
Guide on Risk-based Internal Audit

Exhibit 1

Measurement Yardstick for Likelihood of Risk

Likelihood of Risk Occurrence


| Level | Description | Ranking Criteria |
|---|---|---|
| 1 | Remote | Event may only occur in exceptional circumstances |
| 2 | Unlikely | Event could occur in rare circumstances |
| 3 | Possible | Event could occur at some time |
| 4 | Likely | Event could occur in most circumstances |
| 5 | Almost certain | Event is expected to occur in most circumstances |


Exhibit 2

Measurement Yardstick for Risk Consequences*

Risk Consequence

Level 1: Insignificant
Impact: Low
Ranking Criteria:
+ < Rs. 50 lakh impact on profitability
+ No impact on market share
+ No impact on reputation
Resulting in: Causes minor inconvenience without impacting the achievement of objectives
Illustrations:
+ No potential impact on market share
+ No impact on brand value
+ Issues would be delegated to junior management and staff to resolve

Level 2: Minor
Impact: Low to Moderate
Ranking Criteria:
+ Rs. 50 lakh to Rs. 2 crore impact on profitability
+ Consequences can be absorbed under normal operating conditions
+ Potential impact on market share
+ Potential impact on reputation
Resulting in: Causes inconvenience without impacting the achievement of objectives
Illustrations:
+ Consequences can be absorbed under normal operating conditions
+ There is a potential impact on market share and brand values
+ Issues will be delegated to middle management for resolution

Level 3: Moderate
Impact: Moderate
Ranking Criteria:
+ > Rs. 2 crore to Rs. 5 crore impact on profitability
+ There is some impact on market share
+ There is some impact on reputation
Resulting in: Preventing organisation from achieving some of its objective for limited period
Illustrations:
+ Market share and/or brand value will be affected in the short term
+ The event will require senior and middle management intervention

Level 4: Major
Impact: Moderate to High
Ranking Criteria:
+ > Rs. 5 crore to Rs. 10 crore impact on profitability
+ Market share will be affected in the short term
+ Reputation is affected in the short term
Resulting in: Preventing organisation from achieving majority of its objective for a long time
Illustrations:
+ Serious diminution in brand value and market share with adverse publicity
+ Key alliances are threatened
+ Events and problems will require Board and senior management attention

Level 5: Catastrophic
Impact: High
Ranking Criteria:
+ > Rs. 10 crore impact on profitability
+ Serious diminution in reputation
+ Sustained loss of market share
Resulting in: Closing down of organisation/operation or significant part for a long time
Illustrations:
+ Loss of key alliances
+ Sustained, serious loss in market share

* The amounts (figures) given in this Exhibit are for illustrative purposes only and are not intended to serve as benchmarks.

Exhibit 3

Measurement Yardstick for Risk Score

Columns: Consequences of Risk. Rows: Likelihood of Risk.

| Likelihood of Risk | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost Certain (5) | 5 x 1 = 5 | 5 x 2 = 10 | 5 x 3 = 15 | 5 x 4 = 20 | 5 x 5 = 25 |
| Almost Certain (4) | 4 x 1 = 4 | 4 x 2 = 8 | 4 x 3 = 12 | 4 x 4 = 16 | 4 x 5 = 20 |
| Almost Certain (3) | 3 x 1 = 3 | 3 x 2 = 6 | 3 x 3 = 9 | 3 x 4 = 12 | 3 x 5 = 15 |
| Almost Certain (2) | 2 x 1 = 2 | 2 x 2 = 4 | 2 x 3 = 6 | 2 x 4 = 8 | 2 x 5 = 10 |
| Almost Certain (1) | 1 x 1 = 1 | 1 x 2 = 2 | 1 x 3 = 3 | 1 x 4 = 4 | 1 x 5 = 5 |

LEGEND

+ Risks which require immediate attention
+ Risks which should be monitored and brought down to green
+ Risks which do not require action

Exhibit 4

Illustrative Risk Heat Map

[Figure: heat map plotting key risks, referenced by number (1 to 10), on a grid of Likelihood (vertical axis: Rare 1, Unlikely 2, Possible 3, Likely 4, Almost certain 5) against Impact (horizontal axis: Insignificant 1, Minor 2, Moderate 3, Major 4, Catastrophic 5). Legend: Severity is shown as Critical, High, Moderate or Low. Each risk is marked with its Inherent Risk severity (assessed before 'Existing Controls') and its Residual Risk severity (assessed after 'Existing Controls').]

Exhibit 5

Illustrative Risk Register (Part A, B, C)

Part A: Summarised Risk Register

ABC Bullion Trading Company
Summarized Risk Register

Auditable Unit: Bullion
Process: Gold Sale
Sub Process: Order Booking [5]
Serial No of Risk: 121-128

| Process Objectives | Critical Success Factors | Failure Rate |
|---|---|---|
| Sell gold on behalf of Principal at no financial and physical risk to our company | Order booking should consider future risks and treat them at this stage itself | Number of times gold delivery process initiated on the basis of manual instructions i.e., prior to first using GMS software for order booking |

| Risks which Threaten Objectives | Likelihood | Impact | Controls |
|---|---|---|---|
| Inadequate training provided to employees on the significance of gold procedure manual and its compliance | Possible | Major | New employees receive training as part of orientation process. Existing employees receive periodic compliance training. |
| At times no trained person on GMS at a branch | Almost certain | Major | Head office maintains a roster of trained persons on GMS who can be deputed for short durations to branches |
| At times, no action on monitoring reports | Likely | Major | Alerts sent to multiple officers |
| New risks crystallising without the branch being aware | Possible | Moderate | Quarterly review for updating of risk register |

[5] As per the Gold procedure manual, when gold is sold on cash basis, the rate is the spot rate. When sold on loan basis, the transaction has to be completed and paid for within 21 days of delivery of gold. The bank guarantee submitted should be 110% of the spot rate on loan date. During the loan period, the price fixing day is at the choice of the buyer. However, once the price is fixed, the full payment must be credited in the company's bank account on that day itself; otherwise the bank guarantee is to be invoked the next day.

Part B: Risk Register Showing Inherent Score of Risk

The last three columns (Impact, Likelihood, Overall) form the Gross Risk Assessment [6].

| S.No of Risk | Process | Sub Process (Level 1) | Sub Process (Level 2) | Process Owner | Risk | Risk consequence | Impact | Likelihood | Overall |
|---|---|---|---|---|---|---|---|---|---|
| 121 | Gold sale | Order booking | Gold to be sold for cash | Bullion Officer | Novice buyer of gold bars | Messy dealings and time wastage of staff as company does not sell less than a gold bar | 2 (minor) | 4 (likely) | 8 (moderate) |
| 122 | -do- | -do- | -do- | -do- | Gold rate fluctuates during the day and the rate fixed may not be accepted by Principal | Disagreements with Principal which may result in financial loss and reputation risk | 4 (minor) | 4 (likely) | 16 (catastrophic) |
| 123 | -do- | -do- | Gold to be sold on loan basis (delivered now, rate fixed later on, payment recd when rate fixed) | Branch Manager | Buyer may later on default or delay payment | Financial loss to company | 4 (minor) | 4 (likely) | 16 (catastrophic) |
| 124 | -do- | -do- | -do- | -do- | Buyer may later on dispute the spot rate fixed | Financial loss to company and reputation risk | 4 (minor) | 4 (likely) | 16 (catastrophic) |
| 125 | -do- | -do- | -do- | -do- | Bank Guarantee (BG) expires before receipt of payment from buyer | Financial exposure which may manifest as risk no 123 and 124 | 4 (minor) | 4 (likely) | 16 (catastrophic) |
| 126 | -do- | -do- | -do- | -do- | BG lower than current spot rate | Financial exposure which may manifest as risk no 123 and 124 | 2 (minor) | 4 (likely) | 16 (catastrophic) |
| 127 | -do- | -do- | -do- | -do- | BG defective/misplaced | Financial exposure which may manifest as risk no 123 and 124 | 4 (minor) | 4 (likely) | 16 (catastrophic) |
| 128 | Gold sale | Order booking | All | -do- | Occasional deviation by staff on compliance of gold procedure manual | Financial exposure which may manifest as risks mentioned above | 4 (minor) | 4 (likely) | 16 (catastrophic) |

[6] Assessing the impact and likelihood of risks has been covered in the section on risk estimation below.

Part C: Risk Register Showing Residual Score of Risk

The last three columns (Impact, Likelihood, Overall) form the Residual Risk Assessment [7].

| S.No of Risk | Process | Sub Process (Level 1) | Sub Process (Level 2) | Risk | Control | Impact | Likelihood | Overall |
|---|---|---|---|---|---|---|---|---|
| 121 | Gold sale | Order booking | Gold to be sold for cash | Novice buyer of gold bars | Order booking by only registered customers | 2 (Minor) | 0 | 0 |
| 122 | -do- | -do- | -do- | Gold rate fluctuates during the day and the rate fixed may not be accepted by Principal | Rate fixed by Principal and Rate fixing serial no (RFX) is mentioned in the remittances | 4 (Major) | 0 | 0 |
| 123 | -do- | -do- | Gold to be sold on loan basis (delivered now, rate fixed later on, payment recd when rate fixed) | Buyer may later on default or delay payment | Bank Guarantee of 110% | 0 | 2 (Unlikely) | 0 |
| 124 | -do- | -do- | -do- | Buyer may later on dispute the spot rate fixed | BG invoked | 0 | 2 (Unlikely) | 0 |
| 125 | -do- | -do- | -do- | Bank Guarantee (BG) expires before receipt of payment from buyer | Daily monitoring report generated where BG is less than 105% of the closing spot rate for the day. This report is circulated at Branch and Corporate office | 4 (Major) | 1 (Unlikely) | 4 (Low) |
| 126 | -do- | -do- | -do- | BG lower than current spot rate | If BG has not yet been invoked then immediately invoked | 4 (Major) | 1 (Unlikely) | 4 (Low) |
| 127 | -do- | -do- | -do- | BG defective/misplaced | All BG on company's format and kept at safe | 4 (Major) | 1 (Unlikely) | 2 (Low) |
| 128 | Gold sale | Order Booking | ALL | Occasional deviation by staff on compliance of gold procedure manual (GPM) | All transactions through a software, viz. Gold management system which has inbuilt internal controls as per GPM | 4 (Major) | 0 | 0 |

[7] Assessing the impact and likelihood of risks has been covered in the section on risk estimation below.
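
Exhibit 3 defines the risk score as the likelihood level multiplied by the consequence level, and Parts B and C record that score for each risk. As an added example (not part of the guide), the following Python re-derives every row's score from its recorded levels and reports rows whose recorded figures disagree with the formula or whose residual level is higher than the inherent one. The function names are illustrative, and accepting level 0 for residual rows is an assumption based on how Part C records fully controlled risks.

```python
# Added example (not from the guide): (impact, likelihood, overall) per risk
# serial number, transcribed as recorded in Exhibit 5 Parts B and C.
INHERENT = {
    121: (2, 4, 8), 122: (4, 4, 16), 123: (4, 4, 16), 124: (4, 4, 16),
    125: (4, 4, 16), 126: (2, 4, 16), 127: (4, 4, 16), 128: (4, 4, 16),
}
RESIDUAL = {
    121: (2, 0, 0), 122: (4, 0, 0), 123: (0, 2, 0), 124: (0, 2, 0),
    125: (4, 1, 4), 126: (4, 1, 4), 127: (4, 1, 2), 128: (4, 0, 0),
}

def score(impact, likelihood):
    """Exhibit 3: risk score = likelihood level x consequence level."""
    return likelihood * impact

def check_register(rows, lowest_level=1):
    """Map serial -> finding for rows whose levels or overall score do not add up."""
    findings = {}
    for serial, (impact, likelihood, overall) in sorted(rows.items()):
        if not all(lowest_level <= lvl <= 5 for lvl in (impact, likelihood)):
            findings[serial] = f"level outside {lowest_level}-5"
        elif overall != score(impact, likelihood):
            findings[serial] = (f"recorded {overall}, but "
                                f"{likelihood} x {impact} = {score(impact, likelihood)}")
    return findings

def residual_above_inherent(inherent, residual):
    """Serials where a residual level exceeds the inherent level for the same risk."""
    return [s for s in sorted(inherent)
            if residual[s][0] > inherent[s][0] or residual[s][1] > inherent[s][1]]

def score_reduction(inherent, residual):
    """Recomputed inherent score minus recomputed residual score, per serial."""
    return {s: score(*inherent[s][:2]) - score(*residual[s][:2])
            for s in sorted(inherent)}

if __name__ == "__main__":
    print("Part B:", check_register(INHERENT))
    # Assumption: Part C uses level 0 where a control removes the risk entirely.
    print("Part C:", check_register(RESIDUAL, lowest_level=0))
    print("Residual above inherent:", residual_above_inherent(INHERENT, RESIDUAL))
    print("Score reduction:", score_reduction(INHERENT, RESIDUAL))
```

Running the same checks whenever the register is updated at its quarterly review catches transcription slips before the scores feed the heat map.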
