
Risk Based Internal Audit

The document discusses risk-based internal auditing in banks. It covers the principles of risk-based auditing including risk assessment methodology. The risk assessment process involves identifying, classifying, prioritizing and measuring risks. An annual audit plan is then developed based on the risk assessment. The plan shows the audit areas and cycle over a multi-year period based on the level of risk in each area. The goal is to focus audit resources on higher risk functions.

Uploaded by gian

Risk Based Internal Audit in Banks

March 9, 2015

Agenda

1.  Principles of Risk Based Internal Audit

2.  Methodology

3.  Risk Assessment

4.  Annual Plan

5.  Audit Engagement

6.  Reporting

7.  Benefits of Risk Based Audit

1. Principles of Risk Based Internal Audit

Risk: The probability that an event occurs and affects the achievement of objectives.

Risk has 4 components:

•  Event
•  Effect
•  Likelihood
•  Result

Risk Management: The process of identifying, assessing, managing and controlling potential cases in order to provide acceptable assurance that the institution’s objectives are realized.

Risk Assessment Process

Identification → Classification → Prioritization → Measuring

1. Principles of Risk Based Internal Audit

Risk Assessment Process

•  A “risk assessment” is an effort to identify, measure, and prioritize the risks an organization faces, so that internal audit activities are focused on the auditable areas with the greatest significance.

•  The risk assessment process makes it possible to develop a risk-based Internal Audit Plan.

Risk Assessment Goals

•  Inform senior management and the Board of Directors about the risk assessment process.

•  Get to know your client’s needs.

•  Develop a project plan and timeline, and agree upon deliverables.

•  Provide a framework for assessing and prioritizing risks.

1. Principles of Risk Based Internal Audit

What is risk based internal audit?

The Institute of Internal Auditors defines Risk Based Internal Auditing (RBIA) as:

•  a methodology that links internal auditing to an organization’s overall risk management framework

•  that allows internal audit to provide assurance to the board that risk management processes are managing risk effectively, in relation to the risk appetite

2. Methodology

Assessing Risk

Annual Plan

Audit Engagement

Reporting

3. Risk Assessment

Evaluate the level of risk for each auditable area.

Risk factors to consider include:

•  Materiality
•  Complexity of Process
•  Business Environment
•  Exposure to Loss
•  Regulatory Environment

3. Risk Assessment

•  Identify potential areas for internal auditing through discussions with key management and review of documentation. Key risks should be taken into account.

•  Interview executive, senior management, middle management, and Board of Directors / Audit Committee.

•  Review financial statements, strategic plans, budgets, policies and procedures, code of conduct, and other entity related information.

•  Review industry information.

•  Facilitate risk assessment sessions with management.

3. Risk Assessment
Sample Heat Map

4. Annual Plan

Establishing the Risk Based Internal Audit Plan

According to IIA standards, a risk based internal audit plan should satisfy the following requirements:

•  The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

•  The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.

•  The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.

4. Annual Plan

In Turkey, the regulations of the Banking Regulation and Supervision Agency require the following conditions for an efficient internal audit system:

•  Annual risk assessments that consider all business units and operations of the bank shall be made.

•  An annual audit plan shall be established in accordance with the results of the risk assessments.

•  The annual audit plan shall be approved by the Board.

4. Annual Plan

The Annual Audit Plan is determined by evaluating:

•  Risk matrix
•  Risk matrices of subsidiaries (if applicable)
•  Risk level of activities
•  Risk Indicators & Dynamic Risk Assessment
•  Contemporary conditions and expectations
•  Feedback from the Board of Directors, Audit Committee & Senior Management, etc.

SAMPLE AUDIT PLAN PROCESS

Internal Audit Department → Audit Committee (Approval) → Board of Directors (Approval) → Regulatory Authority (for information purposes only)

4. Annual Plan – Sample Risk Assessment Process: Bank Example

Identify Key Risks → Define Audit Universe → Perform Risk Ranking → Audit Plan

Diagram labels: The Bank’s Risk Matrix; Risk Level of Bank’s Activities; Risk Indicators; Importance Level*; Audit Period; Identifying the Auditable Entities; Risk Assessment Reports; AUDIT PLAN

Bank’s activities listed in the diagram:

•  Corporate Finance
•  Trading and Sales
•  Retail Banking
•  Credit Extension
•  Deposit Collection and Investment Products
•  Retail Banking Operations
•  Retail Brokerage
•  Commercial Banking
•  Credit Extension
•  Deposit Collection and Investment Products
•  Commercial Banking Operations
•  Payment and Settlement
•  Agency Services
•  Asset Management
•  Mergers and Acquisitions
•  Insurance Services
•  Information Systems
•  Human Resources
•  Legal Proceedings
•  New Technologies

* A risk rating model can be used to define ideal audit periods. A risk rate can be given to each auditable entity from “1-High Risk” to “5-Low Risk”.

4. Annual Plan – Sample Risk Based Annual Plan

Audit Cycle / Area                      Aggregate Risk from       Audit Frequency             Year - 1 / Year - 2 / Year - 3
                                        Risk Assessment Matrix    (1, 2, or 3 year rotation)

LENDING OPERATIONS
  Commercial Loans                      M                         2                           X X
  Consumer Loans                        M                         2                           X
  Real Estate Loans                     M                         2                           X X
  Credit Administration                 H                         1                           X X X
  Secondary Marketing                   L                         3                           X
TREASURY MANAGEMENT
  Securities                            M                         2                           X X
  Cash Management                       L                         3                           X
  Asset/Liquidity Management            M                         2                           X X
  Wire Transfer                         H                         1                           X X X
  Automated Clearing House              H                         1                           X X X
  Borrowings and Repurchase Agreements  L                         3                           X
ACCOUNTING AND FINANCIAL REPORTING
  General Accounting                    M                         2                           X X
  Financial Reporting                   M                         2                           X
DEPOSIT OPERATIONS                      M                         2                           X
BRANCH OPERATIONS                       M                         2                           X X
BANK ADMINISTRATION
  Human Resources                       M                         2                           X X
  Payroll                               L                         3                           X
  Purchasing                            L                         3                           X
  Insurance Coverage                    M                         2                           X X

High (H); Medium (M); Low (L)

5. Audit Engagement

Subjects reviewed during the audit engagements vary according to the work performed by those units. According to the model, controls should provide tenable assurance about the following 4 issues. In the audit engagement, controls on these issues are tested.

Reliability & Integrity of Information
•  Financial records
•  Operational records
•  Record keeping and reporting activities

Safeguarding of Assets
•  Policies for Segregation of Duties
•  Evaluation of procedures designed against theft, forgery, illegal acts, etc.

Compliance
•  Policies
•  Procedures
•  Laws and regulations
•  Agreements

Effectiveness & Efficiency of Operations
•  Efficiency of workflows
•  Evaluation of capacity usage
•  Over/under employment

COSO is a committee composed of 5 professional organizations. This model is preferred and suggested by the IIA (Institute of Internal Auditors).

5. Audit Engagement

EXECUTING THE AUDITS

•  Identifying
•  Analyzing
•  Evaluation of Information
•  Observation & Inspection
•  Statistical Sampling
•  Recomputing

5. Audit Engagement

Sample Audit Plan

Sample Working Paper

Risk based audit plans and working papers are prepared in the audit engagement. The following contents of these documents identify the scope of assurance:

•  Purpose
•  Scope
•  Analyzing Method
•  Sampling Method
•  Results

6. Reporting

What is expected by the senior management and the board from internal audit reports?

•  Compliance of the audited unit to the Law and other legal procedures

•  Compliance of the audited unit to the internal policies and procedures

•  Efficiency and effectiveness of processes in the audited unit and possible corrective actions that may be taken by the senior management

6. Reporting

Internal Audit Reporting Sample

Number: 2013-910-H-001 | (High / Medium / Low) | Headline of Finding

Current State
•  Auditee Controls: Any kind of controls that are currently available in the process

Finding, Risk and Suggestion
•  Examined Process:
   - Explaining the examined process briefly
   - Highlighting the risky points
   - Auditor’s opinions
•  Related Process / Sub-Process: Process from the audit plan in which the finding is detected
•  Risk: Risks regarding the process
•  Suggestion: Suggestions to cover risk

Result
•  Response of Auditee: The answer / opinion of the auditee regarding the finding, risk and suggestion
•  Target Remediation Date

Related Parties: Assistant Manager, Unit Manager

6. Reporting

Reporting to the Audit Committee

The internal audit function ultimately reports to and is accountable to the Audit
Committee. Prior to meeting the Audit Committee, internal audit reports of the
audit period are prepared and delivered to the members of the Audit Committee
and other concerned parties.

Reporting to Senior Management and the Board

In IIA standards, reporting levels are explained as follows:

The chief audit executive must report periodically to senior management and
the board on the internal audit activity’s purpose, authority, responsibility, and
performance relative to its plan.

Reporting must also include significant risk exposures and control issues,
including fraud risks, governance issues, and other matters needed or
requested by senior management and the board.

6. Reporting

Monitoring Progress and Communicating the Acceptance of Risks

The chief audit executive must establish and maintain a system to monitor the
disposition of results communicated to management.

When the chief audit executive concludes that management has accepted a
level of risk that may be unacceptable to the organization, the chief audit
executive must discuss the matter with senior management. If the chief audit
executive determines that the matter has not been resolved, the chief audit
executive must communicate the matter to the board.

The identification of risk accepted by management may be observed
through an assurance or consulting engagement, monitoring progress on
actions taken by management as a result of prior engagements, or other
means. It is not the responsibility of the chief audit executive to resolve the
risk.

7. Benefits of Risk Based Audit

•  Conducting efficient audit activities
•  Focusing on the most significant and risky auditable areas
•  Identifying the risk appropriately
•  Fulfilling the stakeholders’ expectations
•  Affirmative cost-benefit impacts

Internal Audit Exam

Deadline to Application: April 3rd, 2015
Exam Date: April 11, 2015
Exam Locations: İstanbul, Ankara, İzmir
Expected to Hire: 40 People
Expected Date to Begin: July 2015

http://garantilikariyer.garanti.com.tr/

March 9, 2015 - Istanbul
