just pay lip service to those words.

Risk Based Internal Auditing Methodology

Internal audit is one of the main systems in a bank for assessing and controlling operational
risk. The Institute of Internal Auditors officially defines internal audit as an independent,
objective assurance and consulting activity designed to add value and improve an
organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.

Internal audit in the modern sense is a relatively new yet indispensable part of the
corporate structure of most large corporations. In some areas, such as banking, its
existence is based on legislative requirements. This is a logical step, as internal audit is,
due to its independence, not only an internal control tool, but also a significant assistant, a
partner and a point of contact for an external regulator of the banking industry.

Several types of internal audit exist, for example:

• Financial audit, the aim of which is to evaluate the reliability of the accounting
system and the information contained in the consequent financial results,
• Compliance audit, the aim of which is to evaluate the quality and suitability of
systems proposed for the purpose of ensuring compliance with legal requirements,
measures and procedures,
• Operations audit, the aim of which is to evaluate the quality and suitability of other
systems and procedures, analyze the organizational structure and assess the
suitability of methods and resources,
• Management audit, the aim of which is to evaluate the quality of the management's
approach to risk and control in the framework of the bank's overall aims.

Since the internal audit department examines and evaluates the overall activities of the
bank, it should not focus simply on one type of audit, but should employ the most
appropriate type depending on the objectives which the audit is to achieve.

The main methodological approaches specific to internal audit are compliance
based auditing (sometimes also referred to as control based or transaction based) and risk
based auditing (RBA).

Need for Risk Based Auditing

Compliance / control based audit is the basis of the methodology of internal audit. In essence it
is one of the first methodological approaches that can be considered specific solely
to internal audit (considering the modern understanding of the concept of internal audit).
As its name suggests, it deals primarily with an assessment of the compliance of internal
activities with the internal methodology or regulatory measures, and also with the control
functionality and the control implementation in accordance with the methodology or
regulations. This assessment is done through the testing of individual transactions within
the institution. The drawback of this approach is that while assessing the existence
and effectiveness of the controls, it does not examine their global impact or significance or the
motivations leading to their implementation. Compliance audit is therefore unable to
determine whether the area is overly controlled. Compliance audit also does not concern
itself with the rules themselves; therefore it does not assess their ability to reduce risks. It is thus
theoretically possible that in the audited area there are a number of risks not covered by
valid methodology and required controls, and audit still does not consider this area as
problematic. The last, but not insignificant, problem of this approach is that it is largely
based on the transactional principle (as already mentioned, sometimes the whole
methodology is called "transaction based"). This is reflected in the absence of a global
perspective. The output of a compliance audit can sometimes provide only sketchy information
about the company's internal processes (e.g. considering an area of consumer credits, the
process is not viewed as a whole, from the initial contact with the client to the repayment
or collection process, but only as a single transaction or control, e.g. the presence of the
client signature on the contract is checked, etc.).

Hence a different approach (RBA) is required.

Risk Based Internal Auditing Process

Source: Thesis Report by A Benes

The first step in a risk-based audit plan is to outline the audit universe, in which:

• All activities, products, departments and processes are included

• Changes from last year (new products / processes, products / processes
discontinued) are accounted for

• Auditable and non-auditable categories are defined

• Organisation charts and process flows are created

Operational Risk and its Assessment

Operational risk is the risk that could prevent the organization from operating in the most
effective and efficient manner or be disruptive to other operations.

Operational risk can be further measured or calculated by taking into account the
following types of risks:

1. Inherent risk: Inherent business risks indicate the intrinsic risk in a particular
area/activity of the bank and could be grouped into low, medium and high
categories depending on the severity of risk. In a financial audit, inherent risk is most
likely to occur when transactions are complex, or in situations that require a high
degree of judgment with regard to financial estimates. This type of risk represents a
worst-case scenario because all controls have failed.

2. Control risk: the risk that a misstatement due to error or fraud that could
occur in an assertion and that could be material, individually or in combination with
other misstatements, will not be prevented or detected on a timely basis by the
company's internal control.

3. Residual risk: the risk of loss remaining after other risks have been controlled /
eliminated, that is, the risk remaining after any internal controls are taken into account.

The risk assessment process should, inter alia, include the following:

• Identification of inherent business risks in various activities undertaken by the bank.
• Evaluation of the effectiveness of the control systems for monitoring the inherent
risks of the business activities (‘Control risk’).
• Drawing up a risk-matrix for taking into account both the factors viz., inherent
business risks and control risks. An illustrative risk-matrix is shown as a box item.

The basis for determination of the level (high, medium, low) and trend (increasing, stable,
decreasing) of inherent business risks and control risks should be clearly spelt out.

The risk assessment may make use of both quantitative and qualitative approaches.

While the quantum of credit, market, and operational risks could largely be determined by
quantitative assessment, the qualitative approach may be adopted for assessing the quality
of controls in various business activities. In order to focus attention on areas of greater risk
to the bank, an activity-wise and location-wise identification of risk should be undertaken.

Parameters to be included in risk assessment

The risk assessment methodology should include, inter alia, the following parameters:

• Previous internal audit reports and compliance
• Proposed changes in business lines or change in focus
• Significant change in management / key personnel
• Results of latest regulatory examination report
• Reports of external auditors
• Industry trends and other environmental factors
• Time lapsed since last audit
• Volume of business and complexity of activities
• Substantial performance variations from the budget

Audit Plan

An audit plan must have a rough structure as follows:

• Classification of Audit area as per Risk Matrix
• Determination of Frequency of audit
• Determination of Time required for various activities
• Ensure all universe covered
• Exclusions approved by Board / audit committee
• Determination of Resources available & Additional resources required
• Coverage per quarter
• Objective of completing 90% of plan by end of third quarter
• Reviews and next audit plan two months in advance of year-end

Evaluation of the potential harm that a risk poses

• Unacceptable: Immediate action required to manage the risk
• Issue: Action required to manage the risk
• Supplementary issue: Action is advisable if resources are available
• Acceptable: No action required
• IR: Inherent Risk
• RR: Residual Risk

Mathematical Assessment of the Risk of an Auditable Unit

| Retail Credits | Credit risk | Market risk | Operational risk | Reputational risk | Total |
|---|---|---|---|---|---|
| Client's identification | 5 | 1 | 3 | 1 | 10 |
| Client's registration | 3 | 1 | 5 | 1 | 10 |
| Evaluation of the request by the system | 1 | 1 | 1 | 1 | 4 |
| Evaluation by the underwriter | 4 | 1 | 3 | 4 | 12 |
| Overall IR score for the whole unit | | | | | 9 |

Source: Own arrangements

Grading the Auditable Area via the Measured Risks

Control risk is analysed in a similar way. The analysis consists of the evaluation of the
quality of the internal control, the management approach to risks etc. The scores of the control
and inherent risk are then recorded in the risk matrix, which is shown and explained below.


A – High Risk – Although the control risk is low, this is a High Risk area due to high inherent
business risks.

B – Very High Risk – The high inherent business risk coupled with medium control risk makes
this a Very High Risk area.

C – Extremely High Risk – Both the inherent business risk and control risk are high which
makes this an Extremely High Risk area. This area would require immediate audit attention,
maximum allocation of audit resources besides on-going monitoring by the bank’s top
management.

D – Medium Risk – Although the control risk is low this is a Medium Risk area due to
medium inherent business risks.

E – High Risk – Although the inherent business risk is medium this is a High Risk area
because of control risk also being medium.

F – Very High Risk – Although the inherent business risk is medium, this is a Very High Risk
area due to high control risk.

G – Low Risk – Both the inherent business risk and control risk are low.

H – Medium Risk – The inherent business risk is low and the control risk is medium.

I – High Risk – Although the inherent business risk is low, due to high control risk this
becomes a High Risk area.
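
The scoring table and the A to I matrix above can be chained into one calculation that ranks auditable units for the audit plan. The Python below is an added example, not code from the report or its sources; it assumes the overall IR score is the mean of the per-process totals (which reproduces the 9 in the table) and uses constructed cut-offs and constructed control scores, since the report states neither.

```python
from dataclasses import dataclass
from statistics import mean

# Inherent-risk scores of the "Retail Credits" unit, copied from the table above.
# Each tuple is (credit, market, operational, reputational) risk for one process.
RETAIL_CREDITS = {
    "Client's identification": (5, 1, 3, 1),
    "Client's registration": (3, 1, 5, 1),
    "Evaluation of the request by the system": (1, 1, 1, 1),
    "Evaluation by the underwriter": (4, 1, 3, 4),
}

# Risk matrix as described in cells A to I of the report:
# (inherent risk level, control risk level) -> (cell, grade).
RISK_MATRIX = {
    ("high", "low"): ("A", "High"),
    ("high", "medium"): ("B", "Very High"),
    ("high", "high"): ("C", "Extremely High"),
    ("medium", "low"): ("D", "Medium"),
    ("medium", "medium"): ("E", "High"),
    ("medium", "high"): ("F", "Very High"),
    ("low", "low"): ("G", "Low"),
    ("low", "medium"): ("H", "Medium"),
    ("low", "high"): ("I", "High"),
}

GRADE_ORDER = ["Low", "Medium", "High", "Very High", "Extremely High"]

# ASSUMPTION: the report gives no cut-offs for turning a score into a level.
# Process totals range from 4 to 20 (four risk types scored 1 to 5), so these
# constructed bands split that range into three.
LOW_MAX = 8
MEDIUM_MAX = 14


def unit_score(processes):
    """Overall score of a unit: mean of the per-process totals.

    ASSUMPTION: the report does not name the aggregation, but the mean of
    10, 10, 4 and 12 reproduces the overall IR score of 9 in its table.
    """
    return mean(sum(scores) for scores in processes.values())


def level(score):
    """Band a numeric risk score into low / medium / high (constructed bands)."""
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    inherent_score: float
    control_score: float  # higher score = weaker controls = higher control risk

    def grade(self):
        """Return (matrix cell, grade) for this unit."""
        return RISK_MATRIX[(level(self.inherent_score), level(self.control_score))]


def audit_order(units):
    """Order units for the audit plan: riskiest grade first, then inherent score."""
    return sorted(
        units,
        key=lambda u: (-GRADE_ORDER.index(u.grade()[1]), -u.inherent_score, u.name),
    )


# Constructed audit universe. Only the Retail Credits inherent score comes from
# the report; every other number is sample data.
AUDIT_UNIVERSE = [
    AuditableUnit("Retail Credits", unit_score(RETAIL_CREDITS), 16),
    AuditableUnit("Treasury", 17, 15),
    AuditableUnit("Branch Cash Operations", 6, 7),
    AuditableUnit("Trade Finance", 15, 5),
]

if __name__ == "__main__":
    for unit in audit_order(AUDIT_UNIVERSE):
        cell, label = unit.grade()
        print(f"{unit.name:24} cell {cell}  {label} Risk")
```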

Sources of Information to be looked into for Auditing

1. Previous internal audit reports and compliances


2. Proposed changes in business lines or change in focus of the company
3. Significant change in management / key personnel of the company
4. Results of latest regulatory examination report of the company
5. Reports of external auditors
6. Industry trends and other environmental factors of the company
7. Frauds / attempts to defraud reported
8. Volume of business and complexity of activities of the company
9. The views of different Business Heads

The Three Steps for the Practical Implementation of the Risk Based Auditing Process

Step 1: Assessing Risk Maturity

The bank risk maturity is taken as the starting point. Scoring and sorting risk with the aim of
creating a database – a risk register – is the first step to take into consideration. The
assessment of risk appetite concerning operational risks is provided by management and
from the evaluation of this register the internal auditor can conclude the risk maturity of the
bank. The risk register will provide information needed for creation of the audit plan.

Following the IIA U.K. and Ireland Positions (Institute of Internal Auditors, 2003), organizational
risk maturity can take one of the following forms:

Risk enabled: Risk management and internal controls are fully embedded into the
operations. Risk management and monitoring controls are sophisticated, and a complete risk
register is provided. The emphasis of the audit work is on proper process development.

Risk managed: An enterprise-wide approach to risk management is developed and
communicated; nevertheless, weaknesses are found and are to be remedied.

Risk defined: Risk appetite defined. Strategies and policies are in place and
communicated. Internal audit will act as a consultant to facilitate the construction of a
complete risk register.

Risk aware: No risk register is available; only a few managers will have determined their risk.
Internal audit will act as a consultant to undertake risk assessment, and to determine the
work required to implement a risk framework.

Risk naïve: Internal audit will promote or will provide consultation on establishing a risk
management framework.

Step 2: Developing a general strategy of internal audit and the audit plan

The risk and audit universe is an extension of the management’s risk register. This will
consist of: risks identified by management and scores attached to them; processes and
objectives that these risks threaten; identification of the “owner” of the risk, the person
responsible for risk management; the audit that provides an opinion about the
management of each risk; details of the last and next audits; and details of controls and
managing the risk.

An important step is the allocation of risk to audits, which will determine the scope of
each individual audit. Audit is allocated by category of risk identified and by the response of the
organization to risk. Possible responses given by the organization to risk can be:

• To tolerate – if there is no possibility of cost-efficient risk reduction; in this case the
need for a contingency plan should be considered;
• To transfer – outsourcing most of the cost of impact;
• To terminate – remove the circumstance giving rise to risk;
• To treat – implement a system of internal control that can reduce risk below risk
appetite.

Once a picture of the risks, their scores and the audits linked to them has been formed, the
approach to be used should be considered. The audit can either provide assurance or it can offer
consultancy. Assurance will be adopted if the control score is high – confirming that risks are
properly managed. The consultancy approach is recommended if control scores are low; audit will
then facilitate management’s identification, assessment, managing and monitoring of operational
risk.

Before publishing the audit plan, resource allocation is necessary: the total number of days
per audit must be estimated and human resources must be assigned.

The planning phase can be divided into the following:

1. Divide banking operations into operational risk auditable entities/activities (e.g.
divisions, branches, risk related projects, activities);
2. Identification of key risk factors: (e.g. failed transactions, errors and omissions,
fluctuation of personnel, activity growth, fraud cases detected, product development
and new operation, adequacy of security measures, major changes in operations,
programs, systems and control, deviations from approved budget, etc.) that are to
be expressed quantitatively, qualitatively or in combination;
3. Assignment of a risk rating to each auditable entity/activity (e.g. high/medium/low);
4. Decision about which audit to perform considering risk domains and management
request.

Step 3: The Individual Assurance Audit

In this step the guiding principle is that for each risk covered, the audit should give
reasonable assurance that (Griffiths, 2006):

• Management has identified, assessed and responded to risks above the risk appetite.
• Internal controls are effective in reducing the inherent risks to below the risk
appetite.
• Reduction of residual risks to within the risk appetite has been done, or the board has
been informed that they will be tolerated, transferred or terminated.
• There are monitoring processes by the management to ensure they continue to
operate effectively.
• Depending on the type of risk maturity, the emphasis of auditing should be:
1. For risk managed and risk enabled – management processes, e.g. resources,
documentation, methods and reporting;
2. For risk defined – risk identification, are controls operating?
3. For risk naïve and risk aware – management involvement in risk assignment.
• Potential areas for internal auditing are identified through discussions with key management
and review of documentation. Key risks should be taken into account.
• Financial statements, strategic plans, budgets, policies and procedures, code of
conduct, and other entity-related information are reviewed.
• Industry information is reviewed. Risk assessment sessions with management are
facilitated.

Evaluation of Performance

1. The Internal Audit Department should conduct periodical reviews, annually or more
frequently, of the risk-based internal audit undertaken by it vis-à-vis the approved
audit plan. The performance review should also include an evaluation of the
effectiveness of risk-based internal audit in mitigating identified risks.

2. The Board of Directors/Audit Committee of Board should periodically assess the
performance of the risk-based internal audit for reliability, accuracy and objectivity.
Variations, if any, in the risk profile as revealed by the risk-based internal audit vis-à-vis
the risk profile as documented in the audit plan should also be looked into to
evaluate the reasonableness of risk assessment methodology of the Internal Audit
Department.

Continuous Auditing

RBIA is now clearly the most widely used methodology of internal audit. But
developments in IT also have their effects in the audit domain. This trend is most evident
in the development of so-called automatic or, more often, continuous auditing (CA). The
theoretical origins of this tool can be dated back to the mid-nineties. In practice, the first
attempts to implement CA appeared at the turn of the century. Continuous auditing is
defined by Kogan et al. (1999) as the type of auditing that produces results at the same time
or within a short interval after the event occurs. The Institute of Internal Auditors defines
continuous auditing as an automatic method used for valuation of risks and controls on a
regular (frequent) basis.

In essence, it is not a separate audit methodology, but one of the practical applications of
the transactional audit methodology. As mentioned above, the transactional or compliance-based
audit is a somewhat outdated methodology. The main goal of current auditing is not a
detailed analysis of individual transactions, but rather a risk-based view of the audited area.
Despite all this, there are still areas, primarily related to e.g. regulatory reporting, where
the use of a transactional approach remains important (risk here derives mainly from
penalties for failed or inaccurate reporting to regulatory authorities). It is also possible to
implement some risk-based principles into the process and also to use its outcomes as a
basis for further RBIA planning.

The process of continuous auditing is largely a technical matter. Significantly less
interest from both academics and practitioners is focused on its implementation into audit
or risk-management frameworks in general. Even though it is mainly a transactional audit, it
is possible to incorporate in it some of the RBIA components (mainly in relation to dealing
with its outcomes). Most continuous audit procedures are based on a rule-based
method. Less frequent (mentioned for example by Lee (2007)) is a case-based method,
which introduces elements of precedent into the process of continuous auditing by
comparing individual transactions with pre-set precedent cases and subsequently applying
precedent remedial actions (in Lee's case mainly repressive).

The rule-based method is based on setting clear rules derived from the
internal methodology or regulatory rules, and registering them in a special database (rule
database). Ongoing transactions are then assessed by specially designed software
for compliance with the rules registered in the rule database. If a
transaction violates any of the rules, a report is generated and the auditor is
immediately informed about the transaction. As already mentioned, it is theoretically
possible to include some limited elements of RBIA in this process – this could be done
by setting a limit (in the sense of the amount or the materiality of the rule breached) for
erroneous transactions, corresponding to the risk appetite of the company or the audit
department. If the erroneous transaction amount is below this threshold, only the business
management is informed. Otherwise (serious violations or a transaction above the limit)
the auditor is informed. In both cases these incidents should be recorded in detail, both for
possible use in case-based identification and as one of the important risk estimation inputs
for subsequent risk-based audit planning.

Source: Thesis Report by A Benes
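
The rule-based method with a risk-appetite threshold, as described above, can be expressed as a rule database, a routing decision and an incident register. The Python below is an added example, not code from the report or from Benes's thesis; the three rules, the threshold amount, the field names and the sample transactions are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    amount: float
    signed_by_client: bool
    initiated_by: str
    approved_by: str
    approver_limit: float


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    violated: Callable[[Transaction], bool]
    serious: bool = False  # serious breaches go to the auditor whatever the amount


# Rule database (constructed rules standing in for internal or regulatory rules).
RULE_DB = [
    Rule("R1", "contract lacks the client signature",
         lambda t: not t.signed_by_client),
    Rule("R2", "amount exceeds the approver's limit",
         lambda t: t.amount > t.approver_limit),
    Rule("R3", "initiator approved their own transaction",
         lambda t: t.initiated_by == t.approved_by, serious=True),
]

# ASSUMPTION: limit corresponding to the risk appetite; the value is constructed.
RISK_APPETITE_LIMIT = 10_000.0


@dataclass(frozen=True)
class Incident:
    tx_id: str
    amount: float
    rule_ids: tuple
    notified: str  # "auditor" or "business_management"


def assess(tx, rules=RULE_DB):
    """Return every rule in the rule database that the transaction violates."""
    return [rule for rule in rules if rule.violated(tx)]


def route(tx, violations, limit=RISK_APPETITE_LIMIT):
    """Below the limit and not serious: business management only; otherwise the auditor."""
    if any(rule.serious for rule in violations) or tx.amount >= limit:
        return "auditor"
    return "business_management"


def run_continuous_audit(transactions, rules=RULE_DB, limit=RISK_APPETITE_LIMIT):
    """Assess each transaction and record every incident, whoever is notified."""
    register = []
    for tx in transactions:
        violations = assess(tx, rules)
        if violations:
            register.append(Incident(
                tx.tx_id,
                tx.amount,
                tuple(rule.rule_id for rule in violations),
                route(tx, violations, limit),
            ))
    return register


def breaches_per_rule(register):
    """Incident counts per rule: one risk-estimation input for RBIA planning."""
    return Counter(rid for incident in register for rid in incident.rule_ids)


# Constructed sample transactions.
SAMPLE_TRANSACTIONS = [
    Transaction("T1", 2_500.0, True, "alice", "bob", 5_000.0),     # compliant
    Transaction("T2", 1_200.0, False, "alice", "bob", 5_000.0),    # R1, small
    Transaction("T3", 48_000.0, True, "carol", "dave", 25_000.0),  # R2, large
    Transaction("T4", 900.0, True, "erin", "erin", 5_000.0),       # R3, serious
    Transaction("T5", 10_000.0, False, "frank", "grace", 20_000.0),  # R1, at limit
]

if __name__ == "__main__":
    register = run_continuous_audit(SAMPLE_TRANSACTIONS)
    for incident in register:
        print(incident)
    print(dict(breaches_per_rule(register)))
```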

The procedure above is one possible form of assurance-based audit. Along with
continuous monitoring from the business side, this combination represents a very effective
internal control framework. Despite the above, continuous auditing is still a very
rarely used approach in practice. A barrier to the wider expansion of CA can be found in
insufficient information availability – there are a number of theoretical papers on
continuous auditing and there are also a number of practical manuals, but most of these are
strongly IT orientated. But the main users of such a system are not recruited from academics or
IT professionals – they are just standard auditors, and from their point of view there is
still a large information gap. There are also some limitations from a practical point of view –
especially in the area of data availability. Continuous auditing requires access to the
transactional systems' data flow, and such a connection is very difficult to establish. The costs
of such an implementation are also one of the important factors preventing the growth of CA.

Concluding Remarks

Internal audit in the modern sense is a relatively new but rapidly developing profession. This
is caused by the large expectations of both regulators and the management of audited
companies. The methodological approaches to audit work change over time, but
the main trend is in the direction of risk-related and process-based matters rather than
rule compliance. This is also reflected in the currently most applied methodology – risk
based auditing. In this essay the RBIA methodology was analysed and some future
perspectives were outlined – mainly in relation to the implementation of continuous
auditing into risk-based structures. Continuous auditing, even though representative of
the somewhat outdated compliance/transaction-based auditing, could bring significant
improvements to the RBIA approach. Nevertheless, there are still barriers in the way of its
wider implementation – mainly related to data availability. This, however, could change
as e.g. old, incompatible transactional systems in banks are gradually replaced by
new, more suitable ones. The monitoring net consisting of management reporting,
continuous auditing and RBIA as presented here represents one of the most suitable approaches
for the future of auditing and risk management.

Importance and Advantages of Risk Based Internal Auditing

Importance of Risk Based Internal Auditing

Times don’t change and organizations don’t like unexpected ‘Events’. This is why regulators
are now requiring organizations to determine the risks which might give rise to these events
and, in some cases, disclose them. But it’s not about bureaucracy: an organization that
understands its risks, understands its opportunities. Because:

• If it doesn’t know its risks, it doesn’t know the risks it can accept
• If it doesn’t know the risks it can accept, it doesn’t know the risks to take
• If it doesn’t know the risks to take, it doesn’t know how to grow
• If it doesn’t know how to grow, it will wither away.

If it does not understand its risks, ‘Events’ will knock the organization back; missed
opportunities will hold it back. So how does any organization control events and seize
opportunities? By understanding:

• The risks it faces, both ongoing and in new projects.
• The risks it is prepared to accept.
• The action necessary to manage those risks it is not prepared to accept.

Since the management of the organization is responsible for controlling events and seizing
opportunities, they are responsible for specifying objectives and identifying, assessing and
managing the risks threatening the achievement of the objectives. The correct operation of
these processes is essential if an organization is to achieve its objectives.

The economic, financial and sometimes even the regulatory environment presents both
risks and opportunities, with the potential to erode or enhance value. Risk management
enables management to effectively deal with uncertainty and associated risk and
opportunity, enhancing the capacity to build value. Value is maximized when management
sets strategy and objectives to strike an optimal balance between growth and return goals
and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s
objectives.

Banks survive and prosper by accepting risk, which is their principal economic
characteristic. Risk must be well managed, and for banking institutions that task has
become much more difficult and complex. We must also highlight the changing nature of
risk management in the banking sector and its new implications for bankers and bank
supervisors.

Banking is a highly leveraged and, in many respects, low-margin business. Losses from a
single bad loan or a material breakdown in controls can eliminate the gain on many other
transactions. The continued ability to identify and manage risks and to maintain the proper
internal controls is critical in banking organizations even as they seek to increase profits and
profitability.

The internal audit function in banks has undergone important changes in recent years. The
assimilation of the international internal audit standards is one of the most important.
We can say that in the new context – the regulatory environment for the banking system and
professional requirements – internal audit has the potential to be one of the most
influential and value-adding functions for the banks’ Board of administrators. We can support
this opinion with the following arguments:

• Internal audit is seen as a value adding resource
• Internal audit is characterized by process driven/value added approach
• Internal audit is risk orientated
• Internal audit is seen as a training ground for future managers.

Advantages of Risk Based Internal Auditing

The advantages of the risk-based approach of the internal audit function in banks are as follows:

• It appropriately defines the audit universe and identifies the auditable branches
within the Bank for which these analyses would be carried out.
• It assists the management in identification of appropriate risk factors to reflect
the management's concerns.
• It results in development of an appropriate format for evaluating risk factors so
that the more important risk factors play a more prominent role in the risk
assessment process than less important risk factors.
• It develops a combination rule for each branch, which will properly reflect its
riskiness over several risk factors that have been identified and a method of
setting up audit priorities for the branches.
• It results in an appropriate audit coverage plan, which provides a roadmap for the
management of internal audit staff skills so that they are available to carry out
audits of appropriate scope when they are needed the most.
• This risk-based internal audit results in a process-oriented audit with a risk
management perspective, which gives advice to management on the steps to be
taken for effective risk management on a bank-wide basis.

An international study conducted in different organizations, analysing management's
perception of the internal audit function, has highlighted the fact that CEOs and CFOs in banks
expect internal auditors to fulfil an active management supporting role, by contributing to
the continuous improvement of the risk management and internal control system as well as
the operational processes and also expressing their opinion regarding strategically
important projects in the bank. A significant number of the CEOs and CFOs questioned in
the studies expect internal auditors to play an important ‘signalling’ role with respect to
internal problems and inefficiencies. Internal auditors are also expected to create a
sufficient level of risk and control awareness throughout the organisation.

As a corporate governance requirement, executive management is responsible for establishing
the framework of internal controls as part of its management of risk and for updating it as
risks change. Management should also assure itself that the controls are working. The internal
audit function is asked to provide objective assurance on the effectiveness of the
organisation’s governance processes, how well it manages the risks, and whether internal
control processes are operating, as required, to manage risks to an acceptable level; this
acceptable level, in the case of banks, is evaluated according to the approved risk
profile. Internal auditors also support management by providing consulting services, which
contribute to the establishment of sound risk management processes.

In order to become a valuable support for senior management in the effort of continuous
monitoring and improving risk management, the internal auditor should focus on the
provision of assurance regarding the risk management and internal control system. The internal
auditor must play a more pro-active role in the improvement and formalization of the risk
management and internal control system. Internal auditors are also expected to
improve the processes in the main business areas in the bank.

Limitations of Risk Based Internal Auditing

No measures taken by the banks can be 100% successful in mitigating the risk that the
banks are exposed to. There are some limitations to the process followed by banks in terms
of the implementation of the RBIA measures based on the guidelines set by the Basel
Accords. Let us take a look at them.

Failures of Basel Accords

Basel Accord I

Basel I was criticized for its rigid “one-size-fits-all” approach and the absence of risk
sensitivity in estimating capital requirements.

The Basel I Capital Accord has been criticized on several grounds. The main criticisms include
the following:

• Limited differentiation of credit risk: There are four broad risk weightings (0%, 20%,
50% and 100%), as shown in Figure 1, based on an 8% minimum capital ratio.

• Static measure of default risk: The assumption that a minimum 8% capital ratio is
sufficient to protect banks from failure does not take into account the changing
nature of default risk.

• No recognition of term-structure of credit risk: The capital charges are set at the
same level regardless of the maturity of a credit exposure.

• Simplified calculation of potential future counterparty risk: The current capital
requirements ignore the different level of risks associated with different currencies
and macroeconomic risk. In other words, it assumes a common market to all actors,
which is not true in reality.

• Lack of recognition of portfolio diversification effects: In reality, the sum of
individual risk exposures is not the same as the risk reduction
through portfolio diversification. Therefore, summing all risks might provide an
incorrect judgment of risk. A remedy would be to create an internal credit risk
model, for example one similar to the model developed by the bank to calculate
market risk. This remark is also valid for all other weaknesses.

Basel Accord II

Although Basel II was a very comprehensive capital regulation framework architected on
sophisticated risk quantification models, it failed to address certain issues which emerged
during the financial crisis of 2007-08. First, Basel II, a risk sensitive framework, proved to be
pro-cyclical; in good times, when banks were doing well, and the market was willing to
invest capital in them, Basel II did not impose additional capital requirement on banks. On
the other hand, in stressed times, when banks required additional capital and markets were
wary of supplying that capital, Basel II required banks to bring in more of it. During the crisis,
it was the failure to bring in additional capital that forced major international banks into a
vicious cycle of deleveraging, thereby hurtling global financial markets into seizure and
economies around the world into recession. Second, by following value at risk (VaR) models
banks maintained capital requirements against trading book exposures assuming that these
could be liquidated, and substantial banking book assets were parked in trading book, which
helped banks to optimize the capital requirements. These trading book exposures include
the securitized bonds, derivative products, and other toxic assets. The third issue was the
absence of any explicit regulation governing leverage. Basel II assumed that its risk based
capital requirement would implicitly mitigate the risk of excessive leverage. Unfortunately,
excessive leverage of banks was one of the prime causes of the crisis. The fourth issue was
that Basel II did not consider liquidity risk as part of capital regulation. During the financial
crisis unaddressed liquidity risk cascaded into solvency risk; the data shows that the Federal
Reserve, the European Central Bank (ECB), the Bank of England, the Bank of Japan, and the
Swiss National Bank have together injected USD 2.74 trillion to meet liquidity
requirements. Finally, Basel II focused more on individual financial institutions and ignored
the systemic risk arising from the interconnectedness across institutions and markets, which
led the crisis to spread to several financial markets (Acharya and Richardson 2009). Since
the beginning of the financial turbulence in 2007, the total reported write downs and losses
of banks globally have exceeded 888 billion dollars. Some estimates of the overall expected
losses by banks and other financial institutions are in the range of 2.2 trillion dollars.

The challenge faced by bank supervisors is that they require high-quality data and
need to upgrade their skills and expertise from time to time. Another challenge for the
supervisors is that the implementation of the Basel accord should be transparent, consistent
and fair throughout the jurisdiction.

Another challenge for banks is that they need high-quality data for the IRB approach but
do not have the time-series data for this purpose, which creates a big problem for
assessing the risk. Another problem for banks is that they must meet all the financial and
accounting standards to fulfil the third pillar of Basel Accord II, which is called market
disclosure.

The use of modern and complex models (due to lack of reliable and sufficient databases in
the banks) for assessing the risk in Basel Accord II, like the AIRB and AMA models etc.
(Griffith-Jones, 2006). Most financial institutions like Life Insurance Companies (LICs)
need to implement Basel because they have links with foreign banks and they apply
advanced approaches in Basel. They collaborate with these banks' supervisors to implement
Basel and face a lot of difficulties if the country in which the LIC operates does not adopt Basel.
(Griffith-Jones, 2006)

The basic problem of Basel Accord II is that it is a pro-cyclical process: if there is an
economic boom in the country, banks require less capital to cover the risk, but in
an economic downturn banks require more capital to cover the risk.

Banks rely on credit ratings provided by external credit institutions; in this case banks
depend totally on the external credit rating institutions. If any error occurs in
the information provided by the external credit providers, then the bank suffers from the risk.

The main problem of the banking system is to get and transform the data in such a way that
we are able to apply the relevant approach on the data which is a big challenge for the
supervisors of the banking system.

Basel Accord II is very complex to understand as well as to implement, not only for
regulatory authorities but also for the regulated community. For the implementation of Basel
Accord II, a strong financial system in the organization as well as the country is essential.

Another problem in the implementation of Basel Accord II is the unavailability of the high-quality
data that is necessary for the implementation of the Basel Accord. Another challenge faced by
banks is the operational cost of Basel Accord II. Banks bear a high cost in
implementing Basel Accord II.

A further issue is the verification of the measurement of capital adequacy calculated under IRB, as well as
of the qualification for IRB treatment.

One of the objectives of Basel Accord II is to improve the competitive
equality between the banks, but it fails to do so. Many of the banks were winners and many
of the banks were losers in Basel Accord II. The large institutions that adopted the A-IRB
received more significant gains than the small institutions.

Basel III issues for Indian banks

Additional capital

As banks go on increasing the risk weighted asset portfolio to meet the growing economy’s
credit requirements, they would need additional capital funds under Basel III. Different
estimates of additional capital infusion have been announced by various agencies.

Growth barrier

Growth and financial stability seem to be two conflicting goals for an economy. The Indian
economy is transforming structurally and moving towards rapid growth although some
seasonal down trends are seen. The main goal of the 12th Plan is “faster, sustainable and
more inclusive growth”. In a structurally transforming economy like India with rapid upward
mobility, credit demand will expand faster than GDP for several reasons. This means that
banks need to maintain higher capital requirements as per Basel III at a time when credit
demand is going to expand rapidly. The concern is that this will raise the cost of credit and
hence militate against growth.

Profitability of banks

Return on equity (ROE) is defined as the product of return on assets (ROA) and the leverage
multiplier. As the upper limit for the leverage ratio by Basel III has been set at 3%, the value
of the leverage multiplier will come down, resulting in a reduction in the ROE. On
average, Indian banks’ ROE has been around 15% for the last three years. The enhanced capital
requirements under the Basel III regime are likely to affect the ROE of the banks and the
shareholders’ expectations on the minimum required rate of return.

Implementing the countercyclical capital buffer

A critical component of the Basel III package is implementation of the countercyclical capital
buffer which mandates that banks build up a higher level of capital in good times (that could
be run down in times of economic contraction), consistent with safety and soundness
considerations. Here the foremost challenge to the RBI is identifying the inflexion point in an
economic cycle which should trigger the release of the buffers. The identification of the
inflexion point needs to be based on objective and observable criteria; it also requires long
series data on economic cycles.

Limitations of RBIA in the context of Indian Banks

1. Implementation of RBIA

Most of the Indian banks do not seem to follow the Road map which envisages replacement
or discontinuation of any other type of Inspection/Audit. This indicates some amount of
duplication of work and wastage of resources. Efforts should be made to avoid the same.

RBIA has a definite purpose to be achieved, which is conducting audit by focusing on risks in
the business. In the current context, assessment and mitigation of risks in banking business
is a must especially when they are expanding their volume of business at a rapid rate. But
banks have been conducting the parallel run of Inspection/Audit and RBIA for a longer
period of a year or two. Hence, banks are advised to work out an action plan to
replace inspection and internal audit by RBIA at the earliest.

2. Risk Assessment

(a) Regarding the activities considered under risk assessment, it is observed that all banks
are covering Risk assessment of Branch as a whole but a lot of work needs to be done to
include the following activities or locations also:

1. Controlling offices

2. Investment department

3. Risk management department

4. Merchant banking and advisory services

Thus, to get a fair view of risks in banking business, risk assessment under RBIA is expected
to cover all critical areas of banks’ operations.

(b) The RBIA guidelines clearly state that Risk based internal audit should undertake risk
assessment solely for the purpose of formulating the risk based audit plan, and this is a
core component of the RBIA process.

Off-site risk assessment will assist the bank in identifying the areas requiring
adequate/increased attention besides planning for resource management. Hence, it is
suggested that banks must gear up and prepare themselves to undertake risk assessment
off-site for preparation of the Audit plan. To undertake this assessment, the necessary
database and reliable and timely MIS have to be created.

3. Audit Plan

As per the Policy guidelines, it is expected that banks use the Audit risk matrix to determine
the areas that need priority in allocation of audit resources. But this expectation is fulfilled
in only a small number of banks. It appears that there is a lack of clarity as well as
understanding of the use and application of the Audit risk matrix. Therefore, in recognizing
the many benefits of the Audit risk matrix, it becomes necessary for the banks to examine
the Policy guidelines pertaining to the same in greater detail. Implementation and use of the
Audit risk matrix can be made in a manner well suited to the requirements of each
individual bank.

4. Audit report – Preparation and follow up

(a) Most of the banks are yet to complete the process of making the Manual containing
procedures for the conduct of RBIA. To carry out RBIA more effectively it is important that a
Manual be prepared by all banks since it is not only a source of guidance but also assists in
fixing Staff accountability. Banks must, therefore, undertake the exercise of preparing the
RBIA Manual on a priority basis.

(b) To ensure that Audit/Inspection teams cover all items/parameters under RBIA, a
checklist for Risk mitigation would assist a lot. But only a very few banks have done so.
Hence, banks are advised to initiate the process of preparation of such a checklist based on
experience gained so far and also keeping in mind the bank specific requirements.

(c) Further, only a few banks have a system to ensure that there are no variations between
the inferences drawn from the Composite risk matrix and the subsequent audit findings.
Since this is an important observation, it calls for a system to be installed to verify/validate
the off-site risk assessment and subsequent audit findings. In the absence of this, the very
purpose of RBIA is achieved to a limited extent.

5. Organizational aspects

A few more issues have come up in regard to organizational aspects of the RBIA function in banks.

(a) Whilst the coverage of branches under RBIA has been sufficiently enhanced, the quality
of RBIA needs to be paid additional attention. This, in turn, depends upon MIS, Audit skills
on the part of Auditors and the technological support. Though CBS has been launched in
banks, the MIS specially required for RBIA is yet to be fully created. When the same is
available, it would be of tremendous assistance in accurate off-site risk assessment.

(b) Though banks have been organizing training programs for their staff on RBIA, the post
training evaluation is necessary. This would assist in redesigning the course curriculum and
filling up the knowledge and skill gaps.

(c) It is suggested to reward those inspectors/auditors whose performance in conducting
RBIA is exceedingly good. For this purpose, certain criteria for assessment of quality of
RBIA may be thought of.

(d) The cost-benefit analysis of RBIA needs to be undertaken to make RBIA more effective
and beneficial to the banking industry.

In terms of RBI guidelines, banks in India are in the process of switching over from
traditional Internal Inspection/Audit to RBIA. Progress in this regard is not uniform. While
some banks have already switched over, there are many other banks, which are yet to
comply with the guidelines. Sufficient experience is now available with the banks in respect
of organizational preparedness and understanding of concepts, process and methodology
relating to RBIA. It would be a worthwhile exercise to document such experience and the
level of understanding of RBIA on the part of the banks. This exercise would help to identify
issues relating to implementation of RBI guidelines regarding RBIA and work out suggested
strategies. The same would also enable the banks to assess the nature and extent of
implementation of RBIA.

Conclusion

Through this report, we have understood what Risk Based Internal Auditing is. In the course
of preparing this report, we have realized that in the modern banking sector, a bank which
does not employ and adhere to its RBIA methods will surely perish in the long run, an apt
example of which is given by us in the form of the PNB scam. RBIA is still a long way away
from being completely able to mitigate the risk exposure to banks but still it is a step in the
right direction. There are still many problems that need to be ironed out though.

The effort of the banks to implement the regulatory requirements will continue and the
internal auditors will continue to take part in this huge project. The internal audit role and
importance will be recognized in accordance with its value-added function in the bank and will
strengthen in time. The image of the internal audit in the bank is a direct result of its effort
and involvement, professionalism and capacity to respond to the requirements of the
management.

Co-operation between banking supervisory authorities, external auditors and their internal
auditors with the aim of improving the effectiveness of their work is very important, where
each of the parties concentrates on its own field of responsibility. Such co-operation may,
for example, be founded on regular meetings, where each of the parties presents
information on areas of common interest, the recommendations of internal and external
auditors are discussed and each of the parties gives its opinion on them. The cooperation of
banking supervisory authorities, internal auditors and external auditors requires a
relationship founded on trust which will take some time to foster.

References

Jaydev M. (2013). Basel III implementation: Issues and challenges for Indian banks. IIM
Bangalore Management Review (2013) 25, 115-130

Stanciu V. (2008). Internal Audit Approach in Banks. Analele Științifice ale Universității
„Alexandru Ioan Cuza” din Iași, Tomul LV, Științe Economice.

Danescu T., Oltean A., Sandru R. (2010). Risk Based Internal Audit: Perspectives offered to
corporations and banks. Annales Universitatis Apulensis Series Oeconomica 12(1), 2010

Benes V. (2010). Internal Audit and its Approach to the Risk Mitigation. Journal of
Interdisciplinary Research.

Chernykh L. (2016). Audit and Fraud: Evidence from Bank Failures. Clemson University
Conference 2016

Gunther, J. W., & Moore, R. R. (2003). Loss underreporting and the auditing role of bank
exams. Journal of Financial Intermediation, 12(2), 153-177.

Haggard, K. S., & Howe, J. S. (2012). Are banks opaque?. International Review of Accounting,
Banking and Finance 4(1), 51-72.

Kohlbeck, M. 2005. The Demand for Private Company Audits: Evidence from Private
Commercial Banks. Working paper, University of Wisconsin.

Cheng, H., & Ma, L. (2009). White collar crime and the criminal justice system: Government
response to bank fraud and corruption in China. Journal of Financial Crime, 16(2), 166-179.

Black, R. 1990. Auditors and Bank Examiners: A New Era of Cooperation. Journal of
Accountancy, 170(3): 77-82.

Coetzee P. & Lubbe D. (2014). Improving the efficiency and effectiveness of Risk Based
Internal Audit Engagements. International Journal of Auditing 11-125 (2014)

Ayagre P. (2014). The adoption of Risk Based Internal Auditing in Developing Countries: The
Case of Ghanaian Companies. European Journals of Accounting Auditing and Finance
Research, Vol 2 No 7 pp 52-65, September 2014

The Changing Role of Internal Audit. Deloitte Report, 2012

Dumitrescu M. (2002). Internal Audit in Banking Organizations. Basel Committee on Banking
Supervisions 2001-2002

Petrascu D. & Tieanu A. (2014). The Role of Internal Audit in Fraud Prevention and
Detection. 21st International Economic Conference 2014. IECS 2014, Sibiu, Romania

Implementing Risk Based Internal Audit in Indian Banks: An Assessment of Organizational
Preparedness. RBI Discussion Paper on “Move towards Risk Based Supervision”

Davies M. (2014). Risk Based Audits. Working Paper, Casual Capital, 2014.

Dimitris C. (2003). Operational Risk with Basel II. Elsevier Publishers 2003.

Griffiths, P. (2005) Risk-Based Auditing. Gower Publishing Limited, 2005. ISBN 0-566-08652-2

Rattlif, R; Wallance, W; Summers, G; McFrland, W; Loebbecke, J.: Internal Auditing Principles
and Techniques. The Institute of Internal Auditors, 1996. ISBN 978-0894133268
