Deregulation and liberalization of the Indian financial sector call for effective risk management and internal control systems in the conduct of banking business, especially after the recent unsavory incidents of fraud and cheating by some prominent borrowers, which caused a grave crisis in the financial market. This is also significant in view of the New Basel Capital Accord, under which the capital maintained by a bank will be more closely aligned to the risks undertaken, and of the Reserve Bank's move towards risk-based supervision (RBS) of banks, for which the RBI has introduced a risk-based audit system and the appointment of Chief Risk Officers in banks.
A Reserve Bank of India circular states, 'A sound internal audit function plays an important role in contributing to the effectiveness of the internal control system. The audit function should provide high quality counsel to management on the effectiveness of risk management and internal controls including regulatory compliance by the bank. Historically, the internal audit system in banks has been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports, integrity, reliability and timeliness of control reports, and adherence to legal and regulatory requirements. However, in the changing scenario such testing by itself would not be enough. There is a need for widening as well as redirecting the scope of internal audit to evaluate the adequacy and effectiveness of risk management procedures and internal control systems in the banks.' To realise these objectives, banks will have to move progressively towards risk-based internal audit, which includes, besides selective transaction testing and the other methods adopted at present, an evaluation of the risk management system and control procedures in the various areas of the bank's operations. This gives more importance to the internal auditor's role, not only in mitigating risks but also in anticipating areas of potential risk, so as to protect the bank.
RBI envisages that the policy for risk-based internal audit would shift the focus from the present system of full-scale transaction testing to risk identification, prioritization of audit areas and allocation of audit resources in accordance with the risk assessment. The audit should be scheduled so that there is a maximum time period beyond which even the low-risk business activities/locations do not remain unaudited. Besides, banks should ensure the functional independence of the Internal Audit Department: to avoid any conflict of interest, the department should not be part of the internal control process, and it should not be entrusted with the responsibility of performing other accounting and operational functions. The audit should be conducted objectively, impartially and without prejudice. The success of the internal audit function depends largely on the extent of reliance placed on it by the management for guiding the bank's operations.
RBI emphasizes that the risk assessment would, as an independent activity, cover risks at various levels (corporate and branch; the portfolio and individual transactions, etc.) as well as the processes in place to identify, measure, monitor and control those risks. For this, an effective risk assessment methodology should be devised, taking into account the size and complexity of the business undertaken by the bank. As per RBI, the risk assessment process should, inter alia, include the following:
• 'Identification of inherent business risks in various activities undertaken by the bank.
• Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities ('Control risk').
• Drawing up a risk-matrix for taking into account both the factors viz., inherent business risks and control risks.'
Besides,
'The basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out. The risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of controls in various business activities. In order to focus attention on areas of greater risk to the bank, an activity-wise and location-wise identification of risk should be undertaken.'
'The risk assessment methodology should include, inter alia, the following parameters:
• Previous internal audit reports and compliance
• Proposed changes in business lines or change in focus
• Significant change in management / key personnel
• Results of latest regulatory examination report
• Reports of external auditors
• Industry trends and other environmental factors
• Time elapsed since last audit
• Volume of business and complexity of activities
• Substantial performance variations from the budget.'
Further, RBI states,
'For the risk assessment to be accurate, it will be necessary to have in place proper MIS and data integrity. The internal audit function should be kept informed of all developments such as introduction of new products, changes in reporting lines, changes in accounting practices/policies etc. The risk assessment should invariably be undertaken on a yearly basis. The assessment should also be periodically updated to consider changes in business environment, activities and work processes, etc.'
An annual audit plan is to be in place to cover all risk areas, prioritised according to the level and direction of the risks shown in the risk matrix. Where necessary, the frequency of audit can be increased, with shorter intervals between audits depending on the nature of the risk involved, to avoid any untoward incidents affecting the bank. An effective two-way communication system and a system for performance evaluation must also be ensured, for reliability, accuracy and objectivity, so that the results achieved are reviewed periodically and remedial measures are taken without delay.
RBI exhorts the banks, stating, 'The precise scope of risk-based internal audit must be determined by each bank for low, medium, high, very high and extremely high-risk areas. However, at the minimum, it must review/report on:
• process by which risks are identified and managed in various areas;
• the control environment in various areas;
• gaps, if any, in control mechanism which might lead to frauds, identification of fraud prone areas;
• data integrity, reliability and integrity of MIS;
• internal, regulatory and statutory compliance;
• budgetary control and performance reviews;
• transaction testing/verification of assets to the extent considered necessary;
• monitoring compliance with the risk-based internal audit report;
• variation, if any, in the assessment of risks under the audit plan vis-à-vis the risk-based internal audit.
The scope of risk-based internal audit should also include a review of the systems in place for ensuring compliance with money laundering controls; identifying potential inherent business risks and control risks, if any; suggesting various corrective measures and undertaking follow up reviews to monitor the action taken thereon.'
If banks implement RBI's directions on risk management and internal audit systems and procedures effectively, and comply with them without complacency, the result will be better credit management and monitoring, reducing the incidence of operational risks and the other connected risks attached to lending.